Find file History
Latest commit 37f8015 Jul 12, 2017
Permalink
Type Name Latest commit message Commit time
..
Failed to load latest commit information.
solution
README.md poliwars Jul 11, 2017
banner.txt
bwing.txt poliwars Jul 11, 2017
deathstar.txt
falcon.txt poliwars Jul 11, 2017
poli_wars
poli_wars.c poliwars Jul 11, 2017
xwing.txt
z95.txt poliwars Jul 11, 2017

README.md

Poli Wars

A not so long time ago, in a galaxy not so far away..

How to build

gcc -m32 -o poli_wars poli_wars.c ; strip poli_wars

How to run

socat tcp-l:some_port,reuseaddr,fork exec:"./poli_wars"

How to solve

*** SPOILER ALERT ***

See pwnpoli_wars

In a nutshell:

  1. House of Mind heap exploitation technique (Reference - FastBin Method) is used to set global variable which controls falcon deployment to a value != 0. Bwings are used for padding heap to correct position. Xwing to overwrite top chunk size.
  2. The particular ship_name of the z95 fighter (z95;) allow us to preapare a structure with z95;/bin/sh\x00 as first 3 params to bee freed later.
  3. Falcon allow us to leak all we need (got and libc addresses).
  4. Falcon is also vulnerable to heap overflow with no check thus allowing us to use House of Force technique.
  5. 'Houseforcing' into got allow us to replace free address with system.
  6. Sending our z95 spacecraft alone to face deathstar results in shell.