Pwnable.kr Level 1 WriteupLast updated:Mar.23, 2017 CST 23:47:23
Just make some notes. Totally used about 24 hours.
The admin said that the writeup of other levels should not be shared...But it will not affect me yet, since I haven't do them yet ;).
Just use perl
Notice, the padding should be 52, not 32. And your terminal emulator might do bad things....
RCE. So easy. Unpack manually and break at memcpy.
How to override fflush()?
Try to learn something about rand() and srand()...
Complex. But just try... Kind of boring.
You need to see how the ARM fetch instructions. Interestring!
Time to print an priority table of C, and paste on your laptop.
Just normal things. Nothing to mention about it.
good practice for the algo
Another example of wrong type
cmd1 and cmd2
Many solutions are using PATH. But I love vim.
Block size is 0x18 bytes, so we need to free and get two 18 bytes block via the second option, which means the previous two blocks can be written. We can write a fake vTable address and modify the function pointer.
At least two available solutions:
- Write a debugger snippet to check parameters and return values of malloc
- Use "Heap Analyzer" in the Visual Studio
If you got a SIGSEV, it might be caused by unaligned memory. Try to solve it. Notice that the management structure also took some space.
Simple. Learn to use pwntools.
Looks like ptmalloc unlink. But site admin's solution is interestring.