---
lang: ja-jp
breaks: true
---

tinypad
===

## Challenge overview

### Category
exploit

### Points
300points

### Challenge statement
Host : tinypad.pwn.seccon.jp
Port : 57463

Heap Fun as a Service!

tinypad (SHA1 : 0e6d01f582e5d8f00283f02d2281cc2c661eba72)
libc-2.19.so (SHA1 : 8674307c6c294e2f710def8c57925a50e60ee69e)

### Flag
???

### Challenger
pinksawtooth

## Solution

## Discussion

### Initial investigation

```
root@kali:~/Desktop# file tinypad
tinypad: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=1333a912c440e714599a86192a918178f187d378, not stripped
```

```
gdb-peda$ checksec
CANARY    : ENABLED
FORTIFY   : disabled
NX        : ENABLED
PIE       : disabled
RELRO     : FULL
```

```
root@kali:~/Desktop# readelf -r ./tinypad

Relocation section '.rela.dyn' at offset 0x520 contains 13 entries:
  Offset          Info           Type           Sym. Value    Sym. Name + Addend
000000601f98  000600000006 R_X86_64_GLOB_DAT 0000000000000000 free@GLIBC_2.2.5 + 0
000000601fa0  000a00000006 R_X86_64_GLOB_DAT 0000000000000000 __errno_location@GLIBC_2.2.5 + 0
000000601fa8  000700000006 R_X86_64_GLOB_DAT 0000000000000000 _exit@GLIBC_2.2.5 + 0
000000601fb0  000b00000006 R_X86_64_GLOB_DAT 0000000000000000 strcpy@GLIBC_2.2.5 + 0
000000601fb8  000300000006 R_X86_64_GLOB_DAT 0000000000000000 toupper@GLIBC_2.2.5 + 0
000000601fc0  000800000006 R_X86_64_GLOB_DAT 0000000000000000 write@GLIBC_2.2.5 + 0
000000601fc8  000400000006 R_X86_64_GLOB_DAT 0000000000000000 strlen@GLIBC_2.2.5 + 0
000000601fd0  000c00000006 R_X86_64_GLOB_DAT 0000000000000000 __stack_chk_fail@GLIBC_2.4 + 0
000000601fd8  000500000006 R_X86_64_GLOB_DAT 0000000000000000 read@GLIBC_2.2.5 + 0
000000601fe0  000100000006 R_X86_64_GLOB_DAT 0000000000000000 __libc_start_main@GLIBC_2.2.5 + 0
000000601fe8  000200000006 R_X86_64_GLOB_DAT 0000000000000000 __gmon_start__ + 0
000000601ff0  000900000006 R_X86_64_GLOB_DAT 0000000000000000 malloc@GLIBC_2.2.5 + 0
000000601ff8  000d00000006 R_X86_64_GLOB_DAT 0000000000000000 atoi@GLIBC_2.2.5 + 0
```

The relocation table confirms that the binary imports malloc and free.

```
root@kali:~/Desktop# ./tinypad
============================================================================
// _|_|_|_|_| _|_|_| _| _| _| _| _|_|_| _|_| _|_|_| \\
|| _| _| _|_| _| _| _| _| _| _| _| _| _| ||
|| _| _| _| _| _| _| _|_|_| _|_|_|_| _| _| ||
|| _| _| _| _|_| _| _| _| _| _| _| ||
\\ _| _|_|_| _| _| _| _| _| _| _|_|_| //
============================================================================
+------------------------------------------------------------------------------+
# INDEX: 1
# CONTENT:
+------------------------------------------------------------------------------+
# INDEX: 2
# CONTENT:
+------------------------------------------------------------------------------+
# INDEX: 3
# CONTENT:
+------------------------------------------------------------------------------+
# INDEX: 4
# CONTENT:
+- MENU -----------------------------------------------------------------------+
| [A] Add memo |
| [D] Delete memo |
| [E] Edit memo |
| [Q] Quit |
+------------------------------------------------------------------------------+
(CMD)>>> A
(SIZE)>>> 257
(CONTENT)>>> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Added.

+------------------------------------------------------------------------------+
# INDEX: 1
# CONTENT: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
```

```
root@kali:~/Desktop# python -c "print len('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA')"
256
```

Input is cut off at 256 characters; anything beyond that is not stored.
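
As an added example (not part of the original write-up), this Python 3 script parses the relocation rows from the `readelf -r` output in the initial investigation, decodes each `r_info` field, and checks that every import is an `R_X86_64_GLOB_DAT` slot with no lazily bound `R_X86_64_JUMP_SLOT` entries, which is consistent with the `RELRO : FULL` line from checksec. The helper names `parse_relocs` and `summarize` are hypothetical.

```python
# Relocation rows copied from the readelf -r output above.
ROWS = """\
000000601f98  000600000006 R_X86_64_GLOB_DAT 0000000000000000 free@GLIBC_2.2.5 + 0
000000601fa0  000a00000006 R_X86_64_GLOB_DAT 0000000000000000 __errno_location@GLIBC_2.2.5 + 0
000000601fa8  000700000006 R_X86_64_GLOB_DAT 0000000000000000 _exit@GLIBC_2.2.5 + 0
000000601fb0  000b00000006 R_X86_64_GLOB_DAT 0000000000000000 strcpy@GLIBC_2.2.5 + 0
000000601fb8  000300000006 R_X86_64_GLOB_DAT 0000000000000000 toupper@GLIBC_2.2.5 + 0
000000601fc0  000800000006 R_X86_64_GLOB_DAT 0000000000000000 write@GLIBC_2.2.5 + 0
000000601fc8  000400000006 R_X86_64_GLOB_DAT 0000000000000000 strlen@GLIBC_2.2.5 + 0
000000601fd0  000c00000006 R_X86_64_GLOB_DAT 0000000000000000 __stack_chk_fail@GLIBC_2.4 + 0
000000601fd8  000500000006 R_X86_64_GLOB_DAT 0000000000000000 read@GLIBC_2.2.5 + 0
000000601fe0  000100000006 R_X86_64_GLOB_DAT 0000000000000000 __libc_start_main@GLIBC_2.2.5 + 0
000000601fe8  000200000006 R_X86_64_GLOB_DAT 0000000000000000 __gmon_start__ + 0
000000601ff0  000900000006 R_X86_64_GLOB_DAT 0000000000000000 malloc@GLIBC_2.2.5 + 0
000000601ff8  000d00000006 R_X86_64_GLOB_DAT 0000000000000000 atoi@GLIBC_2.2.5 + 0
"""
R_TYPES = {6: "R_X86_64_GLOB_DAT", 7: "R_X86_64_JUMP_SLOT"}  # x86-64 psABI numbers
HEAP_APIS = {"malloc", "calloc", "realloc", "free"}

def parse_relocs(text):
    """Return (slot, sym_index, type, name) per row, decoding the r_info column."""
    relocs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[2].startswith("R_"):
            continue  # header or blank line
        info = int(fields[1], 16)
        # ELF64: symbol index in the high 32 bits, relocation type in the low 32.
        sym_index, rtype = info >> 32, info & 0xFFFFFFFF
        if R_TYPES.get(rtype) != fields[2]:
            raise ValueError("printed type disagrees with r_info: " + line)
        relocs.append((int(fields[0], 16), sym_index, fields[2], fields[4].partition("@")[0]))
    return relocs

def summarize(relocs):
    slots = sorted(r[0] for r in relocs)
    return {
        "lazy": [r[3] for r in relocs if r[2] == "R_X86_64_JUMP_SLOT"],
        "heap_imports": sorted(r[3] for r in relocs if r[3] in HEAP_APIS),
        "contiguous": all(b - a == 8 for a, b in zip(slots, slots[1:])),
        "slot_range": (slots[0], slots[-1] + 8),  # end is exclusive
    }

if __name__ == "__main__":
    print(summarize(parse_relocs(ROWS)))
```

The 13 slots are contiguous 8-byte entries from 0x601f98 up to 0x602000, so the import table ends exactly on a 4 KiB page boundary.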