[PwC Vietnam's hackaday 2017] map writeup
Hi, I'm bit from the meepwn team. Recently my teammates and I participated in the PwC hackaday contest as team L0s3r, and we won first place. Our team was the only one to solve this 500-point pwn challenge. Here is my writeup for it. I suggest you try solving it yourself before reading the writeup.
You can download the binary here
Tip: one_gadget is a great tool that uses symbolic execution to find the "magic gadget" in libc.
More about heap exploitation techniques here and here.
Mitigations:
Canary: enabled
Fortify: disabled
NX: enabled
PIE: enabled
RELRO: full
Program logic:
The program allows us to select, add, delete, edit and view maps. The two most interesting functionalities are select and delete. Using select we can choose a specific map to view. The delete function removes a specific map from memory.
Vulnerabilities:
- The first vulnerability is a heap overflow in the add function, where it reads the map's name.
- The second vulnerability is in the implementation of the select and delete functions.
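As an added illustration that is not part of the writeup or the challenge binary, here is a hypothetical C reconstruction of the map record with the two bug classes above closed: the name read is bounded so it cannot run into the description ("des") pointer, and delete clears the select cursor so view never reads a freed map. Field names, sizes and function names are assumptions.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed illustration, not the challenge binary: a map record with a
 * fixed name buffer followed by the heap pointer to its description ("des"). */
#define NAME_LEN 32
#define MAX_MAPS 8
typedef struct {
    char  name[NAME_LEN];
    char *des;              /* heap-allocated description */
} map_t;
static map_t *maps[MAX_MAPS];
static map_t *selected;     /* cursor set by select, read by view */

/* add: an unbounded read into name would run past the buffer into des.
 * Bound the copy and reject oversized names instead of silently truncating. */
int map_add(int idx, const char *name, size_t name_len, const char *des) {
    if (idx < 0 || idx >= MAX_MAPS || maps[idx] != NULL) return -1;
    if (name_len >= NAME_LEN) return -1;
    map_t *m = calloc(1, sizeof *m);
    if (m == NULL) return -1;
    memcpy(m->name, name, name_len);
    m->name[name_len] = '\0';
    size_t dl = strlen(des) + 1;
    m->des = malloc(dl);
    if (m->des == NULL) { free(m); return -1; }
    memcpy(m->des, des, dl);
    maps[idx] = m;
    return 0;
}

int map_select(int idx) {
    if (idx < 0 || idx >= MAX_MAPS || maps[idx] == NULL) return -1;
    selected = maps[idx];
    return 0;
}

/* delete: freeing a map while the select cursor still points at it leaves
 * view reading freed memory. Clear the cursor before freeing. */
int map_delete(int idx) {
    if (idx < 0 || idx >= MAX_MAPS || maps[idx] == NULL) return -1;
    if (selected == maps[idx]) selected = NULL;
    free(maps[idx]->des);
    free(maps[idx]);
    maps[idx] = NULL;
    return 0;
}

/* view: the selected description, or NULL when nothing valid is selected. */
const char *map_view(void) { return selected ? selected->des : NULL; }
```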
Solution:
- Create a map with the size of a small heap chunk. Select it, delete it, then view it to leak the libc base address through the des pointer.
- Use the first vulnerability to overwrite the des pointer with the address of __malloc_hook, then edit it with the one_gadget address.
- Trigger __malloc_hook and get a shell.
My exploit code: