CafeM0ca

[LOB]level17 succubus 본문

Hacking/LOB(Red Hat)

[LOB]level17 succubus

M0ca 2018. 1. 20. 06:22
반응형

ID:succubus

PW:here to stay


checking &strcpy(0x8048410)

strcpy have two parameter.(dest,src)


strcpy's ret is "AAAA"

So change ebp+48 address. using strcpy

dest is ebp+48. src is excuting shell address. put on buffer or argv[1] or anywere


payload

buffer(libc_system+system's ret+&/bin/sh+"\x90"*32+&strcpy+"AAAA"(fixed)+&(ebp+48 - AAAA)+&buffer

&ebp+48 change to buffer's address.

eip excute system("/bin/sh"). get /bin/sh using getenv.


exploit

반응형

'Hacking > LOB(Red Hat)' 카테고리의 다른 글

[LOB]level19 xavius  (0) 2018.02.04
[LOB]level18 nightmare  (0) 2018.01.23
[LOB]level16 zombie_assassin  (0) 2018.01.19
[LOB]level15 assassin  (0) 2018.01.18
[LOB]level14 giant  (0) 2018.01.18
'Hacking/LOB(Red Hat)' Related Articles more
Comments