0x0 Introduction
Medium
I’m awfully hungry, with all these options to choose from, what should I order?
Connect
nc breakfast.sdc.tf 1337
By green beans
files: BreakfastMenu
0x1 Mitigation
Arch: amd64-64-little
0x2 Vulnerability
In short, the binary has a Use-After-Free (UAF) vulnerability: it allows us to edit a heap chunk after it has been freed.
Moreover, the dangling pointers are stored in a global variable. Therefore we can utilize the singly linked list in the heap and do a write on the address we want.
The basic idea of this challenge is to first replace free with puts to leak a libc address, then replace free with system and call system("/bin/sh") to get a shell.
- malloc, malloc, free, free to create a singly linked list in the heap
- edit obj.orders[1] and write the address of obj.orders into it
- malloc, malloc. Now obj.orders[2] points to a heap chunk and obj.orders[3] points to obj.orders[0]
- edit obj.orders[2] and write /bin/sh\x00 into the heap
- edit obj.orders[3] to got.free => obj.orders[0] will change to got.free
- edit obj.orders[0] to got.puts; this replaces the function free with the function puts
- edit obj.orders[3] to got.printf
- free(obj.orders[0]); this will call puts(got.printf) and leak a libc address
- edit obj.orders[3] to got.free, then edit obj.orders[0] to replace free with system
- free(obj.orders[2]); this will call system("/bin/sh") and give us a shell.
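The first three steps above, modelled in C as an added example (this is not the challenge binary's code and not the author's exploit). It shows why a write through a dangling pointer redirects a later allocation, and how clearing the pointer on free stops it. The toy allocator, the function names and the hardened flag are assumptions made for illustration; the allocator works on a static array, so nothing touches the real heap.

```c
#include <stdio.h>
#include <string.h>

#define SLOTS 4
#define CHUNK 32
#define NCHUNKS 8
/* Toy allocator (assumption): freed chunks form a LIFO singly linked list,
 * and the "next" pointer is stored in the first bytes of the freed chunk. */
static unsigned char arena[NCHUNKS][CHUNK];
static size_t top;
static void *free_head;
static void *orders[SLOTS];           /* global pointer table, like obj.orders */

static void *toy_malloc(void) {
    if (free_head) {                  /* pop: trusts the pointer kept in the chunk */
        void *p = free_head;
        memcpy(&free_head, p, sizeof free_head);
        return p;
    }
    return top < NCHUNKS ? arena[top++] : NULL;
}
static void toy_free(void *p) {       /* push: next pointer goes inside the chunk */
    memcpy(p, &free_head, sizeof free_head);
    free_head = p;
}
/* hardened = 0 leaves the dangling pointer in the table; 1 clears the slot. */
static void delete_order(int i, int hardened) {
    if (!orders[i]) return;
    toy_free(orders[i]);
    if (hardened) orders[i] = NULL;
}
static int edit_order(int i, const void *data, size_t n) {
    if (!orders[i] || n > CHUNK) return -1;   /* empty slot: refuse the edit */
    memcpy(orders[i], data, n);
    return 0;
}
/* Steps 1-3 of the list. Returns 1 if orders[3] ends up aliasing the table. */
int fourth_alloc_aliases_table(int hardened) {
    void *target = orders;
    top = 0; free_head = NULL; memset(orders, 0, sizeof orders);
    orders[0] = toy_malloc(); orders[1] = toy_malloc();
    delete_order(0, hardened); delete_order(1, hardened);
    edit_order(1, &target, sizeof target);    /* the write after free */
    orders[2] = toy_malloc(); orders[3] = toy_malloc();
    return orders[3] == (void *)orders;
}
int main(void) {
    printf("dangling pointer kept:    aliased=%d\n", fourth_alloc_aliases_table(0));
    printf("pointer cleared on free:  aliased=%d\n", fourth_alloc_aliases_table(1));
    return 0;
}
```

With the slot cleared on free, the edit in step 2 is rejected and the fourth allocation returns an ordinary chunk instead of the table.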
0x3 Exploit
from pwn import *
0x4 Flag
sdctf{Th3_m05t_1Mp0Rt4nT_m34L_0f_th3_d4Y}