tinypad

Challenge overview

Category

exploit

Points

300 points

Challenge description

Host : tinypad.pwn.seccon.jp
Port : 57463

Heap Fun as a Service!

tinypad (SHA1 : 0e6d01f582e5d8f00283f02d2281cc2c661eba72)
libc-2.19.so (SHA1 : 8674307c6c294e2f710def8c57925a50e60ee69e)

Flag

???

Challengers

pinksawtooth

Solution

Discussion

Initial investigation

root@kali:~/Desktop# file tinypad 
tinypad: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=1333a912c440e714599a86192a918178f187d378, not stripped

gdb-peda$ checksec 
CANARY    : ENABLED
FORTIFY   : disabled
NX        : ENABLED
PIE       : disabled
RELRO     : FULL

root@kali:~/Desktop# readelf -r ./tinypad

Relocation section '.rela.dyn' at offset 0x520 contains 13 entries:
  Offset          Info           Type           Sym. Value    Sym. Name + Addend
000000601f98  000600000006 R_X86_64_GLOB_DAT 0000000000000000 free@GLIBC_2.2.5 + 0
000000601fa0  000a00000006 R_X86_64_GLOB_DAT 0000000000000000 __errno_location@GLIBC_2.2.5 + 0
000000601fa8  000700000006 R_X86_64_GLOB_DAT 0000000000000000 _exit@GLIBC_2.2.5 + 0
000000601fb0  000b00000006 R_X86_64_GLOB_DAT 0000000000000000 strcpy@GLIBC_2.2.5 + 0
000000601fb8  000300000006 R_X86_64_GLOB_DAT 0000000000000000 toupper@GLIBC_2.2.5 + 0
000000601fc0  000800000006 R_X86_64_GLOB_DAT 0000000000000000 write@GLIBC_2.2.5 + 0
000000601fc8  000400000006 R_X86_64_GLOB_DAT 0000000000000000 strlen@GLIBC_2.2.5 + 0
000000601fd0  000c00000006 R_X86_64_GLOB_DAT 0000000000000000 __stack_chk_fail@GLIBC_2.4 + 0
000000601fd8  000500000006 R_X86_64_GLOB_DAT 0000000000000000 read@GLIBC_2.2.5 + 0
000000601fe0  000100000006 R_X86_64_GLOB_DAT 0000000000000000 __libc_start_main@GLIBC_2.2.5 + 0
000000601fe8  000200000006 R_X86_64_GLOB_DAT 0000000000000000 __gmon_start__ + 0
000000601ff0  000900000006 R_X86_64_GLOB_DAT 0000000000000000 malloc@GLIBC_2.2.5 + 0
000000601ff8  000d00000006 R_X86_64_GLOB_DAT 0000000000000000 atoi@GLIBC_2.2.5 + 0

The relocation entries confirm that malloc and free are imported.
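The checksec fields shown above can be derived directly from the ELF headers. The following is an added example, not part of the original write-up: it reads NX, PIE and RELRO from the program headers and dynamic section, and treats the presence of the __stack_chk_fail name (seen in the relocation list) as a canary heuristic. The names elf_hardening and sample_elf are hypothetical, and the sample image is constructed to mirror the flags reported for tinypad, not taken from the real binary.

```python
import struct

# Constants from the ELF specification (elf.h)
ET_DYN = 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, PF_X = 0x8, 0x1, 0x1

def elf_hardening(data):
    """Return CANARY / NX / PIE / RELRO status for a little-endian ELF64 image."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    nx = relro_seg = bind_now = False
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:        # NX: stack segment must not be executable
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:      # segment remapped read-only after relocation
            relro_seg = True
        elif p_type == PT_DYNAMIC:        # walk Elf64_Dyn entries (16 bytes each)
            for off in range(p_offset, p_offset + p_filesz - 15, 16):
                tag, val = struct.unpack_from("<qQ", data, off)
                if tag == DT_NULL:
                    break
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    bind_now = True       # eager binding lets the whole GOT go read-only
    relro = "FULL" if relro_seg and bind_now else "Partial" if relro_seg else "disabled"
    # Canary check is a heuristic: it only looks for the symbol name in the image.
    # ET_DYN is also used by shared objects, so PIE is meaningful for executables only.
    return {"CANARY": b"__stack_chk_fail" in data, "NX": nx,
            "PIE": e_type == ET_DYN, "RELRO": relro}

def sample_elf(bind_now=True):
    """Constructed image: ELF header, 3 program headers, 2 dynamic entries."""
    dyn = struct.pack("<qQqQ", DT_FLAGS, DF_BIND_NOW if bind_now else 0, DT_NULL, 0)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0x400000, 64, 0, 0, 64, 56, 3, 64, 0, 0)
    ph = lambda t, f, off=0, sz=0: struct.pack("<IIQQQQQQ", t, f, off, 0, 0, sz, sz, 8)
    return (ehdr + ph(PT_DYNAMIC, 6, 64 + 3 * 56, len(dyn)) + ph(PT_GNU_STACK, 6)
            + ph(PT_GNU_RELRO, 4) + dyn + b"__stack_chk_fail\0")

if __name__ == "__main__":
    print(elf_hardening(sample_elf()))
```

To check a real file, pass its bytes, for example elf_hardening(open(path, "rb").read()).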

root@kali:~/Desktop# ./tinypad 

  ============================================================================
// _|_|_|_|_|  _|_|_|  _|      _|  _|      _|  _|_|_|      _|_|    _|_|_|     \\
||     _|        _|    _|_|    _|    _|  _|    _|    _|  _|    _|  _|    _|   ||
||     _|        _|    _|  _|  _|      _|      _|_|_|    _|_|_|_|  _|    _|   ||
||     _|        _|    _|    _|_|      _|      _|        _|    _|  _|    _|   ||
\\     _|      _|_|_|  _|      _|      _|      _|        _|    _|  _|_|_|     //
  ============================================================================

+------------------------------------------------------------------------------+

 #   INDEX: 1
 # CONTENT: 

+------------------------------------------------------------------------------+

 #   INDEX: 2
 # CONTENT: 

+------------------------------------------------------------------------------+

 #   INDEX: 3
 # CONTENT: 

+------------------------------------------------------------------------------+

 #   INDEX: 4
 # CONTENT: 

+- MENU -----------------------------------------------------------------------+
| [A] Add memo                                                                 |
| [D] Delete memo                                                              |
| [E] Edit memo                                                                |
| [Q] Quit                                                                     |
+------------------------------------------------------------------------------+
(CMD)>>> A

(SIZE)>>> 257
(CONTENT)>>> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Added.
+------------------------------------------------------------------------------+

 #   INDEX: 1
 # CONTENT: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
root@kali:~/Desktop# python -c "print len('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA')"
256

Anything beyond 256 characters is not saved.