KAIST-IS521 / 2018s-gitctf-team2

exploit-bug1 #77

Closed AhnMo closed 6 years ago

AhnMo commented 6 years ago

softsec-is521 commented 6 years ago
About exploit-bug1 (exploit-service branch)
[*] Starting service from 2018s-gitctf-team2 (branch '30944e62425132c5df42f9706244f4f6437d15cb')
Sending build context to Docker daemon  302.6kB
Step 1/9 : FROM debian:latest
---> 8626492fecd3
Step 2/9 : RUN cd /etc/apt &&   sed -i 's/deb.debian.org/ftp.daumkakao.com/g' sources.list &&   sed -i 's/security.debian.org/ftp.daumkakao.com/g' sources.list
---> Using cache
---> 6158c0b6e89c
Step 3/9 : RUN apt-get update && apt-get install -y make gcc procps
---> Using cache
---> 37d88ec252ac
Step 4/9 : RUN apt-get install -y gdb
---> Using cache
---> 662a905d408d
Step 5/9 : RUN mkdir -p /var/ctf
---> Using cache
---> f104ee201070
Step 6/9 : COPY ./flag /var/ctf/
---> ec4f30a46a3f
Step 7/9 : ADD . /src
---> 84099e17693d
Step 8/9 : RUN cd /src; make clean; make
---> Running in a519a16c90b0
rm -f server cclient testing.o
gcc -z now -no-pie -o cclient -Wall tcp_client.c
tcp_client.c: In function 'message':
tcp_client.c:311:56: warning: format '%d' expects argument of type 'int', but argument 2 has type 'size_t {aka long unsigned int}' [-Wformat=]
printf("Error, message to long, message length is: %d\n", strlen(text));
^
tcp_client.c:288:8: warning: variable 'command' set but not used [-Wunused-but-set-variable]
char *command, *handle, *text, *orig;
^~~~~~~
tcp_client.c: In function 'broadcast':
tcp_client.c:341:55: warning: format '%d' expects argument of type 'int', but argument 2 has type 'size_t {aka long unsigned int}' [-Wformat=]
printf("Error, message to long, message length is: %d\n", strlen(text));
^
tcp_client.c:325:8: warning: variable 'command' set but not used [-Wunused-but-set-variable]
char *command, *text, *orig;
^~~~~~~
gcc -z now -no-pie -o server -Wall tcp_server.c
Removing intermediate container a519a16c90b0
---> e413ca804710
Step 9/9 : ENTRYPOINT ["/src/server", "4000"]
---> Running in 6cb2b50d672b
Removing intermediate container 6cb2b50d672b
---> 55b076452daa
Successfully built 55b076452daa
Successfully tagged 2018s-gitctf-team2-30944e62425132c5df42f9706244f4f6437d15cb:latest
01b734d4a6528b26a2c41332c87ced0d52cbb248360417a7c9b51cbfc6003a48
[*] Started service successfully
[*] Running exploit
Sending build context to Docker daemon  6.656kB
Step 1/7 : FROM debian:latest
---> 8626492fecd3
Step 2/7 : MAINTAINER AhnMo
---> Using cache
---> 0c0d7e3d57b2
Step 3/7 : ENV DEBIAN_FRONTEND noninteractive
---> Using cache
---> a951bcadc150
Step 4/7 : RUN sed -i 's/deb.debian.org/ftp.daumkakao.com/' /etc/apt/sources.list &&     apt-get update &&     apt-get install -y python-pip python-dev
---> Using cache
---> a947e98a6324
Step 5/7 : RUN rm -rf /var/lib/apt/lists/* &&     apt-get clean
---> Using cache
---> dd569990ea0d
Step 6/7 : COPY exploit.py /bin/exploit
---> Using cache
---> f05127eb5bb1
Step 7/7 : RUN chmod +x /bin/exploit
---> Using cache
---> d3ba1969044a
Successfully built d3ba1969044a
Successfully tagged exploit-30944e62425132c5df42f9706244f4f6437d15cb:latest
''
Traceback (most recent call last):
File "/bin/exploit", line 48, in <module>
socket_real2 = u64(socket_real)
File "/bin/exploit", line 8, in <lambda>
u64 = lambda x: unpack("<Q", x)[0]
struct.error: unpack requires a string argument of length 8
[*] Failed to run exploit

==========================
[*] Exploit returned : None
[*] Solution flag : 5OJTUehqID
[*] Exploit returned a wrong flag string

[*] The exploit did not work.