KAIST-IS521 / 2018s-gitctf-team3

GNU General Public License v3.0

exploit-bug3 #81

Closed elmisty closed 6 years ago

elmisty commented 6 years ago

softsec-is521 commented 6 years ago
About exploit-bug3 (exploit-service branch)
[*] Starting service from 2018s-gitctf-team3 (branch 'f8b12f6abaac0d89cf5356ad7a6d7fae3e9a45e4')
Sending build context to Docker daemon  306.2kB
Step 1/10 : FROM debian:latest
---> 8626492fecd3
Step 2/10 : MAINTAINER Team3
---> Using cache
---> a8d5c7b36c3d
Step 3/10 : RUN         sed -i 's/deb.debian.org/ftp.daumkakao.com/g' /etc/apt/sources.list
---> Using cache
---> b88e8441565a
Step 4/10 : RUN apt-get update && apt-get install -y make gcc  xinetd
---> Using cache
---> 1b0ea00b0dc9
Step 5/10 : RUN mkdir -p /var/ctf
---> Using cache
---> dc2501c5472a
Step 6/10 : COPY flag /var/ctf/
---> 57ee95b9595c
Step 7/10 : ADD ./service /src
---> 7ba77bd05d1a
Step 8/10 : RUN cd /src; make
---> Running in 4bd7fc4c0955
gcc -fno-stack-protector -fPIC -pie -O0 -c log.c -o log.o
gcc -fno-stack-protector -fPIC -pie -O0 -c llist2.c -o llist.o
gcc -fno-stack-protector -fPIC -pie -O0 -c chatsrv.c -o chatsrv.o
gcc -fno-stack-protector -fPIC -pie -O0 -o chatsrv log.o llist.o chatsrv.o -lpthread
Removing intermediate container 4bd7fc4c0955
---> 245d910deee8
Step 9/10 : WORKDIR /src
Removing intermediate container 0da21b7c0cdb
---> a669631b8291
Step 10/10 : ENTRYPOINT [ "./chatsrv", "--port=4000" ]
---> Running in 673a99917b9d
Removing intermediate container 673a99917b9d
---> e836ba326a90
Successfully built e836ba326a90
Successfully tagged 2018s-gitctf-team3-f8b12f6abaac0d89cf5356ad7a6d7fae3e9a45e4:latest
46887b47533dc48411236afd344f67ca8c008503d7d192c9f58d0435bb741be3
[*] Started service successfully
[*] Running exploit
Sending build context to Docker daemon  8.192kB
Step 1/10 : FROM debian:latest
---> 8626492fecd3
Step 2/10 : RUN cd /etc/apt &&   sed -i 's/deb.debian.org/ftp.daumkakao.com/g' sources.list &&   sed -i 's/security.debian.org/ftp.daumkakao.com/g' sources.list
---> Using cache
---> 6158c0b6e89c
Step 3/10 : RUN apt-get update
---> Using cache
---> 82d14e093d36
Step 4/10 : RUN apt-get install -y python2.7 python-pip python-dev make
---> Using cache
---> d27cba64d589
Step 5/10 : RUN pip install -i http://ftp.daumkakao.com/pypi/simple pwntools   --trusted-host ftp.daumkakao.com
---> Using cache
---> 5329c37dbe35
Step 6/10 : RUN apt-get install -y python-capstone
---> Using cache
---> 1474065fc08f
Step 7/10 : ADD . /exploit
---> Using cache
---> 4c8bf32b8abd
Step 8/10 : ENV PWNLIB_NOTERM 1
---> Using cache
---> 8c84de06fba2
Step 9/10 : COPY exploit.py /bin/exploit
---> Using cache
---> 0b8a8352ecf2
Step 10/10 : RUN chmod +x /bin/exploit
---> Using cache
---> 0e75fb7ea3f4
Successfully built 0e75fb7ea3f4
Successfully tagged exploit-f8b12f6abaac0d89cf5356ad7a6d7fae3e9a45e4:latest
[x] Opening connection to 127.0.0.1 on port 4000
[x] Opening connection to 127.0.0.1 on port 4000: Trying 127.0.0.1
[+] Opening connection to 127.0.0.1 on port 4000: Done
Traceback (most recent call last):
  File "/bin/exploit", line 38, in <module>
    calc_info = long(info[::-1].encode('hex'), 16)
ValueError: invalid literal for long() with base 16: ''
[*] Closed connection to 127.0.0.1 port 4000
[*] Failed to run exploit

==========================
[*] Exploit returned : None
[*] Solution flag : tDVcfuiX5n
[*] Exploit returned a wrong flag string

[*] The exploit did not work.