search

KAIST-IS521 / 2018s-gitctf-team3

GNU General Public License v3.0
0 stars 1 forks source link

exploit-bug2 #63

Closed elmisty closed 6 years ago

elmisty commented 6 years ago

-----BEGIN PGP MESSAGE----- Version: GnuPG v1

hQEMAy8nZUIPGP0nAQf+Jb85sgSEv3GUviT5AO7irD031EmSPrsS/hRIWp6HDzaN 7xXgldJkAHdit1rwOh1Q8GLSmZswaud053bOosUxwpNnAax/5nLQ4JEF3IZbp6L1 0pdjcMRG4fPcMHiqWqqOrAoHZx7Bj8AK4Ytr4mMiUSnrW7n3hHBY8Sdl2Tcv2Dek vrdC86tnNoWHXSEBu0RF9z3ehAnJP6hNIBNt5InTgtAgK3DagX66b+RoPRBFnFJm zpQ/zkXH/YCCcL5+A7gQNWCGsuF0vxZtMhjGgpp+B+nM2ds+jddOyEQzHnLwb5oF raAFEBGuvavULb9SNcb9iZRQbuhbIGGWv1lMKYl4xYUBDAO6/NDcVCH0CAEIAO9R 5fYlvOA+OMCmw/EvSamSM1Su6GAuIWC/RJdEsIkWZhBNiYktjV1xV4Bk2ldOr/vL +bAxAHxNqyWQVaYs4bstMSJ4Sxn8VChRuuCrFdW75rnXpsmRwJm/ufb2vpR1Jwch Kzv7tw3ESrg53Um1TWKUNU7dOP5+ApsZqwX7/250Yr2fvpgaGXuGqaDA7XEo2WQB 7uml9xVyhvXqHA9+VfNaYElJJPU/FFRKsk9QmY5vJxZ4a10C71rE615Buxt/Syqi q1BBigD4iXUrXYgLz0GW9jnTvyjXJ5vqr0ZN4AxFRUUyTV4NLdXjnJFg8b/dkunH UiuKvSSYOpColYluy1vS6wFoAGwzYH/5cKxBL10df7OTTlDqyqwenruT1p+DedqW cBK1RR/KWnxwqXguRO5xdzCk8ybG8sgzqh9eaSIvY49dn91AvMO7XBDy2R6K8Rf1 mPkPZ+4R5JMECB6ompdQeK0wnLjWUrU/iTTAKPgGysP5sesLBWi02firsvqCpPD9 9cpKqr2s+kmNAIY+va0akkLpIXOT5c12oLQLUctIrnizcThdl+BoaEpkI9z6RE8Y DgnUHMz7rk4s6PTYP/a1HJsaua/6eUYecHcAzYnprdIoehusTim99qLCrOO9eeJn 80F/o7pTa+OWj+Sv6SunEycuvCKsrLkL14wV//jff/oA03IV1KvvMsLnA/GtV/RJ FAGqBYGOARqvsJpx7fcplimdYuv9TPo2Vo8pHd5ZXGO7L9Mvzuo/+WwT8SwHa1hp E3hLWhLcHa5JPIgcyU9A29EcZxMlTNh3oJD2GZFg+D70D1cnmH4GHnG8CW12wn3D xDnDQ196gtRuGfGEGxZU8W9v4HCquNf/2U6zQOwNYqIanawfYAOsYMUuk1u/Q0ph MheP2nE/ZVjW+cZ8KLT1YSoyUCeKjNZHObJlHO2RF4wa9wdukNX9JOnw3QnCuV5Q TQYNYQ51wfcp5UfmU9nkrHd67DYK4ISWfaRaopUczpMdgtXqhkzvyVc9Vghi7PZf vOhW3afZ2i2TIvvn9lNgqK9gPGiSNfLhanvIPNU7jf+6EQr4gw2yP/t39BOmP8bP Tz/RWFKfyrif4ghccQ04Mni5tzWn5lM3semNlDsfs8K9tcsdLX7e5BBptfLSclpI 8RSPibCp4dZVzPT2qkb+NsJGHzMtpMqJL83rrne6kn8zdFGBDMJcLwfiafsC1qqC gDeJPxAOX4B0BRrbwdJLhI2Y4WtdOxSgCuUmbHwp9zEmR0pKeZUg03SU72/UW8sx LPr1bHGHVmVZD/CXm3jYXBVk6fSZe/XFUrI2H+XrNRB33QsF5noAjeZ59OaVv0ho b+bq1aaA+82i+WfH79xXSdpZ+CkLgc42zuUJZvDoWAxteqbuSkWhqfWM+NO5S7t7 zmVDOQeT5K4UzByb7RMKiY5FwA/rsFD5MK83Ft9OdMtOSiJt9OfEPRrHuIQAcdwm hVGJHzACjS9hD3fr1jmfcbjpj97deczmTfIKvVYpCUL/+RebULhL2la6QElPg6ib 8pCH6Um9i3WfESMsx2uRjAu4qcSBxTfWji3R/hJnaYt201UqBiRVZHej7bjoKeGx kFWR3SQ9gCkTZ31RnM66dGQ3itOii2cmoUClUN67Wu6XSE3pz/qW/oTljl4nAGdi poewnsw9mAYnEZxNxF5+H9ZkqrxPmOjiz6Ku6cNiSLNuVgAKx2bCYt8NcQcu9Cfr kvk+FRUXvdqK8dmrO0NpujGCdRECiX5+aCLX8erTPilmfJ7L6uhMFOMvBBpWX9si AOohdqbjieqePALAJ6tMF6LzAVQh4iQ6vpQMv7IRS8xCMvK9IvTjt1O7+88uHFp0 Uf+b3EqR8fYZK3U86n35NVyEZhLU2DlfHrnY7hXjGw3wGM0Zm3FKq8y7aLt+ni27 4HC9vadqFxWbz6at062DK3zeCim7gOdKmUOw75b4KKbjQYs0ax0iZU8qmCm04jiw Vnv18BLX8ngB9si2xVO39uuWt4696dI65vHuwibwXkN59HHKJXY44nRiBgxrAYwW wyRrv+8Bz7hy68plzJA3QcWkZMQ11M7+ESvY/3BcyxAWPh7+9fIBIpxp6znT8k3G G7ioU6YnaAfjBOLz2KAr8meKgf/9Py0SC6nq1x9AILTGYOTPecclDlskGoNGtccE 3S/SKk31hZNZSYO7npTEeCz+h9Mn528RleuKCi/LbZ9vNCrD/e10Ygzu8ZhOzK7h 2qDkZFvlxutSoVLLGUjZ88aUxtlT/lcs26CBVoGysznd8etDWL9adQZo8DcnzuY6 Lu+PutpBREapxMHj0oYWL5hM6Nk/W2L3iEBkyXfeVLEfa1udN+1/DG4GyRL+ChZC BwyH5iw5itGKmu7aNgyjzWvWTL09TFYPwwKYleSqwJh8mMl3CMMvrXVU0QD5JsMu /BMWpMDfF7B6oxv2iSwoREqzi7b8vrLK+Ck+5dmC+MDxyIAi8/cpohN+j6CIWQMz GUyFFmdnGGhykh6EVA/0Wrjxj73lrXezJYp9Yj9NQTPzh0u2ISr7kIbMccfNUaSv pQH/1CBKHac+Fzjp3QXXvQOSpQWFeXlqpkREK/e8inbWu9X28dp6sIaRkEIz3hFb XaOea3ZFofZjEDz1nnfeOEyRhF2Ea+x+LAlWF5fuv/NTa+nUu1Lza2DRSg3pQqsc gWRTfc99Hgx+zudrtsXzgL3tPCBsGkx1fGrKHsGdhkky9v5cZGOLX9fUGj+16t9c EvP8Gz0Sy47n7RM5o6XJArPIw1NSDUt1C+MQC5fiqC9AqtoJbrDA15JhrCGPPABv qIWVLt/2y9zyWB1P5znp7mV17aYNg5T1mUc7xMtLzV/XPVZJtF0gU97xaMsOIapt bhaITKZVvzc9DUf42SpIj6ARNUDtR6gZ8se3mFx9pAf5HxRGEcMwi1HLzPz08Ooa FCL93tMRSLF/83wwSG1hrhaIDuPh50ti91U/plgzkeTYJrk1zlEVOeEEi8khijfp w64zm7RI/J1V3lwQtOREJkFd1xXwZWMVYu7+/lKIyo/5hUF6sDayY2VQ5kvu9zqz 6dPYELJYNHrSnfHbJwTyqiojouipPPYfJ5zDYFO4bRjUJe7P+FbJxmO60S8c0RYH YPbFwTUkmt5OcrwlUaYGnmEfHFxBuRys2njlTJgxsURZmQam7xw9hlfZNY2Vq1+J 9J0uqGB4+k6a/0ShdRAzw4zdTsFB0Ip5ZPKoVGsGohyafKGiJiTljmRpBN3dygfh d5UxMn2zqbb/6vGiltQbkI67BbSgE85mcHl6nK4rYaIIHCEDnTSMlRz7q+WsnZd4 j1ozh1uWmFWImZvIIn/GQCjZ2DIeOx1f0TarQq+t2egib06ckLzKnphwDbkEKTR6 bBocQ61DTiPJGvvOpepxhjUu1bj6rzYKYaHFanLS+suCyJzylDgMoTsvivyoZXIp MwWxYwpkjCBd80xki277S9HGWpI5LwyX5RYmatSPPkSVCPKisWtgAEoPyD+ij/6+ RBY8EW5QVKaOLSGhk28MH+W7V7F/umybuvXleDtBfQm4Jv9orxxpyTl/ZgAcXsNn hn/PVxEOXXkMMucnyhMZNfH8kcBiZmDf8nC976GdRJRbrN28IYE4bEH2AniegwR7 6wuFJQCxTxbwd2RTeb01EZsbA0dcDxW7H7e6ClI/EXtVaNwpTxpJY57RefmvG3Xf m1rINs+I9jyOnLMub9mDUeTyUR/0lvg9Fq/jHsnNYwe+QXTDUDhq3iRvr90BeqT8 xYzF8XQ5KYVUqYUmwan+wBCFl8u2RQj6OWavW00CakTmyJ6/GCl9MGpqtf88YU6y P5fj =p412 -----END PGP MESSAGE-----

softsec-is521 commented 6 years ago 
About exploit-bug2 (exploit-service branch)
[*] Starting service from 2018s-gitctf-team3 (branch '1ab765aea067276d78665c24541704192594180d')
Sending build context to Docker daemon  305.7kB
Step 1/10 : FROM debian:latest
---> 8626492fecd3
Step 2/10 : MAINTAINER Team3
---> Using cache
---> a8d5c7b36c3d
Step 3/10 : RUN         sed -i 's/deb.debian.org/ftp.daumkakao.com/g' /etc/apt/sources.list
---> Using cache
---> b88e8441565a
Step 4/10 : RUN apt-get update && apt-get install -y make gcc  xinetd
---> Using cache
---> 1b0ea00b0dc9
Step 5/10 : RUN mkdir -p /var/ctf
---> Using cache
---> dc2501c5472a
Step 6/10 : COPY flag /var/ctf/
---> b99c4b6d0783
Step 7/10 : ADD ./service /src
---> 3d8b7423fe51
Step 8/10 : RUN cd /src; make
---> Running in 8f0835c6196c
gcc -no-pie -fno-stack-protector -fno-builtin -O0 -c log.c -o log.o
gcc -no-pie -fno-stack-protector -fno-builtin -O0 -c llist2.c -o llist.o
gcc -no-pie -fno-stack-protector -fno-builtin -O0 -c chatsrv.c -o chatsrv.o
gcc -no-pie -fno-stack-protector -fno-builtin -O0 -o chatsrv log.o llist.o chatsrv.o -lpthread
Removing intermediate container 8f0835c6196c
---> 5fb2657f5f65
Step 9/10 : WORKDIR /src
Removing intermediate container 48f332e229e6
---> 651726484150
Step 10/10 : ENTRYPOINT [ "./chatsrv", "--port=4000" ]
---> Running in 87e382b08ad6
Removing intermediate container 87e382b08ad6
---> df5bda0f753f
Successfully built df5bda0f753f
Successfully tagged 2018s-gitctf-team3-1ab765aea067276d78665c24541704192594180d:latest
eff475fb76bcbc640c3fb5b6ddb5b0e43ea8e0acbbb582246acf82a42b1d8e6f
[*] Started service successfully
[*] Running exploit
Sending build context to Docker daemon   7.68kB
Step 1/10 : FROM debian:latest
---> 8626492fecd3
Step 2/10 : RUN cd /etc/apt &&   sed -i 's/deb.debian.org/ftp.daumkakao.com/g' sources.list &&   sed -i 's/security.debian.org/ftp.daumkakao.com/g' sources.list
---> Using cache
---> 6158c0b6e89c
Step 3/10 : RUN apt-get update
---> Using cache
---> 82d14e093d36
Step 4/10 : RUN apt-get install -y python2.7 python-pip python-dev make
---> Using cache
---> d27cba64d589
Step 5/10 : RUN pip install -i http://ftp.daumkakao.com/pypi/simple pwntools   --trusted-host ftp.daumkakao.com
---> Using cache
---> 5329c37dbe35
Step 6/10 : RUN apt-get install -y python-capstone
---> Using cache
---> 1474065fc08f
Step 7/10 : ADD . /exploit
---> Using cache
---> 165b35ec61bd
Step 8/10 : ENV PWNLIB_NOTERM 1
---> Using cache
---> a269356b6255
Step 9/10 : COPY exploit.py /bin/exploit
---> Using cache
---> 1108f08a4804
Step 10/10 : RUN chmod +x /bin/exploit
---> Using cache
---> 79e64d3a3756
Successfully built 79e64d3a3756
Successfully tagged exploit-1ab765aea067276d78665c24541704192594180d:latest
[x] Opening connection to 127.0.0.1 on port 4000
[x] Opening connection to 127.0.0.1 on port 4000: Trying 127.0.0.1
[+] Opening connection to 127.0.0.1 on port 4000: Done
[*] Failed to run exploit

==========================
[*] Exploit returned : None
[*] Solution flag : dgdEvj0Rdz
[*] Exploit returned a wrong flag string

[*] The exploit did not work.