Journal of GCC2023 in Singapore
First of All In Preparation…
Challenges

[web] secure-page

...
if admin == '':
    headers['set-cookie'] = 'admin=false'
if admin == 'true':
    return (200, '''
<title>Secure Page</title>
<link rel="stylesheet" href="/style.css" />
<div class="container">
<h1>Secure Page</h1>
%s</div>
''' % os.environ.get('FLAG', 'flag is missing!'), headers)
...

Just set Cookie: admin=true in the header and send the request.

curl -H 'Cookie: admin=true' https://secure-page.mc.ax

hope{signatures_signatures_signatures}

[web] reverser

Template injection is likely to occur at the following.

@app.post('/')
def reverse():
....
Plan

Overwrite the function pointer with the system function via Use After Free.

About the COWSAY struct

In a freed chunk, fn_dialogue is assigned to fd and message is assigned to bk.

typedef struct {
    void (*fn_dialogue)(char*);
    char *message;
} COWSAY;

Also, pay attention to cowsay->fn_dialogue(cowsay->message); executed at L167~171 in main.c.

case 1: /* Use cowsay */
    printf("[+] You're trying to call 0x%016lx\n", (addr)cowsay->fn_dialogue);
    cowsay->fn_dialogue(cowsay->message);
    break;

malloced chunk

When it is malloced, the heap area is the following....
Plan

Overwrite the fd pointer of the chunk below via Heap Overflow, and then call the win function by tcache poisoning.

Preparation

Malloc, and then free B so that its area is connected to tcache.

-=-=-=-=-= TCACHE -=-=-=-=-=
[ tcache (for 0x20) ]
  ||
  \/
[ 0x000055dfd3002350(rw-) ]
  ||
  \/
[ END OF TCACHE ]
-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Vulnerability

The vulnerability is a Heap Overflow. You can write 0x80 bytes to a chunk sized for 0x18.

Overwrite B's fd pointer

Now, there isn't a freed chunk which connects to the next one, because the freed chunk's fd is NULL....