![\"image\"](\"http:\/\/mimumimu.net\/blog\/wp-content\/uploads\/2015\/05\/image.png\" "\\"image\\"")
<\/a><\/p>\n<\/p>\n
\u4e0a\u306e\u65b9\u306f\u300c\u30ec\u30b8\u30b9\u30bf\u300d\u306e\u60c5\u5831\u3067\u3001
\u201dAbout to send ** bytes:\u201d \u306e\u5148\u306b x86_64 \u3063\u307d\u3044\u30d0\u30a4\u30ca\u30ea\u304c
\u9001\u3089\u308c\u3066\u304d\u3066\u3044\u308b\u3053\u3068\u304c\u308f\u304b\u308b\u304b\u3068\u601d\u3044\u307e\u3059\u3002 <\/p>\n
<\/p>\n
\u3053\u3053\u3067 mzyy94 \uff08\u307f\u3063\u304d\u30fc\uff09\u3055\u3093\u304c
\u300crax=\u2026 \u3092\u305d\u306e\u307e\u307e\u8fd4\u3059\u3068\u3001\u5fdc\u7b54\u304c\u5909\u308f\u308b\uff01\u300d\u3068\u6559\u3048\u3066\u304f\u308c\u307e\u3057\u3066
\u5b9f\u884c\u3057\u3066\u305d\u306e\u7d50\u679c\u3092\u8fd4\u305b\u3070\u3044\u3044\u306e\u304b\u306a\u3001\u3068\u3044\u3046\u3053\u3068\u3067\u3084\u3063\u3066\u307f\u307e\u3057\u305f\u3002<\/p>\n
<\/p>\n
Code:<\/p>\n
#include <stdio.h>\n#include <stdlib.h>\n#include <unistd.h>\n#include <arpa\/inet.h>\n#include <string.h>\n#include <sys\/mman.h>\n \nstatic char* code;\nstatic unsigned long reg[15];\n \nvoid main(void)\n{\n int sock;\n struct sockaddr_in server;\n \n memset((void*)&server,0,sizeof(server));\n server.sin_addr.s_addr = inet_addr("52.74.101.145");\n server.sin_family = AF_INET;\n server.sin_port = htons(9999);\n \n sock = socket(AF_INET,SOCK_STREAM,0);\n if(sock == -1) return;\n \n if(connect(sock, (struct sockaddr*)&server, sizeof(server)) < 0)\n return;\n \n while(1)\n {\n char buf[4192];\n int i,codesize,pagesize;\n \n memset(buf,0,sizeof(buf));\n read(sock,buf,sizeof(buf));\n \n printf("INPUT : \\n%s\\n",buf);\n \n {\n char *tp;\n \n tp = strtok(buf,"\\n");\n for(i = -1; tp != NULL; i++)\n {\n if(strstr(tp,"=") != 0)\n reg[i] = strtouq(strstr(tp,"=")+1,NULL,0);\n tp = strtok(NULL,"\\n");\n }\n }\n\n read(sock,buf,sizeof(buf));\n codesize = atoi(buf+0x37);\n \n if(codesize == 0)\n break;\n \n pagesize = sysconf(_SC_PAGE_SIZE);\n code = memalign(pagesize,pagesize);\n \n memset(code,0xC3,pagesize);\n memcpy(code,buf+0x42,codesize);\n printf("CODESIZE : %d bytes.\\n",codesize);\n \n if(mprotect(code,pagesize,PROT_READ | PROT_EXEC) < 0)\n {\n free(code);\n return;\n }\n \n printf("EXECUTE..");\n \n asm volatile ("movq (reg),%rax");\n asm volatile ("movq (reg+8),%rbx");\n asm volatile ("movq (reg+16),%rcx");\n asm volatile ("movq (reg+24),%rdx");\n asm volatile ("movq (reg+32),%rsi");\n asm volatile ("movq (reg+40),%rdi");\n asm volatile ("movq (reg+48),%r8");\n asm volatile ("movq (reg+56),%r9");\n asm volatile ("movq (reg+64),%r10");\n asm volatile ("movq (reg+72),%r11");\n asm volatile ("movq (reg+80),%r12");\n asm volatile ("movq (reg+88),%r13");\n asm volatile ("movq (reg+96),%r14");\n asm volatile ("movq (reg+104),%r15");\n \n asm volatile ("call *code");\n \n asm volatile ("movq %rax,(reg)");\n asm volatile ("movq %rbx,(reg+8)");\n asm volatile ("movq %rcx,(reg+16)");\n asm volatile ("movq %rdx,(reg+24)");\n asm volatile ("movq %rsi,(reg+32)");\n asm volatile ("movq %rdi,(reg+40)");\n asm volatile ("movq %r8,(reg+48)");\n asm volatile ("movq %r9,(reg+56)");\n asm volatile ("movq %r10,(reg+64)");\n asm volatile ("movq %r11,(reg+72)");\n asm volatile ("movq %r12,(reg+80)");\n asm volatile ("movq %r13,(reg+88)");\n asm volatile ("movq %r14,(reg+96)");\n asm volatile ("movq %r15,(reg+104)");\n \n printf("DONE.\\n");\n free(code);\n \n memset(buf,0,sizeof(buf));\n sprintf(buf,"rax=0x%llx\\nrbx=0x%llx\\nrcx=0x%llx\\nrdx=0x%llx\\nrsi=0x%llx\\nrdi=0x%llx\\nr8=0x%llx\\nr9=0x%llx\\nr10=0x%llx\\nr11=0x%llx\\nr12=0x%llx\\nr13=0x%llx\\nr14=0x%llx\\nr15=0x%llx\\n",reg[0],reg[1],reg[2],reg[3],reg[4],reg[5],reg[6],reg[7],reg[8],reg[9],reg[10],reg[11],reg[12],reg[13]);\n \n printf("OUTPUT :\\n%s\\n",buf);\n write(sock,buf,strlen(buf));\n }\n}<\/pre>\n<\/div>\n <\/p>\n
\u5185\u5bb9\u3068\u3057\u3066\u306f\u3001\u30ec\u30b8\u30b9\u30bf\u306e\u521d\u671f\u5024\u3092\u6301\u3063\u3066\u304d\u3066\u3001
\n
\u81ea\u5206\u81ea\u8eab\u306b\u5bfe\u3057\u3066\u305d\u306e\u5024\u3092\u8a2d\u5b9a \u2192 \u5b9f\u884c \u2192 \u30ec\u30b8\u30b9\u30bf\u306e\u5024\u3092\u53d6\u5f97\u3057\u3066\u9001\u308a\u8fd4\u3059\u3002 <\/p>\n
\u3068\u3044\u3046\u6d41\u308c\u306b\u306a\u308a\u307e\u3059\u3002<\/p>\n
..\u305d\u3093\u306a\u611f\u3058\u3067\u5b9f\u884c\u3057\u307e\u3059\u3068\u3001 <\/p>\n
FLAG IS : Cats with frickin lazer beamz on top of their heads! <\/p>\n
\u3068\u3044\u3046\u3053\u3068\u3067\u8fd4\u7b54\u304c\u5e30\u3063\u3066\u304d\u307e\u3059\u3093\u3067\u3001\u3053\u308c\u3092\u9001\u308b\u3068\u5f97\u70b9\u304c\u3048\u3089\u308c\u307e\u3057\u305f\u3002<\/p>\n
<\/p>\n
\n\u4f59\u8ac7\uff1a<\/p>\n