DEFCON 25 Quals r0pbaby May 19, 2015
description
r0pbaby_542ee6516410709a1421141501f03760.quals.shallweplayaga.me:10436
This is an x64 ELF binary. The vulnerability is easy to find: menu option 3 takes a caller-supplied byte count and the bytes themselves, and 24 bytes are already enough to crash the process on return.
% ./r0pbaby_542ee6516410709a1421141501f03760
Welcome to an easy Return Oriented Programming challenge...
Menu:
1) Get libc address
2) Get address of a libc function
3) Nom nom r0p buffer to stack
4) Exit
: 3
Enter bytes to send (max 1024): 24
AAAAAAAAAAAAAAAAAAAAAAAA
1) Get libc address
2) Get address of a libc function
3) Nom nom r0p buffer to stack
4) Exit
: Bad choice.
zsh: segmentation fault (core dumped)  ./r0pbaby_542ee6516410709a1421141501f03760
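The handler behind menu option 3 is not shown on this page, so the following is an added, constructed reconstruction of the defect it exhibits (a length bounded only by the protocol maximum, not by the destination buffer) next to a hardened form; it is not the challenge binary's code, and BUF_SIZE and the function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed illustration, not the challenge binary's source. The "nom nom"
 * handler is reconstructed from its observed behaviour: it accepts a caller-
 * supplied byte count (max 1024) and copies that many bytes into a small
 * stack buffer, so 24 bytes already reached the saved return address and the
 * process died on return. BUF_SIZE is an assumption. */
#define BUF_SIZE   16
#define MAX_INPUT  1024

/* Vulnerable pattern: len is checked only against the protocol limit, never
 * against the destination. Any len > BUF_SIZE overwrites what follows buf on
 * the stack (saved rbp, return address), which is what the ROP chain in the
 * writeup relies on. Not exercised by the test: it would smash our own stack. */
void nom_vulnerable(const uint8_t *data, size_t len) {
    uint8_t buf[BUF_SIZE];
    if (len > MAX_INPUT) len = MAX_INPUT;
    memcpy(buf, data, len);          /* overflow when len > BUF_SIZE */
    printf("stored %zu bytes\n", len);
}

/* Hardened form: the copy is bounded by the destination size, oversize input
 * is refused outright (no silent truncation that could desync the protocol),
 * and the buffer belongs to the caller so its size is explicit.
 * Returns the number of bytes stored, or -1 if the request was rejected. */
int nom_safe(const uint8_t *data, size_t len, uint8_t *out, size_t out_size) {
    if (data == NULL || out == NULL) return -1;
    if (len > out_size) return -1;   /* 24 bytes into 16 is refused */
    memcpy(out, data, len);
    return (int)len;
}

/* Mirrors the session above: menu option 3 with 24 bytes of 'A'. With the
 * vulnerable handler this crashed the process; the hardened one rejects it. */
int replay_session(void) {
    uint8_t payload[24];
    uint8_t buf[BUF_SIZE];
    memset(payload, 'A', sizeof payload);   /* constructed input */
    return nom_safe(payload, sizeof payload, buf, sizeof buf);  /* -1 */
}
```

A stack canary would have turned the crash into a "*** stack smashing detected ***" abort before the corrupted return address was used; the plain segfault here is the first hint that the binary is built without one.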
To call the system function, find the “/bin/sh” string in libc and the ROP gadget “pop rdi; ret”.
The binary gives us the address of a libc function (menu option 2). From libcdb we can obtain an almost identical libc binary to the one used on the remote server, and with it the offsets of system and “/bin/sh”.
Here is the exploit code:
https://gist.github.com/ytn86/2790c1c224825aa2c3a1